We're working with community non-profits who have a Host Home or empty bedrooms initiative to develop a workflow management tool to make the process scalable (across all providers), reduce institutional bias, and effectively capture data.
Overview
The backend API auth/session and auth/refresh endpoints always return a 401 UNAUTHORIZED response when called from the frontend app deployed locally using the default API and app configurations. Both of these endpoints rely on the session cookie to provide an updated JWT, but the session cookie is never attached to the backend API requests, so authentication always fails.
The major consequence of this bug is that the user is logged out whenever the web application is refreshed, or whenever the JWT expires and needs to be refreshed.
Interestingly, this bug is not present on the dev.homeunite.us deployment. The missing session cookies are due to a local configuration issue.
Root Cause
I've researched this issue and identified it as a cross-origin resource sharing issue. By default our backend application is deployed to 127.0.0.1:8080 and our frontend application to localhost:4040. The frontend development server forwards requests made to localhost:4040/api to localhost:8080.
Our session cookies are not sent with this configuration because:
1) 127.0.0.1 and localhost are considered two different domains by browser same-origin policies
2) same-origin policies prevent cookies from being shared between two different origins, unless the server enables CORS by setting the correct CORS headers in the cookie response.
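The two points above, as an added example that is not part of the original issue or the project's code: a small Node script that checks origin equality and cookie host scope for the hosts named in this issue (the sign-in path and which response set the cookie are assumptions).

```javascript
// Added illustration (not from the HomeUnite issue or repo) of the two root-cause
// points above. Hosts/ports come from the issue; sign-in path and cookie source are assumed.

// An origin is scheme + host + port (URL.host includes a non-default port).
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// Point 1: localhost and 127.0.0.1 are different origins, whatever the port.
function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Point 2: a cookie is scoped to the host that set it (RFC 6265 ignores the
// port), so the browser attaches it only to requests to that same host.
function cookieSentTo(cookieSetByUrl, requestUrl) {
  return new URL(cookieSetByUrl).hostname === new URL(requestUrl).hostname;
}
// For a cross-origin request to carry cookies, the response must name the page
// origin exactly (a wildcard is rejected with credentials) and opt in to them.
// `headers` is a plain object with lowercased header names.
function corsAllowsCredentials(headers, pageUrl) {
  return headers['access-control-allow-origin'] === originOf(pageUrl) &&
    headers['access-control-allow-credentials'] === 'true';
}
// Evaluate one local setup: page origin, API base the frontend calls, and the
// URL whose response set the session cookie at sign-in.
function checkSessionRefresh({ pageUrl, apiBase, cookieSetBy }) {
  const sessionUrl = new URL('auth/session', apiBase).toString();
  return {
    sessionUrl,
    crossOrigin: !isSameOrigin(pageUrl, sessionUrl),
    cookieSent: cookieSentTo(cookieSetBy, sessionUrl),
  };
}

// Constructed scenarios. Default setup (assumed): the cookie came back from the
// backend at 127.0.0.1:8080, while the page calls localhost:4040/api via the proxy.
const defaultSetup = checkSessionRefresh({
  pageUrl: 'http://localhost:4040/',
  apiBase: 'http://localhost:4040/api/',
  cookieSetBy: 'http://127.0.0.1:8080/api/auth/signin', // hypothetical path
});
// Workaround from the issue, with the app opened on the same host as the API base.
const workaround = checkSessionRefresh({
  pageUrl: 'http://127.0.0.1:4040/',
  apiBase: 'http://127.0.0.1:4040/api/',
  cookieSetBy: 'http://127.0.0.1:4040/api/auth/signin', // hypothetical path
});
```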
Reproduction Steps
1) Remove all unnecessary values from the app/.env and api/.env files (remove ROOT_URL and VITE_HUU_API_BASE_URL at least)
2) Run the development API using the default development configuration
3) Run the frontend app using the default development config (npm run dev)
4) Sign in
5) Refresh the page
6) Notice that:
   1) you are logged out
   2) the refresh & session requests failed with an auth error
   3) no session cookie was attached to the refresh and session endpoints
7) Shut down the frontend app
8) Update app/.env to set VITE_HUU_API_BASE_URL=http://127.0.0.1:4040/api/
9) Restart the frontend app
10) Sign in
11) Refresh the page
12) Notice that the refresh works now!
Action Items
Update the frontend/backend local build configuration to ensure that session cookies are attached to backend requests
Update the refresh and session endpoints to return a custom status code if the session cookie is missing
Write end-to-end integration tests to verify that refreshing the application and updating the JWT session works as expected
(Optional) Review the session cookie settings to see if the proper security configurations are being used
(Optional) Update the frontend vite development proxy to use a runtime value. The proxy is hard-coded to the target http://localhost:8080, but the backend could be deployed on a different port
(Optional) Explore ways to add an assertion to require that the frontend and backend application exist on the same domain. I may be able to achieve this by updating the session cookie configuration. If the two applications are served on different domains then we will need to update the backend to set the proper CORS headers.