Allow logging into Treeherder when pointing the UI at the stage/prod API

Status: NEW
Product: Tree Management
Component: Treeherder: Docs & Development
Priority: P2
Severity: normal
Reported: a year ago
Last updated: 9 days ago
Reporter: camd
Assignee: emorley
Tracking: Depends on 1 bug, Blocks 1 bug

Description (Reporter, a year ago)
We should investigate if it's possible to log in with taskcluster auth if your front-end is local and the thServiceDomain is set to stage or prod.
Updated (Reporter, a year ago)
Depends on: 1273034
Comment 1 (Assignee, 11 months ago)
Ah with Django 1.9+ we might be able to use the new `CSRF_TRUSTED_ORIGINS` to make this work:
https://docs.djangoproject.com/en/1.9/ref/settings/#std:setting-CSRF_TRUSTED_ORIGINS
Comment 2 (Assignee, 9 months ago)
OK, so a few things would need resolving:
1) $httpProvider isn't sending any cookies when cross-domain, since `withCredentials` defaults to false, so it needs overriding (e.g. `$httpProvider.defaults.withCredentials = true;`).
2) With that set, the request fails due to the current backend CORS policy not allowing credentials. This would need the CORS_ALLOW_CREDENTIALS setting to be true (https://github.com/ottoyiu/django-cors-headers#cors_allow_credentials).
3) With that fixed, the frontend still wouldn't have the CSRF token to set via the X-CSRFToken header, since the cookie from which it is fetched (`csrftoken`) can only be accessed from the API's origin. The solution here seems to be to return the token in the login view response, store it in sessionStorage/localStorage (in the frontend's origin), and then set it manually in the $http calls.
4) Even with that fixed, we'd still hit the referrer check, so we would have to whitelist via CSRF_TRUSTED_ORIGINS too.

On the plus side with this approach, we could (once released) switch to Django 1.11's session-tied csrf token:
https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-CSRF_USE_SESSIONS
...and therefore skip the risk of a csrf cookie (subdomain and MITM issues).
Comment 3 (Assignee, 6 months ago)
I've figured out a way to do this using the webpack-dev-server proxy.

The first part for enabling this will land in bug 1363722.

After that, we need to:
1) Update to a newer webpack-dev-server that includes the fix for the security issue I reported (https://github.com/webpack/webpack-dev-server/issues/887)
2) Resolve the fact that stage/prod set the `secure` attribute on their cookies, which get ignored when proxied to a non-HTTPS localhost origin. This can be fixed via either:
  (a) using HTTPS for local development (pain due to self-signed certs etc)
  (b) stripping the secure attribute as part of proxying

I've opened an upstream PR for (2b):
https://github.com/nodejitsu/node-http-proxy/pull/1166
Assignee: nobody → emorley
Depends on: 1363722
Priority: -- → P2
Summary: Enable logging in with Taskcluster Auth cross-domain. → Allow logging into Treeherder when pointing the UI at the stage/prod API
Comment 4 (Assignee, 6 months ago)
(In reply to Ed Morley [:emorley] from comment #3)
> 1) Update to a newer webpack-dev-server that includes the fix for the
> security issue I reported
> (https://github.com/webpack/webpack-dev-server/issues/887)

We're now on the newer version as of bug 1364010:
https://github.com/mozilla/treeherder/commit/0c42d47c9d123a882668aae6f97716a81d2e85f5#diff-8ee2343978836a779dc9f8d6b794c3b2R6639

> I've opened an upstream PR for (2b):
> https://github.com/nodejitsu/node-http-proxy/pull/1166

Sadly no reply to the PR yet.
Depends on: 1364010
Updated (Assignee, 2 months ago)
Component: Treeherder → Treeherder: Docs & Development
Comment 5 (Assignee, 12 days ago)
(In reply to Ed Morley [:emorley] from comment #4)
> Sadly no reply to the PR yet.

Still no reply, sigh.

Though the workaround can be added via the config in our repo if needed, like so:
https://github.com/nodejitsu/node-http-proxy/pull/1166#issuecomment-328764776
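An added example (not code from the bug, the linked PR, or the Treeherder repo) of option (2b) from comment 3 and the in-repo workaround comment 5 refers to: a webpack-dev-server proxy hook that strips the `Secure` attribute from proxied Set-Cookie headers so stage/prod session cookies are accepted by a plain-http localhost origin. It assumes the proxy exposes http-proxy-middleware's `onProxyRes` hook and uses a placeholder in place of the real thServiceDomain.

```javascript
// Remove the `Secure` attribute from one Set-Cookie header value, keeping
// every other attribute (Path, HttpOnly, SameSite, ...) untouched.
// Assumes the attribute is a standalone ';'-separated token (RFC 6265 form).
function stripSecureAttribute(setCookie) {
  return setCookie
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.toLowerCase() !== 'secure')
    .join('; ');
}

// Rewrite every Set-Cookie header on a proxied response. Node's http module
// exposes `set-cookie` as an array; other headers are left as they are.
function rewriteSetCookieHeaders(headers) {
  const cookies = headers['set-cookie'];
  if (!Array.isArray(cookies)) return headers;
  headers['set-cookie'] = cookies.map(stripSecureAttribute);
  return headers;
}

// devServer.proxy entry (assumed shape; http-proxy-middleware `onProxyRes`).
// Only the local dev config should carry this: the browser would otherwise
// refuse the stage/prod `Secure` cookies on http://localhost, so without the
// rewrite the session is never established and login appears to fail.
const devServerProxy = {
  '/api': {
    target: 'https://PLACEHOLDER-thServiceDomain', // placeholder, not a real host
    changeOrigin: true,
    onProxyRes: (proxyRes) => {
      rewriteSetCookieHeaders(proxyRes.headers);
    },
  },
};
```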
Updated (Assignee, 9 days ago)
Blocks: 1416266