iOS cannot login cofacts.tw

[MrOrz]

See: https://g0v.hackmd.io/@mrorz/cofacts-meeting-notes/%2F-Mth-vd5RPWqdLOfRJHHcg This is because

• currently the oauth callback (setting API cookie and redirect back) is using cofacts-api.g0v.tw, then redirect back to the original site
  • for instance, if logging in from cofacts.tw, during the oauth server flow, the user is being directed to:
    1. cofacts-api.g0v.tw, remember current path
    2. Facebook login
    3. cofacts-api.g0v.tw, getting the previously set redirect path
    4. cofacts.tw
• API calls to cofacts.g0v.tw from other domains like cofacts.org and cofacts.tw us considered ccross-site
• iOS now blocks third party cookie strictly, regardless of samesite: none is present or not.

Proposed change

When redirecting to original site, we fix the domain to cofacts.g0v.tw. In this way, cofacts.g0v.tw and cofacts-api.g0v.tw are considered same-site, then iOS can send login cookie along with it's request to API.

alternative

Use cofacts.tw as main site and redirect target, and connect to api.cofacts.tw for all domains. In this way cofacts.tw and api.cofacts.tw are also considered same-site.

[MrOrz]

From slack

問題的核心是 rumors-site 戳 API 的時候，無論是造訪 cofacts.org, cofacts.tw 還是 cofacts.g0v.tw，都是往同一個 API_URL。 這三個網域都需要放在 CORS whitelist 上面，不然會直接壞掉 但 login session 只會寫在 redirect back 的那個網域上，也就是 API_URL。 不管 API_URL 設成 api.cofacts.org, api.cofacts.tw 還是 cofacts-api.g0v.tw，都只能與網站三個網域中的一個網域 same-site，另外兩個網域，就會在 disable 3rd party cookie 的瀏覽器中遇到無法登入的狀況。