hotwired / turbo

The speed of a single-page web application without having to write any JavaScript
https://turbo.hotwired.dev
MIT License

set-cookie header is ignored when Turbo Drive is enabled #701

Open felix185 opened 2 years ago

felix185 commented 2 years ago

Hi! I developed a simple application using Turbo (version 7.1.0), the starting point is the following HTML snippet

<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
        <title>TODO App</title>
        <link rel="stylesheet" href="css/todoApp.css">
        <script crossorigin="anonymous" src="https://unpkg.com/@hotwired/turbo@7.1.0/dist/turbo.es2017-umd.js"></script>
    </head>
    <body>
        <h1>TODO App</h1>
        <ul>
            <li><a href="/">Turbo Frames</a></li>
            <li><a href="/stream">Turbo Frames & Turbo Streams</a></li>
            <li><a href="/sse">Turbo Frames & Turbo Streams with SSE</a></li>
            <li><a href="/secure">Secure Todo App</a></li>
        </ul>
    </body>
</html>

When clicking on "Secure Todo App" to follow /secure, the following should happen:

  1. Check whether the user is authenticated
  2. If the user is not authenticated -> redirect to the Keycloak login as OIDC provider
  3. After successful login, redirect from Keycloak to /secure

Now I'm facing the issue that if the user is not yet authenticated, the request to /secure responds with HTTP status 302 with a redirect location and also a Set-Cookie header (which is fine). But as soon as the browser follows the redirect location to Keycloak, the cookie I received during the first request is not sent to Keycloak along with the redirect request, which causes a failure. There is also a CORS error, although I added my application (running on localhost:8080) to the list of allowed origins in Keycloak.

By disabling Turbo for the /secure link using <a href="/secure" data-turbo="false">, everything works fine (the cookie is set and sent along with the request to Keycloak). I don't really want to disable Turbo for the link, because I would like smooth navigation if the user is already logged in. Is there any configuration I'm missing? Or is there a bug in Turbo Drive's cookie handling?

This seems similar to https://github.com/hotwired/turbo/issues/401

Thanks for your help.

felix185 commented 2 years ago

After double checking other issues, behavior is as described in https://github.com/hotwired/turbo/issues/203