qwc-services / qwc-services-core

QWC services core
MIT License
9 stars 8 forks source link

Multitenancy with tenant as subdomain - cookie issue #12

Closed qwenger closed 2 months ago

qwenger commented 3 months ago

Hi,

We would like to use multitenancy, but prefer to have the tenant name as a subdomain instead of as the head of the path. So scheme://tenant.some.domain/some/service instead of scheme://some.domain/tenant/some/service.

The doc is not very clear whether that setup is fundamentally unsupported or just not commonly used.

We found settings that almost work, as follows:

While basic requests then go through and maps are shown, not everything works. In particular, logging to qwc_admin gets stuck in a loop.

We diagnosed it as an issue in https://github.com/qwc-services/qwc-services-core/blob/v1.3.28/qwc_services_core/tenant_handler.py#L219: if we set neither a tenant name (TENANT_PATH_PREFIX without @tenant@) nor a service prefix (QWC_SERVICE_PREFIX not set), tenant_path_prefix() returns an empty string, so cookies end up sent with an empty Path= attribute and matching fails (if I understand the RFC correctly, this is because the attribute is then set client-side to the full path of the resource, so typically /auth/login because the POST happens there, hence /qwc_admin doesn't match).

After fixing that (https://github.com/qwenger/qwc-services-core/commit/04564cee96f121f66e3cdf53655baad87e422a42), it seems that everything works correctly so far.

So, a few questions:

Many thanks in advance!

manisandro commented 3 months ago

The subdomain approach is indeed seldom used, and hence hasn't received the same focus as the path approach. But it would be great to polish its support and add a example to the Documentation.

Regarding your fix: there is indeed an inconsistency here, as a matter of fact consumers of tenant_path_prefix are using

app.session_interface.tenant_path_prefix().rstrip("/") + "/"

So I believe the correct fix is to also append the trailing slash to the multi-tenant path, which would make the above "workarounds" unnecessary.

qwenger commented 2 months ago

This way of fixing it looks good to me. Would you consider integrating those changes? Or should I create a pull request myself?

manisandro commented 2 months ago

Please do create a PR