Open larrysalibra opened 3 years ago
I spent a couple hours taking a look at this today.
@wileyj writes:
Pretty sure the issue is here: https://github.com/blockstack/omniauth-blockstack/blob/master/lib/omniauth/strategies/blockstack.rb#L39-L42
One issue is here. What's supposed to happen is when /auth/blockstack?manifest=true is fetched by the authenticator, the manifest json is returned. It appears discourse changed behavior such that it instead returns an HTML page with a button the user has to click on before the JSON is returned by the omniauth strategy. I imagine this has something to do with the discourse folks trying to address cross-site scripting, but it breaks our authentication flow.
One short-term way to work around this is to put the discourse installation behind a proxy and intercept requests to /auth/blockstack?manifest=true and return the manifest json.
A longer term solution would be really digging into the internals of discourse to figure out a better way to do this - there might not be a way to do it in a supported fashion.
A second issue was reported by @tvr132b here: https://github.com/blockstack/blockstack.org/issues/1159#issue-687503148
This issue is with the content security policy added by discourse. You need to disable the included content security policy on discourse or add the unsafe-inline keyword (unclear how to do this on discourse in a supported way).
hmm, the proxy idea might be the path of least resistance here.
I think we can give it a shot, and see if it works
Cool! Let me know how it works!
This plugin is broken in recent versions (true as of 2.5.6) of discourse.
The Stacks Foundation is looking for help with updating the plugin. (https://github.com/stacksgov/Stacks-Grants/issues/29)
Related issues/info:
https://github.com/blockstack/blockstack.org/issues/392
https://github.com/blockstack/blockstack.org/issues/1159
https://github.com/blockstack/omniauth-blockstack/blob/master/lib/omniauth/strategies/blockstack.rb#L39-L42
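
The proxy workaround discussed in the thread, sketched as a Rack middleware that answers only the exact GET /auth/blockstack?manifest=true request with a fixed JSON body and passes every other request through unchanged. This is an added example, not code from omniauth-blockstack or discourse; the class name `BlockstackManifestShim`, the manifest values and the CORS header are assumptions.

```ruby
require "json"
require "uri"

# Hypothetical Rack middleware; class name, manifest values and CORS header are assumptions.
class BlockstackManifestShim
  MANIFEST_PATH = "/auth/blockstack"

  def initialize(app, manifest)
    @app = app
    # Serialized once: the body is a fixed string, never built from request data.
    @body = JSON.generate(manifest).freeze
  end

  def call(env)
    return @app.call(env) unless manifest_request?(env)

    headers = {
      "Content-Type" => "application/json",
      "Content-Length" => @body.bytesize.to_s,
      # Assumption: the authenticator fetches the manifest cross-origin.
      "Access-Control-Allow-Origin" => "*"
    }
    [200, headers, [@body]]
  end

  private

  # Match only GET /auth/blockstack with exactly one parameter, manifest=true.
  def manifest_request?(env)
    return false unless env["REQUEST_METHOD"] == "GET"
    return false unless env["PATH_INFO"] == MANIFEST_PATH

    URI.decode_www_form(env["QUERY_STRING"].to_s) == [["manifest", "true"]]
  rescue ArgumentError
    false # malformed percent-encoding: let the app handle it
  end
end

# Constructed stand-in for the discourse app and constructed placeholder manifest.
DOWNSTREAM = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<html>confirm</html>"]] }
SAMPLE_MANIFEST = { "name" => "Example Forum", "start_url" => "https://forum.example.com" }.freeze
SHIM = BlockstackManifestShim.new(DOWNSTREAM, SAMPLE_MANIFEST)

def sample_request(method, path, query)
  SHIM.call({ "REQUEST_METHOD" => method, "PATH_INFO" => path, "QUERY_STRING" => query })
end

status, headers, _body = sample_request("GET", "/auth/blockstack", "manifest=true")
puts "#{status} #{headers['Content-Type']}"
```

Keeping the match this narrow means the login request itself, and any variation on the manifest URL, still reaches the application and gets whatever handling it applies.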