robwebdev / ember-cli-staticboot

MIT License

Feature request: pass cookies from command line #19

Closed lolmaus closed 7 years ago

lolmaus commented 7 years ago

I would like my StaticBoot app to fetch some data via authenticated requests, then shoebox the result.

Authentication credentials should not leak into the browser sources, so I can't use normal env vars.

The simplest solution seems to be the following:

  1. Use Ember Simple Auth (fastboot branch)
  2. Authenticate in the browser app
  3. Copy the ESA cookie
  4. Somehow tell StaticBoot to use this cookie when making requests to the FastBoot-served app.
  5. ESA would restore the session from the cookie and let Ember Data do authenticated requests.

The only part missing is step 4.

robwebdev commented 7 years ago

Hi @lolmaus, thanks for the request. When I've got some time I'll have a look and see how/if this is possible. Could you let me know how you imagine the command to look ideally?

lolmaus commented 7 years ago

I think we need a browser console command to serialize the ESA cookie, so that it can be copied into clipboard and passed into StaticBoot via terminal. StaticBoot would then deserialize it using the matching algorithm.

Example:

JSON.stringify(unescape(document.cookie))

Then I can copy some of the cookies and pass them into StaticBoot as an argument:

ember b --cookies "ember_simple_auth-session={\"prop\": \"value\"}; FooBar=\"value\""

Or as an env var:

STATICBOOT_COOKIES="ember_simple_auth-session={\"prop\": \"value\"}; FooBar=\"value\"" ember b

This is merely my first idea, I'm not implying that this approach is the best.

lolmaus commented 7 years ago

I think that this implementation might not be enough for advanced use cases, e.g. different cookies for different endpoints.

But we have to start somewhere.

The problem with the env var approach is that the serialized cookie leaks into the distro. I tried deleting it, it works, but then the cookie is only available for the first StaticBoot pass.

lolmaus commented 7 years ago

Let me share my pain why I need this.

I'm retrieving star counts from GitHub. GitHub API is super greedy and allows only 60 requests per hour for anons. This means I can do as few as three builds per hour! :sob:

I had to subscribe to a VPN service and keep switching VPN countries as I code.

Authenticated requests are limited at 5000 per hour, which should be just enough. Also, switching users is simpler than switching IP addresses.

But I don't know how to pass credentials without them leaking into the build.

If you have an approach on your mind but lack time, please explain it here so that I can attempt a PR.

PS We could reorganize this issue to be more general rather than just cookies.

robwebdev commented 7 years ago

@lolmaus Have you looked at https://github.com/fivetanley/ember-cli-dotenv/ ?

I think this does what you need and would prefer to keep passing env vars out of staticboot as it is a different concern.

lolmaus commented 7 years ago

@robwebdev Yes, I started using it before submitting this issue.

The problem with it is that all env vars you use end up in the distro and can be scavenged by anyone. This is not acceptable for private keys and admin cookies.

I tried removing them manually with simple delete obj.prop. It works, but the second StaticBoot iteration does not receive env vars.
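
A check for the leak described in this comment (env vars ending up in the distro), as an added example that is not part of the thread or of ember-cli-staticboot: it searches built files for a secret's raw, JSON-escaped, HTML-escaped and percent-encoded forms and reports file and line without printing the value. The function names, the list of encodings and the sample files are assumptions constructed for illustration.

```javascript
// Added example: fail a build when a secret value shows up in the built files.
const htmlEscape = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');

// Forms a value can take once serialized into JS, JSON or HTML (assumed list).
function variants(secret) {
  const json = JSON.stringify(secret).slice(1, -1); // adds \" and \\ escapes
  return [...new Set([secret, json, htmlEscape(secret),
    encodeURIComponent(secret), encodeURIComponent(json)])];
}

// files: array of [path, text]; secrets: { NAME: value }.
// Returns [{ file, name, line }] and never echoes the secret itself.
function findLeaks(files, secrets) {
  const hits = [];
  for (const [file, text] of files) {
    for (const [name, value] of Object.entries(secrets)) {
      if (!value || value.length < 8) continue; // short values match noise
      const found = variants(value).map((v) => text.indexOf(v)).filter((i) => i !== -1);
      if (found.length === 0) continue;
      const at = Math.min(...found);
      hits.push({ file, name, line: text.slice(0, at).split('\n').length });
    }
  }
  return hits;
}

// Reads every file under dir as text; require is lazy so findLeaks has no deps.
function readTree(dir) {
  const fs = require('fs');
  const path = require('path');
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const p = path.join(dir, e.name);
    return e.isDirectory() ? readTree(p) : [[p, fs.readFileSync(p, 'utf8')]];
  });
}

// Constructed sample: a cookie string shaped like the one in the thread, one
// clean file, and one file carrying it inside percent-encoded JSON.
const SAMPLE_SECRETS = { STATICBOOT_COOKIES: 'ember_simple_auth-session={"prop": "value"}' };
const SAMPLE_FILES = [
  ['dist/assets/app.js', 'define("app/config", [], function () { return {}; });\n'],
  ['dist/index.html', '<html>\n<meta name="app/config/environment" content="' +
    encodeURIComponent(JSON.stringify({ cookies: SAMPLE_SECRETS.STATICBOOT_COOKIES })) +
    '">\n</html>\n'],
];

// Pipeline use (GITHUB_TOKEN is a hypothetical variable name):
//   const hits = findLeaks(readTree('dist'), { GITHUB_TOKEN: process.env.GITHUB_TOKEN });
//   if (hits.length) { console.error(hits); process.exit(1); }
```

A substring scan only catches the encodings listed in `variants`; a value that is hashed, split or compressed during the build would pass unnoticed.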

robwebdev commented 7 years ago

Sorry @lolmaus I should have recapped on the issue before responding, you clearly stated that earlier.

I just had a quick look and it doesn't seem possible to extend the build command; doing so in this addon's index.js gives the following warning:

WARNING: An ember-addon has attempted to override the core command "build". The core command will be used.

This leads me to think an env var would be the only option. The place to pick up the env var would most likely be here: https://github.com/robwebdev/ember-cli-staticboot/blob/dfa5be892e4b66f9127042ebd41183e352362f96/lib/broccoli/staticboot.js#L42

lolmaus commented 7 years ago

I gave it another thought and I believe restoring the session in FastBoot should be tackled in Ember Simple Auth.

Please excuse me for this frustrating feature request. :innocent: