search

docusign / code-examples-node

Node.js code examples and launcher
https://developers.docusign.com/
MIT License
62 stars 52 forks source link

Example 44 uses production bundle instead of demo #59

Closed tylercollier closed 5 months ago

tylercollier commented 6 months ago

In views/pages/examples/eg044Embed.ejs, there is this on line 27:

<script src='https://js.docusign.com/bundle.js'></script>

Shouldn't it be

<script src='https://js-d.docusign.com/bundle.js'></script>

Also, I'm not sure where else to report this, but the source maps are missing in the file https://docucdn-a.akamaihd.net/demo/1ds/widgets/@ds/signing/24.3.40-4/signing_iframeless_mobile.172.js?cs=539be489332502f5e410. Can you add the sourcemaps?

The reason I report it is because I'm having trouble with embedded signing. I'm trying to combine examples 13 and 44 to use a server side template but with embedded+focused signing, which I can get working with redirect signing (I think this is called embedded signing as opposed to remote signing, but it's not focused), but not embedded+focused signing. With the non-modified example 44 that uses window.DocuSign.loadDocuSign(), I can see that signing_iframeless_mobile.172.js issues an XHR request for https://demo.docusign.net/Signing/DocuSignXML.aspx?abc=123..., but it's not making that fetch with my attempt to piece together examples 13 and 44. If I had the sourcemaps, maybe I could figure out why.

InbarGazit commented 6 months ago

On your first question about the URL for bundle.js, no, this is the same exactly JavaScript code, it doesn't matter which environment you're using. You can use either URL.

InbarGazit commented 6 months ago

As for your second question, not sure about that, I'll have to talk to the people who own that code, but to do examples 13 + 44 what you have to do is make an extra API call to update the frameOriginto allow to use Focused View which means you load DocuSign inside a DIV in a different website.

tylercollier commented 6 months ago

If you can talk to the people who own that code and point me in the right direction like a different support page, that’d help. There are no error messages so I’m not able to diagnose.

I did see in example 44 that there were several layers of iframes which seemed odd. I tried looking into your suggestion. I didn’t find anything about frameOrigin specifically. I did find similar stuff in the content security policy response header, but 1) Using the API, I’m not sure how to trigger DocuSign to include it, and 2) I don’t understand why combining examples 13 and 44 (as in, using a template plus focused view) would make it behave differently than example 44.

tylercollier commented 5 months ago

I contacted DocuSign support. I'll update here if we end up figuring it out.

tylercollier commented 5 months ago

Turns out there are error messages:

Selection_861

Refused to display 'https://account-d.docusign.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Refused to display 'https://account-d.docusign.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Refused to display 'https://account-d.docusign.com/' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Refused to frame 'http://localhost:3000/' because it violates the following Content Security Policy directive: "frame-src 'self' https://docucdn-a.akamaihd.net/ https://apps-d.docusign.com https://demo.docusign.net https://account-d.docusign.com https://proof-d.docusign.net https://identity-d.docusign.net https://content.googleapis.com https://docs.google.com https://players.brightcove.net https://www.youtube.com https://accounts.google.com https://docusign.sjv.io https://docusign.co1.qualtrics.com/ https://apps.usw2.pure.cloud".

I didn't see them at first because... they weren't there. I don't know why this is, but the first 2 messages show up after 10 minutes. The third one shows up at 20. The fourth shows up at 21 minutes.

InbarGazit commented 5 months ago

Does your template include any sort of recipient authentication like IDV?

InbarGazit commented 5 months ago

These errors usually mean that either you're trying to do something that's not allowed cross-frame (which requires authentication) or that you didn't set the properties correctly for Focused View to allow frameAncestors

tylercollier commented 5 months ago

You're right! Unsurprisingly, I just missed it in the documentation AND the examples.

For anyone else finding this:

Here's the documentation: https://developers.docusign.com/docs/esign-rest-api/esign101/concepts/embedding/

Look in the section titled "Update your existing embedded signing flow to use focused view", and look at step 1 which shows:

Example recipientViewRequest

{
  "returnUrl":"http://my.return.url.here.com",
  "authenticationMethod":"my_authentication_method",
  "email":"my_email",
  "userName":"my_username",
  "clientUserId":"my_client_user_id",
  "frameAncestors":[
     "https://my.site.com",
     "https://apps-d.docusign.com"
  ],
  "messageOrigins":[
     "https://apps-d.docusign.com"
  ]
}

The code was also in example 44, in the lib/eSignature/examples/focusedView.js file, at the end fo the makeRecipientViewRequest() method:

viewRequest.frameAncestors = ["http://localhost:3000", "https://apps-d.docusign.com"];
viewRequest.messageOrigins = ["https://apps-d.docusign.com"]

After I copied those lines into my example 13 (the one I'd modified to use embedded+focused), it worked.

Thanks for your help!