sveltia / sveltia-cms

Alternative to Netlify/Decap CMS. Fast, lightweight, Git-based headless CMS. Modern UX, first-class i18n support, open source & free. Made with Svelte.
MIT License
727 stars 33 forks

Cannot Login: Authentication aborted #131

Closed jonnyowenpowell closed 2 months ago

jonnyowenpowell commented 2 months ago

Hi 👋

I was using Decap CMS and somewhat satisfied with the results. However, I felt it lacked polish, so I went looking for an alternative and found this project. It immediately worked locally (after I changed the backend from git-gateway to github and added the repo key) and is much more polished in my opinion; nice work!

However, upon deployment to production, I find that I cannot log in. The admin page loads fine, there are no console errors, CSP warnings, etc. When I click login, I immediately see 'Authentication aborted. Please try again.' and a corresponding 'Authentication aborted undefined' console error. The https://api.netlify.com/auth?provider=github&site_id=<my domain>&scope=repo%2Cuser page opens, with content 'Not found' and a 404 response code.

My backend configuration is the following:

backend:
  name: github
  repo: jonnyowenpowell/<my site repo>
  branch: main

The repository is private; I'm unsure if this matters, but I'm including it for completeness.

I have tried with and without the Netlify Identity widget loaded on the admin page. I have tried clearing my site data. I did not change any Netlify Identity settings when I switched from Decap CMS.

I cannot find any issues about this, so I assume I'm doing something wrong, but I'm not sure what.

Update:

I have resolved the 404 response from Netlify - I simply changed the backend from git-gateway to github and didn't stop to configure the backend according to Decap CMS documentation. Silly me! I now have a GitHub OAuth app set up, and get a nice 'Authenticated' message - but the site still displays the same 'Authentication aborted. Please try again.' message.

jonnyowenpowell commented 2 months ago

I have resolved this issue - and will close.

For anyone reading this, my issue was I had the Cross-Origin-Opener-Policy: same-origin header set. This is known to break OAuth flows as it severs the connection to the OAuth popup window. What I needed was Cross-Origin-Opener-Policy: same-origin and then everything worked.

I do have a small suggestion, which is to clarify in the documentation that using the GitHub backend is rather a different setup to the git-gateway backend and you will no longer be using Netlify Identity at all, but rather the Netlify OAuth flow.

One of my motivations for moving away from Decap CMS was to avoid the need for unsafe-eval in my CSP - it may be the same for others too. Such security-minded folk may also be setting the Cross-Origin-Opener-Policy: same-origin across their site - it might be worth including a note, even though it's not specific to Sveltia, that you will need to relax this to -allow-popups, at least for the CMS route, for the OAuth flow to work.
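
The header interaction described in the comment above, as an added example (not code from this thread or from Sveltia CMS): a simplified model of the browser's COOP check for a popup, used to audit a per-route header policy. The `/admin/` path, the `example.com` origin, and the assumption that the OAuth popup's responses carry no COOP header are illustrative.

```javascript
// Added example: simplified model of the HTML spec's COOP comparison for a
// popup opened with window.open(). Covers only unsafe-none, same-origin and
// same-origin-allow-popups; report-only and newer values are left out.
const COOP_HEADER = 'Cross-Origin-Opener-Policy';

// Two documents "match" when both are unsafe-none, or when they carry the
// same non-default value and share an origin.
function coopMatch(a, aOrigin, b, bOrigin) {
  if (a === 'unsafe-none' && b === 'unsafe-none') return true;
  if (a === 'unsafe-none' || b === 'unsafe-none') return false;
  return a === b && aOrigin === bOrigin;
}

// True when the popup stays in the opener's browsing context group, so
// window.opener and the message back to the CMS page keep working.
function popupKeepsOpener(opener, popup) {
  if (coopMatch(opener.coop, opener.origin, popup.coop, popup.origin)) return true;
  // Carve-out: a same-origin-allow-popups opener keeps popups that are unsafe-none.
  return opener.coop === 'same-origin-allow-popups' && popup.coop === 'unsafe-none';
}

// Hypothetical per-route policy: strict site-wide, relaxed only under the
// CMS route. '/admin/' is an assumed path.
function coopFor(pathname, cmsPrefix = '/admin/') {
  const isCms = pathname === cmsPrefix.slice(0, -1) || pathname.startsWith(cmsPrefix);
  return isCms ? 'same-origin-allow-popups' : 'same-origin';
}

// For each path, report the header the policy emits and whether an OAuth
// popup opened from that page could still reach its opener.
function auditRoutes(siteOrigin, paths, policy, oauthPopup) {
  return paths.map((path) => {
    const coop = policy(path);
    const works = popupKeepsOpener({ coop, origin: siteOrigin }, oauthPopup);
    return { path, header: `${COOP_HEADER}: ${coop}`, oauthPopupWorks: works };
  });
}

// Constructed sample input. Assumption: the provider's pages send no COOP
// header, which the browser treats as unsafe-none.
const OAUTH_POPUP = { coop: 'unsafe-none', origin: 'https://api.netlify.com' };
const SITE = 'https://example.com';

console.table(auditRoutes(SITE, ['/', '/blog/post/', '/admin/'], coopFor, OAUTH_POPUP));
```

Swapping `coopFor` for a function that always returns `same-origin` reproduces the failure reported here: every row, including the CMS route, shows `oauthPopupWorks: false`.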

kyoshino commented 2 months ago

Hey @jonnyowenpowell, welcome to Sveltia CMS, and glad you have solved the problem yourself! I have updated the README to briefly explain these issues. In a few months, I’ll prepare full documentation for Sveltia to make the migration easier. 😃