Comments (7)
zebox
commented on August 18, 2024
2
I reproduced the issue in chrome-extension using the Auth package (with local provider). Yes, extension not save cookies in extension context, but you can try get it use chrome.cookies API.
For example:
chrome.cookies.get({ "url": "https://127.0.0.1", "name": "XSRF-TOKEN" }, function (cookie) {
console.log(cookie);
});
chrome.cookies.get({ "url": "https://127.0.0.1", "name": "JWT" }, function (cookie) {
console.log(cookie);
});And you get results in JSON:
domain: "127.0.0.1"
expirationDate: 1595440998.066463,
hostOnly: true
httpOnly: false
name: "XSRF-TOKEN"
path: "/"
sameSite: "unspecified"
secure: false
session: false
storeId: "0"
value: "0f0289c3849274e48f98efb61f237006ef76ff01",
domain: "127.0.0.1"
expirationDate: 1595440998.06642
hostOnly: true
httpOnly: true
name: "JWT"
path: "/"
sameSite: "unspecified"
secure: false
session: false
storeId: "0"
value: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTUzNTQ4OTgsI..."
Notice that you must set appropriate permission in manifest file for access to cookies api:
"permissions": [
...
...
"http://*/*",
"https://*/*",
"cookies"
],from auth.
umputun
commented on August 18, 2024
1
Or is their any way to circumvent this for development and able to get cookies and keep Auth enabled?
This is what basic auth for. You can allow basic auth for your local development. Another thing you can try (in dev environment) is to disable XSRF check.
from auth.
umputun
commented on August 18, 2024
Confused a little bit. I'm not sure how exactly the chrome extension reports the domain and work with cookies, but why this issue limited for XSRF-TOKEN only? It also should affect JWT cookie exactly the same way. If so, disabling XSRF-TOKEN cookie verification won't help much.
Generally speaking, the idea of disabling XSRF-TOKEN will open a door for CSRF attack. Back in days, the first consumer of this library had several CSRF issues, like this one. I'm not sure how relevant those issues for your case, but to me, the idea of disabling XSRF-TOKEN sounds dangerous.
from auth.
kleash
commented on August 18, 2024
Yeah you are right, I don't want to disable CSRF protection as I have webapp for same. I need a way to somehow send XSRF token to my chrome plugin.
Do you have any option to populate XSRF TOKEN in header instead of cookie?
from auth.
umputun
commented on August 18, 2024
Are you sure XSRF-TOKEN is the only problem? You can disable it with an existing DisableXSRF parameter to check if it "solves" the problem. I think you will still have a similar issue with JWT token
from auth.
kleash
commented on August 18, 2024
@zebox Thanks for quick verification. I did try your method and it seems to work perfectly. 👍
I have one last question, maybe we can close this issue afterwards.
Let's say I have deployed my Go webserver at api.domain.com. Normally we will deploy fronted under same domain and everything works just fine.
But if we want to let's say test our fronted from local dev pc, but with remote backend. Obviously it won't work now as browser won't allow localhost website to access the cookies from api.domain.com. In this scenario, we need to disable Auth/XSRF for development, right? Or is their any way to circumvent this for development and able to get cookies and keep Auth enabled?
from auth.
kleash
commented on August 18, 2024
Got it. Thanks
from auth.
Related Issues (20)
- Support OpenID and 3rd party IdTokens with cookie-less authentication HOT 7
- Auth status handler panics if user didn't finish the auth process HOT 2
- Support work/school accounts from Azure AD in addition to personal Microsoft accounts
- Bug: auth should also check if xsrf token is set in cookies after checking via headers HOT 12
- twitter oauth now required to use oauth2 - unless you have elevated access HOT 4
- Give an access to bearer token, aquired during authentication proccess HOT 12
- Avatar store connection problems HOT 1
- Bug: (/_example) Using "Login with custom_123" results in "Invalid Request" HOT 2
- [Q] Why don't we use refresh token? HOT 2
- Password in GET is Insecure HOT 1
- Add Mastodon? HOT 1
- 2fa support
- Cannot disable avatar support HOT 4
- Dependency error while downloading auth on Go 1.20 HOT 4
- How to implement Google One Tap
- User email and info on Google Log in
- remove bluemonday as an unreliable dependency HOT 2
- Is there a way to use the token after login? HOT 1
- Telegram auth doesn't set "aud" in JWT token after login
- Request more than one info url HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from auth.