ecphp / cas-bundle

CAS Bundle, a standard Symfony bundle for authentication using CAS protocol.
https://ecphp-cas-bundle.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Client fetch requests for a secured API route return 302 redirect when already logged in #82

Closed bljohnsondev closed 1 year ago

bljohnsondev commented 1 year ago

Steps required to reproduce the problem

  1. Using a browser fetch (axios, etc.), make an API call to a secured route
  2. Secured route redirects to CAS even when the user is already logged in
  3. API call fails

Expected Result

Actual Result

Is every secured route redirected to CAS even when the user is logged in? When making an API call from the browser to a route that is secured it fails because the API call is being redirected to CAS. Is there a workaround for this or is this library not suitable for securing API endpoints?

drupol commented 1 year ago

Hello,

Using CAS to make an API call is not appropriate since making an API call is usually stateless.

It is possible to use this library to do that, but you have to use proxy tickets and I need to refresh my memory about this since I don't use it that often.

bljohnsondev commented 1 year ago

Well, it could work if the API call returned a 302 or 401 if the user wasn't already logged in (or if I could trap that and return a JSON response notifying the frontend that the user isn't authorized). If the user was already logged in, it would return the expected JSON response without the redirect. However, if that's not the intended use, I'll have to figure out a workaround.

Thanks for the reply, though!

drupol commented 1 year ago

I will investigate a bit more in the upcoming days; feel free to share your findings as well!

bljohnsondev commented 1 year ago

Will do! Thanks for looking into it.

EDIT: One thing to add - the "Usage" section in the documentation specifically says this:

If you try to reach a path using Ajax (X-Requested-With: XMLHttpRequest), there won’t be any redirection but an error 401 (Unauthorized).

This is the opposite of the behavior I'm seeing when logged in already. I'm getting the 302 redirect on an Ajax API call. This could absolutely be an issue with some misconfiguration on my part, though.

Also to note - my Symfony app hosts both the API endpoints (all under /api) and the frontend application (React+Encore). They both reside in the same app and should be subject to the same session-based security.

bljohnsondev commented 1 year ago

This issue has now been resolved. It was a two-fold issue on my part. I'll update this in case anyone else stumbles across this.

The first issue was with the 302 redirect. Due to the redirect, I was making a few assumptions on why this was happening. After reading the docs and seeing the comment I quoted previously, it got me thinking.

I use axios for handling API calls. Axios does not set the X-Requested-With: XMLHttpRequest header. I added this and retested which at least got me a little further. This started giving me a 401 unauthorized (as it should based on your previous commit).

That is when I realized that the local domain I'm using for development is slightly different from the domain the API calls were using (for example: hostname vs hostname.localdomain). They both resolve to the same place, but that slight difference means sessions don't work across them.

Adding the X-Requested-With and changing my API calls has fixed this issue.
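The two client-side fixes described above, as an added example that is not part of the issue or of the cas-bundle project: the request is forced onto the page's own origin (so the Symfony session cookie is actually sent) and carries `X-Requested-With: XMLHttpRequest` (so the bundle answers 401 instead of redirecting to CAS), and the response is classified so the frontend sees "unauthenticated" or "still redirected" instead of an opaque failure. The `origin` parameter stands in for `window.location.origin`; the response objects in the tests are constructed.

```javascript
// Added example (not the cas-bundle project's code, not the issue author's code).
// Fix 1: call the API on the page's own origin so the session cookie is sent
//        (hostname vs hostname.localdomain are different cookie scopes).
// Fix 2: send X-Requested-With: XMLHttpRequest so cas-bundle returns 401, not a 302.

// Build the URL and fetch() init for a same-origin API request.
// `origin` is normally window.location.origin; it is a parameter so this runs in Node.
function buildApiRequest(path, origin, method = 'GET') {
  const url = new URL(path, origin);
  if (url.origin !== new URL(origin).origin) {
    // Refuse to silently call another host: that is exactly the
    // hostname vs hostname.localdomain mismatch that dropped the session.
    throw new Error(`API path ${path} resolves off-origin (${url.origin})`);
  }
  return {
    url: url.toString(),
    init: {
      method,
      credentials: 'same-origin',            // send the Symfony session cookie
      redirect: 'manual',                    // never follow a redirect to the CAS login page
      headers: {
        Accept: 'application/json',
        'X-Requested-With': 'XMLHttpRequest', // axios and fetch do not set this by default
      },
    },
  };
}

// Map a fetch() Response to an outcome the frontend can act on.
// Only `status`, `ok` and `type` are read, so a plain object works in tests.
function classifyApiResponse(res) {
  if (res.type === 'opaqueredirect') {
    // With redirect: 'manual', a 3xx surfaces as an opaque redirect (status 0).
    // Since the Ajax header was sent, this means the server still redirected.
    return { state: 'redirected', hint: 'check X-Requested-With header and firewall config' };
  }
  if (res.status === 401) return { state: 'unauthenticated', hint: 'start the CAS login flow' };
  if (res.status === 403) return { state: 'forbidden', hint: 'logged in but not allowed' };
  if (res.ok) return { state: 'ok' };
  return { state: 'error', hint: `unexpected HTTP ${res.status}` };
}
```

In the browser the two pieces are used together: `const { url, init } = buildApiRequest('/api/users', window.location.origin); classifyApiResponse(await fetch(url, init));`.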

drupol commented 1 year ago

Very nice!!! Thanks for letting me know :)