ministryofjustice / analytics-platform

Parent repository for the MOJ Analytics Platform
MIT License

NOMIS login for AP not working for some Quantum users #113

Closed davidread closed 4 years ago

davidread commented 4 years ago

The Auth0 login page (for SDT) doesn't show for some users - this includes various prison staff (Quantum). It doesn't affect me when using it on Quantum at HQ.

This is what they see: [image]

This is what they should see:

[image: Screen Shot 2019-09-30 at 11 26 33]

They are using Firefox 52ESR. We've tried this on our Macbooks and it loads it fine.

The page load stopping at this point suggests a problem with https://cdn.auth0.com/js/lock/11.3/lock.min.js being loaded & run. The user is able to browse to that URL ok and see the JS, so it is not blocked. However, the SHA error suggests the JavaScript files lock.min.js and Sentry JS are corrupted en route: 'None of the "sha384" hashes in the integrity attribute match the content of the subresource', to do with Sentry and Auth0Lock.

This issue is also noted in our SDT Trello: https://trello.com/c/a3aW3Vey/39-auth0-page-doesnt-load-properly

r4vi commented 4 years ago

It feels like there is a content inspection proxy server in the way, and it somehow changes the Sentry JS, causing the sha384 error. It is probably doing this for the traffic to the rshiny app, causing problems with inputs being cleared too.

davidread commented 4 years ago

JP reports what seems like a related issue with Shiny app prison-network-app:

The data that has been inputted into a text box regularly gets wiped. Whenever they zoom out, click on another tab, or try to adjust their search, the data often gets wiped. This is using the visNetwork and igraph packages to visualise networks as well as some radio buttons etc. to filter the network being plotted. No errors show up in Kibana and I've turned off as many websockets as I can I think.

r4vi commented 4 years ago

By "I've turned off as many websockets as I can I think." Joe means the ALLOWED_PROTOCOLS for sock.js as described here: https://github.com/ministryofjustice/analytics-platform-shiny-server#configuration

davidread commented 4 years ago

The users in question have reported they have fixed the issue. This was achieved by installing HMPSNOMSROOT.crt into Firefox as a trusted root Certificate Authority (CA). So I guess they have a MITM which was rejecting these requests (but not others?).
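
The sha384 integrity error quoted earlier in this thread can be reproduced offline. The following is an added example, not code from the issue or from the analytics-platform project: it recomputes the Subresource Integrity value for the bytes a client actually received and applies the browser's rule that only the strongest listed algorithm is checked. The function names and the sample script bytes are constructed for illustration.

```python
import base64
import hashlib

# Relative strength used to pick which listed algorithm is enforced.
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_token(body: bytes, alg: str = "sha384") -> str:
    """SRI token ("alg-base64digest") for the exact bytes received."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")

def parse_integrity(attr: str) -> dict:
    """Map each supported algorithm in an integrity attribute to its digests."""
    parsed = {}
    for token in attr.split():
        alg, sep, digest = token.split("?", 1)[0].partition("-")
        if sep and alg.lower() in _STRENGTH:
            parsed.setdefault(alg.lower(), set()).add(digest)
    return parsed

def sri_matches(body: bytes, attr: str) -> bool:
    """Mirror the browser check: only the strongest listed algorithm counts."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no usable metadata means nothing is enforced
    strongest = max(parsed, key=_STRENGTH.get)
    return sri_token(body, strongest).partition("-")[2] in parsed[strongest]

# Constructed sample data: a stand-in for the script as published, and the
# same script with bytes changed somewhere between the CDN and the browser.
PUBLISHED = b"window.Auth0Lock = function () {};\n"
RECEIVED = PUBLISHED + b"/* constructed: bytes added in transit */\n"
INTEGRITY = sri_token(PUBLISHED, "sha384")

def diagnose(body: bytes, attr: str) -> str:
    """Report whether the received bytes satisfy the page's integrity value."""
    if sri_matches(body, attr):
        return "match"
    return "mismatch: received " + sri_token(body, "sha384")

if __name__ == "__main__":
    print("published:", diagnose(PUBLISHED, INTEGRITY))
    print("received: ", diagnose(RECEIVED, INTEGRITY))
```

Running `sri_token` over the file as saved on an affected workstation and on an unaffected one shows whether the two networks deliver the same bytes for the same URL.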