Fix / Allow callbacks in federated auth workflow (#481)

* Only use a single instance of the login content resource loader * Set same site cookie restrictions back to the HTTP default
finos · Dec 12, 2024 · 2330dff · 2330dff
1 parent a27fd02
commit 2330dff
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 12 deletions.
diff --git a/...p-libs/tracdap-lib-auth/src/main/java/org/finos/tracdap/auth/login/Http1LoginHandler.java b/...p-libs/tracdap-lib-auth/src/main/java/org/finos/tracdap/auth/login/Http1LoginHandler.java
@@ -49,12 +49,13 @@ public class Http1LoginHandler extends ChannelInboundHandlerAdapter {
 
     private static final int PENDING_CONTENT_LIMIT = 64 * 1024;
 
+    private static final LoginContent LOGIN_CONTENT = new LoginContent();
+
     private final Logger log = LoggerFactory.getLogger(getClass());
 
     private final AuthenticationConfig authConfig;
     private final JwtProcessor jwtProcessor;
     private final ILoginProvider loginProvider;
-    private final LoginContent loginContent;
 
     private final String defaultReturnPath;
 
@@ -69,7 +70,6 @@ public Http1LoginHandler(
         this.authConfig = authConfig;
         this.jwtProcessor = jwtProcessor;
         this.loginProvider = loginProvider;
-        this.loginContent = new LoginContent();
 
         this.defaultReturnPath = authConfig.hasReturnPath()
                 ? authConfig.getReturnPath()
@@ -243,7 +243,7 @@ private void serveLoginOk(ChannelHandlerContext ctx, HttpRequest request, Sessio
                     .map(s -> URLDecoder.decode(s, StandardCharsets.UTF_8))
                     .orElse(defaultReturnPath);
 
-            content = loginContent.getLoginOkPage(returnPath);
+            content = LOGIN_CONTENT.getLoginOkPage(returnPath);
             headers = Http1Headers.fromGenericHeaders(content.headers());
 
             AuthHelpers.addClientAuthCookies(headers, token, session);
@@ -271,7 +271,7 @@ private void serveLoginOk(ChannelHandlerContext ctx, HttpRequest request, Sessio
 
     private void serveStaticContent(ChannelHandlerContext ctx, HttpRequest request) {
 
-        var content = loginContent.getStaticContent(request);
+        var content = LOGIN_CONTENT.getStaticContent(request);
         var headers = Http1Headers.fromGenericHeaders(content.headers());
 
         var response = new DefaultFullHttpResponse(

diff --git a/...cdap-lib-auth/src/main/java/org/finos/tracdap/auth/login/simple/BuiltInLoginProvider.java b/...cdap-lib-auth/src/main/java/org/finos/tracdap/auth/login/simple/BuiltInLoginProvider.java
@@ -35,12 +35,12 @@ class BuiltInLoginProvider implements ILoginProvider {
 
     private static final Logger log = LoggerFactory.getLogger(BuiltInLoginProvider.class);
 
-    private final LoginContent loginContent;
+    private static final LoginContent LOGIN_CONTENT = new LoginContent();
+
     private final IUserDatabase userDb;
 
     public BuiltInLoginProvider(ConfigManager configManager) {
 
-        this.loginContent = new LoginContent();
         this.userDb = SimpleLoginPlugin.createUserDb(configManager);
     }
 
@@ -72,7 +72,7 @@ private LoginResult checkLoginRequest(CommonHttpRequest request) {
         if (usernameParam == null || usernameParam.size() != 1 ||
             passwordParam == null || passwordParam.size() != 1) {
 
-            var loginFormPage = loginContent.getLoginFormPage();
+            var loginFormPage = LOGIN_CONTENT.getLoginFormPage();
             return LoginResult.OTHER_RESPONSE(loginFormPage);
         }
 
@@ -86,7 +86,7 @@ private LoginResult checkLoginRequest(CommonHttpRequest request) {
         }
         else {
 
-            var loginFormPage = loginContent.getLoginFormPage();
+            var loginFormPage = LOGIN_CONTENT.getLoginFormPage();
             return LoginResult.OTHER_RESPONSE(loginFormPage);
         }
     }

diff --git a/tracdap-libs/tracdap-lib-common/src/main/java/org/finos/tracdap/common/auth/AuthHelpers.java b/tracdap-libs/tracdap-lib-common/src/main/java/org/finos/tracdap/common/auth/AuthHelpers.java
@@ -244,10 +244,10 @@ void setClientCookie(
 
         var cookie = new DefaultCookie(cookieName.toString(), cookieValue);
 
-        // TODO: Can we know the value to set for domain?
-
-        // Do not allow sending TRAC tokens to other end points
-        cookie.setSameSite(CookieHeaderNames.SameSite.Strict);
+        // Allow using the TRAC auth cookie when navigating in from other domains (this is the default)
+        // This is necessary to work as expected with some federated flows (and is also the HTTP default)
+        // TODO: This setting could be made a config parameter for the login auth provider
+        cookie.setSameSite(CookieHeaderNames.SameSite.Lax);
 
         // Make sure cookies are sent to the API endpoints, even if the UI is served from a sub path
         cookie.setPath("/");