efim
/
go-ssr-pocketbase-oauth-attempt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix: setting Secure behind nginx 

bug was due to having explicit 'serve --http=address' when running
behind nginx on NixOS server
So either a more complicated check was required, or just setting
Secure=true unconditionally.

This seems to be a better way, because Firefox already allows secure
cookies beng sent and received from localhost for dev purposes, and
Chromium does too
This commit is contained in:
efim 2023-10-09 04:50:33 +00:00
parent 2a3d00839f
commit 591aea717b
3 changed files with 35 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
auth-notes.org
View File

@ -214,6 +214,31 @@ this is all that's needed to enable tls
mind blown
** DONE somehow set cookie to httpOnly & secure
with ability to disable for development session
*** a complication
since i'm under the nginx, i can't just match on the serving address :
#+begin_src
[efim@franzk:~]$ systemctl status pb-auth-example-app.service
● pb-auth-example-app.service - Exercise app auth-pocketbase-attempt
Loaded: loaded (/etc/systemd/system/pb-auth-example-app.service; enabled; preset: enabled)
Active: active (running) since Mon 2023-10-09 04:29:20 UTC; 1min 17s ago
Main PID: 411857 (auth-pocketbase)
Tasks: 13 (limit: 629145)
Memory: 28.3M
CPU: 148ms
CGroup: /system.slice/pb-auth-example-app.service
└─411857 /nix/store/czq95bjhwszasncp8f04d9yn4m0xf4kw-auth-pocketbase-attempt-0.0.1/bin/auth-pocketbase-attempt serve --http 127.0.0.1:45001 --dir=/home/pb-auth-example-app-user
Oct 09 04:29:20 franzk systemd[1]: Started Exercise app auth-pocketbase-attempt.
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Warning: starting server with cookie Secure = false!
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Server started at http://127.0.0.1:45001
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: ├─ REST API: http://127.0.0.1:45001/api/
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: └─ Admin UI: http://127.0.0.1:45001/_/
#+end_src
*** so, custom arg is required, hello
https://github.com/pocketbase/pocketbase/discussions/1900
*** holy cow, Firefox and later Chrome will accept Secure cookie on localhost
https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost
** TODO maybe add middleware so that 401 would be a page, and not json
** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?

7
main.go
View File

@ -2,8 +2,6 @@ package main
import (
"log"
"strings"
"github.com/pocketbase/pocketbase"
"sunshine.industries/auth-pocketbase-attempt/middleware"
"sunshine.industries/auth-pocketbase-attempt/pages"
@ -12,10 +10,7 @@ import (
func main() {
app := pocketbase.New()
servedName := app.Settings().Meta.AppUrl
isTlsEnabled := strings.HasPrefix(servedName, "https://")
middleware.AddCookieSessionMiddleware(app, isTlsEnabled)
middleware.AddCookieSessionMiddleware(app)
pages.AddPageRoutes(app)
if err := app.Start(); err != nil {

15
middleware/auth.go
View File

@ -1,7 +1,6 @@
package middleware
import (
"log"
"net/http"
"github.com/labstack/echo/v5"
@ -15,9 +14,7 @@ import (
const AuthCookieName = "Auth"
func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
log.Println("Warning: starting server with cookie Secure = false!")
func AddCookieSessionMiddleware(app *pocketbase.PocketBase) {
app.OnBeforeServe().Add(func(e *core.ServeEvent) error {
e.Router.Use(loadAuthContextFromCookie(app))
return nil
@ -29,7 +26,7 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
Name: AuthCookieName,
Value: e.Token,
Path: "/",
Secure: isTlsEnabled,
Secure: true,
HttpOnly: true,
})
e.HttpContext.SetCookie(&http.Cookie{
@ -43,12 +40,12 @@ func AddCookieSessionMiddleware(app *pocketbase.PocketBase, isTlsEnabled bool) {
Name: AuthCookieName,
Value: e.Token,
Path: "/",
Secure: isTlsEnabled,
Secure: true,
HttpOnly: true,
})
return nil
})
app.OnBeforeServe().Add(getLogoutRoute(app, isTlsEnabled))
app.OnBeforeServe().Add(getLogoutRoute(app))
}
func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
@ -92,7 +89,7 @@ func loadAuthContextFromCookie(app core.App) echo.MiddlewareFunc {
}
// render and return login page with configured oauth providers
func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool) func(*core.ServeEvent) error {
func getLogoutRoute(app *pocketbase.PocketBase) func(*core.ServeEvent) error {
return func (e *core.ServeEvent) error {
e.Router.GET("/logout", func(c echo.Context) error {
c.SetCookie(&http.Cookie{
@ -100,7 +97,7 @@ func getLogoutRoute(app *pocketbase.PocketBase, isTlsEnabled bool) func(*core.S
Value: "",
Path: "/",
MaxAge: -1,
Secure: isTlsEnabled,
Secure: true,
HttpOnly: true,
})
c.Response().Header().Add("HX-Trigger", "auth-change-event")