Nebula Hub local server - connection to on premise Qlik Sense Server

[jeff-1984]

🐛 Bug report

I am trying nebula.js, following this page : https://qlik.dev/extend/extend-quickstarts/first-extension/ I have access to a Qlik Sense Enterprise server installed locally on a windows server.

The Nebula Hub page says : ` Qlik Sense Enterprise on Windows WebSocket URL format: wss:/// Example: wss://mycompany.com/bi

Note that for the Qlik Sense Proxy to allow sessions from this webpage, myserver:8000 needs to be whitelisted in QMC in your Qlik Sense Enterprise on Windows deployment. In addition, you need to enable Has secure attribute and set SameSite attribute to None. Make sure you are logged in to Qlik Sense in another browser tab. `

• I created a virtual proxy, whitelisted the URL, set the flags, and I am logged on the hub for that virtual proxy (with admin access)
• The Nebula hub displays "Something went wrong, check the devtools console"
• If I inspect the websocket when doing this, I see that the hub is sending "GetConfiguration" but the server answers "OnAuthenticationInformation" and send the authentication redirect URL

It seems the authentication cookie is not sent, compared to what is send on the websocket when I open a Qlik Sense app through the HUB.

Can you help, any advice ?

Thanks

[Caele]

I did some testing and initially ran into the secure/sameSite issue but after updating the default virtual proxy it worked as intended.

One issue I noticed was the lack of a proper error, as the intended one should state: In your virtual proxy advanced settings in the QMC, make sure to whitelist ${window.location.host}, ensure "Has secure attribute" is enabled and that "SameSite attribute" is set to "None"., But it gets overwritten by Failed to get configuration. - we'll look into that

Before I updated the virtual proxy I could observe the same pattern as you, the websocked connects but the last message is "OnAuthenticationInformation" follwed by the socked closing. By debugging Nebula I could see that the code actually gets that message here: https://github.com/qlik-oss/nebula.js/blob/master/commands/serve/web/hooks/useConnection.js#L66

To be sure, can you instead of creating a new virtual proxy update the default one?

I got it working with a new virtual proxy as well, by using this:

• Host allow list: add your server here, so example: server.domain.com
  • Did not need to add my localhost url to that list
• Engine URL: wss://server.domain.com/{proxyprefix}

[jeff-1984]

Hello Caele,

Thank you for testing and investigating !

Ok for the error that is not well managed, it will be easier to understand what is going on with a better message displayed.

Unfortunately I cannot update the default proxy, there is a other people working on the server and authenticating through that one.

Yeserterday, I am sure I checked the flag "has secure attribute" + same site "none", and added the nubula hub page url to the whitelist, and that was not working. But I will re-check next week.

It seems my authentication cookie, available on the classic QS hub, was not available for the page nubula hub... Thinking about it, isn't that normal ? This is not the same page, should the nebula hub page have access to the cookie of the QS page ?

Maybe it would be nice to be able to set the authentication cookie/token on the nebula hub page ?

Or we could also provide the server certificate + user id to use to allow session creation with QRS ticket APIs ?

Thank you again ! JF

[Caele]

Another FYI: I tested enabling the Chrome third-party cookies phaseout flag and that gives the same error.

[flash-222]

I also encountered a problem connecting to the on premise Qlik Sense Server. QMC has several virtual proxies. For development we use the version with the dev prefix. In the Advanced section I set the following properties:

• Extended security environment: unchecked
• Session cookie domain: empty
• Has secure attribute (https): checked
• SameSite attribute (https): None
• Has secure attribute (http): unchecked
• SameSite attribute (http): None
• Additional response headers: Vary: Origin

List of allowed hosts:

• http://localhost:8000

In the Engine Connection tab, I try to connect to the development server by providing the following WebSocket URL:

wss://my.company.com/dev

But I get an error:

eHub.js:2 WebSocket connection to 'wss://my.company.com/app/engineData' failed

In the Network tab in DevTools I see the following:

Request URL in engineData Headers section is the following:

wss://my.company.com/app/engineData

As you can see, the virtual proxy prefix dev is not taken into account. Could this be causing the error?

[flash-222]

@Caele Сould you please help with the situation described above?

[Caele]

@flash-222 I believe you are correct, its missing the prefix in that case. Looking into it.

[flash-222]

Thanks @Caele! The issue has been fixed in 4.11.0 and everything works as expected.