grpc-web: Using server streaming with authboss the call remains in pending state (and doesn't work)

[frederikhors]

Versions of relevant software used

github.com/improbable-eng/grpc-web v0.14.0

What happened

I have been using grpc-web for a long time (it's such a pleasure, THANKS!).

I'm using it with authboss too.

Today I had to test the gRPC server streaming and after HOURS of trying I found a strange issue described below:

• main.go:

package main

import (
    "github.com/volatiletech/authboss/v3/remember"
    "net/http"

    "github.com/go-chi/chi/v5"
    "github.com/go-chi/chi/v5/middleware"
    _ "github.com/volatiletech/authboss/v3/auth"
    _ "github.com/volatiletech/authboss/v3/logout"
)

func main() {
  // ... get config and db
  authb := InitAuthboss(config, db)
    chiRouter := chi.NewRouter()
  grpcwebServer := grpcweb.WrapServer(grpc.NewServer())

    chiRouter.Use(authb.LoadClientStateMiddleware, remember.Middleware(authb))

    chiRouter.Group(func(r chi.Router) {
        r.Use(authboss.Middleware2(authb, authboss.RequireNone, authboss.RespondUnauthorized))
        r.Post("/grpc", grpcWebServer.ServeHTTP)
    })

    chiRouter.Group(func(r chi.Router) {
        r.Mount(config.AuthURL, http.StripPrefix(config.AuthURL, authb.Config.Core.Router))
    })

    // ... startServer
}

func InitAuthboss(config *Config, dbPG *DB) *authboss.Authboss {
    var (
        ab                 = authboss.New()
        database           = newDBStorer(config, dbPG)
        cookieStoreKey, _  = base64.StdEncoding.DecodeString(config.CookieStoreKey)
        sessionStoreKey, _ = base64.StdEncoding.DecodeString(config.SessionStoreKey)
        cookieStore        = abclientstate.NewCookieStorer(cookieStoreKey, nil)
        sessionStore       = abclientstate.NewSessionStorer(config.ProjectName, sessionStoreKey, nil)
        cstore             = sessionStore.Store.(*sessions.CookieStore)
    )
    cookieStore.HTTPOnly = true
    cookieStore.Secure = config.IsProduction
    cookieStore.Domain = config.CookiesDomain
    cookieStore.SameSite = http.SameSiteStrictMode
    cookieStore.MaxAge = int(config.CookiesRemembermeMaxageTime.Seconds())
    cstore.Options.HttpOnly = true
    cstore.Options.Secure = config.IsProduction
    cstore.Options.Domain = config.CookiesDomain
    cstore.Options.SameSite = http.SameSiteStrictMode
    cstore.Options.MaxAge = int(config.CookiesSessionMaxageTime.Seconds())
    ab.Config.Paths.RootURL = config.SiteURL
    ab.Config.Storage.Server = database
    ab.Config.Storage.SessionState = sessionStore
    ab.Config.Storage.CookieState = cookieStore
    ab.Config.Modules.LogoutMethod = "GET"
    ab.Config.Core.ViewRenderer = defaults.JSONRenderer{}
    defaults.SetCore(&ab.Config, true, false)
    ab.Config.Core.Redirector = &defaults.Redirector{Renderer: &defaults.JSONRenderer{}, CorceRedirectTo200: true}

    err := ab.Init()
    if err != nil {
    panic(err)
  }

    return ab
}

I'm trying to use protobuf-ts but I don't get messages from server until connection is closed.

I'm using Svelte 3 like this:

<script lang="ts">
  import { onDestroy, onMount } from "svelte";

  const transport = new GrpcWebFetchTransport({
    baseUrl: "/",
    format: "binary",
  });

  const service = new EventServiceClient(transport);

  const abortController = new AbortController();

  onMount(async () => {
    const call = service.flow({}, { abort: abortController.signal });

    for await (const response of call.responses) {
      console.log("got another response!", response);
    }
  });

  onDestroy(() => abortController.abort());
</script>

The call in in pending state for about 2.2 min. After that I get all messages logged in console.

If I change this line:

chiRouter.Use(authb.LoadClientStateMiddleware, remember.Middleware(authb))

to:

chiRouter.Use(remember.Middleware(authb))

(removing authb.LoadClientStateMiddleware) it works!

Why?

Can you suggest me something?

[frederikhors]

Here is the code for that middleware: https://github.com/volatiletech/authboss/blob/master/client_state.go#L123.

[johanbrandhorst]

Sounds like some sort of timeout is being hit. I don't know why the middleware is causing the server to wait, I can't see it doing anything suspicious with the request body at a first glance. I'd probably just try and debug it more!

[frederikhors]

authboss's author, @aarondl, answered this here:

The response is always closed, it's a guarantee by the stdlib nowadays. Now because you're using grpc in some fashion that might be different maybe they're doing their own weird http things.

Authboss's middleware is pretty simple, when a request comes in it gives the request to LoadClientState which gives it to your ClientStateReadWriter to extract client state variables out. It collects session and cookie changes in memory and when someone calls WriteHeader or Write it will flush those out to the response. In essence that's how it works. I'm not sure exactly where things are going wrong here because there's quite a few layers.

But I'd suggest reading client_state.go and take a look at the ClientStateResponseWriter which is likely the trouble spot. Notably calls to hijack() will fail completely and if they're using hijack that might be a problem?

Are you using hijack here?

[johanbrandhorst]

Most of the logic is in this file: https://github.com/improbable-eng/grpc-web/blob/master/go/grpcweb/wrapper.go. We're doing some wrapping of the body, but I don't think we're using Hijack, unless you're using websockets and it's done by our websocket library.

[frederikhors]

unless you're using websockets and it's done by our websocket library

Nope.