if you tried to install - pls share your pain

[umputun]

As we installed remark42 on https://radio-t.com and https://remark42.com/demo/ we had no significant issues, and I even tried to use our readme instruction for this procedure. However, my experience is not really typical and some steps may not be as clear to others as it obvious to authors.

If you installed remark42 or at least tried to install - pls share what was not clear and how we can improve the procedure and documentation.

[Menelion]

As always, my cry will be about Windows (and with no Docker available).
The Go app itself was built without a hitch, thank you!
Then I installed NPM dependencies, built everything, ran app.exe, went to localhost:8080 and got 404. OK then, I re-read the docs and found out that the default folder is web. I went to localhost:8080/web and got the index of my web directory. Then I tried localhost:8080/web/public - and got a 404 again.
This is it so far. The only thing I can fairly run is localhost:8080/web/public/iframe.html, for some reason.
What am I missing?

[umputun]

@Menelion I've never planned this thing to be used outside of Docker container and have not prepared install or instruction for this case. Probably it is possible and not even too hard, but I don't get why? Can you just install docker on your win box?

[igoradamenko]

@Menelion, I can't talk about all application, but if you want to develop or test frontend part, you should try this section of readme: https://github.com/umputun/remark#frontend

I don't know what app.exe is, but you can run frontend part without Docker. Just go to ./web inside your terminal, run npm install and then npm start. After that you will be able to test frontend part on localhost:8080/dev.html. So, frontend part has its own dev-server which does not need Docker.

But be careful, we don't have any mocks right now, and because of CORS you can't do any PUT or POST there.

[Menelion]

@umputun, I'll try but I haven't gotten any positive responses about Docker accessibility-wise so far. Probably (as with Remark42), if no one did it before, I should try and assemble an accessible Docker box myself :).
@igoradamenko, app.exe is what you get if you run go build on Windows, the main back-end file.

[umputun]

@Menelion to make sure your backend up and running you can try localhost:8080/ping or something more meaningful like localhost:8080/api/v1/config. Take a look at readme (API section) and some examples in remark.rest file.

[Menelion]

@umputun, it is running indeed:

{"version":"unknown","edit_duration":300,"max_comment_size":2048,"admins":null,"auth_providers":[]}

however, localhost:8080/index.html gives me a 404.

[umputun]

@Menelion this is because of there no such thing. All web parts are under /web, but as you can see here there is no index.html. I'm not sure what you expected, but if the goal was to see how static files served, you can hit localhost:8080/web/privacy.html

[Guria]

@umputun It is a good idea to serve index.html with further instructions to integrate on website

[Menelion]

Decided not to open a separate issue for that.
I tried setting up a development environment for frontent. Everything was OK a week ago or so, but now whenever I try to authenticate using Github or Google, I get the following:

{"details":"failed to get jwt","error":"jwt cookie was not presented: http: named cookie not present"}

Any help is highly appreciated.
Thanks!

[umputun]

How exactly are you trying to work with google/github? Did you create your own oauth2 setups for them? Anyway, this is not needed for development setup as it has local oauth2 provider, defined in compose-dev-frontened.yml. If you run docker-compose -f compose-dev-frontend.yml up it will start backend without google/github/facebook auth, but with "Dev" provider only.

[Menelion]

@umputun, since I was planning to tweak only frontent, I did npm install && npm start, so it would run against demo.remark42.com. Everything used to work as expected, but now it throws at me this message related to JWT. Thanks!

[umputun]

This is probably CORS related. I have restored headers we used to have, give it another try.

Also, take a look on README section about local dev setup for the frontend. Having your local backend for such a setup is really handy. Demo site is not a playground/sandbox for development.

[Guria]

@Menelion README has pretty clear statement about it:

By visiting 127.0.0.1:9000/web you will get a page with main comments widget. communicating with demo server backend running on https://demo.remark42.com. But you will not be able to login with any oauth providers due to security reasons.

[Menelion]

@Guria oh, sorry about that, I should have missed the last part of the sentence in there :).

[urmaul]

Installed server side. Everything is fine except stupid me provided REMARK_URL in quotes. Server throws an error: Invalid remark url "https://...". And quotes looks like a part of error template.

Trying to setup client side. Widget works, I'm able to login but when I'm trying to post a comment, I see an error: {"details":"can't save comment","error":"site \"urmaul.com\" not found"}

Couldn't find information on how to add a site-id to server in README.

[umputun]

this is SITE env in compose.

The info included in https://github.com/umputun/remark#parameters

[urmaul]

Ok, see it. Maybe it's worth adding it to docker-compose.yml template since it's kinda required.

[umputun]

it is required only in case you switch to non-default SITE as by default it has "remark" value. @Guria - I think widget uses the same default, is it correct?

[urmaul]

Readme proposes YOUR_SITE_ID: https://github.com/umputun/remark#setup-on-your-website

[umputun]

@urmaul added to README (compose example) - https://github.com/umputun/remark#required-parameters

[seqizz]

First of all, thanks for the app.

Here is a small point I've seen: I have 2 blogs I'd like to use remark. Tried using same domain (and effectively same DB) since it has multiple SITE support. Then privacy badger kicked in and didn't load a script from an external website, even though it's over https. Currently running 2 services for both websites. I don't think there is an easy way to solve this (maybe I need some special HTTP headers on the single domain so browsers/extensions would know that it's allowed) so here is my systemd service template (which is at /etc/systemd/system/remark@.service):

[Unit]                                                                                                                                                                      Description=Remark comment engine for %i
After=network.target

[Service]
User=remark
Group=remark
EnvironmentFile=/www/remark/remark-ENV-%I
WorkingDirectory=/www/remark
Restart=always
RestartSec=5
ExecStart=/www/remark/remark server

[Install]
WantedBy=multi-user.target

So I have two different ENV files for my each website and I'm can use systemctl start/enable/etc.. remark@example1.com.

[umputun]

@seqizz thx for sharing. I think, running the reverse proxy, like nginx, in front of remark42 may help in your case. In fact, I use shared remark42 instance (container) for 3 sites - radio-t.com, pirates.radio-t.com and news.radio-t.com. Remark42 system runs as remark42.radio-t.com for all of them.

[seqizz]

@umputun it's already reverse proxied, but I guess it's OK in your case since imports from the same root domain (radio-t.com) considered safe :thinking: Anyway, it's not an issue. Thx again :slightly_smiling_face:

[umputun]

I think if the reverse proxy on example.com handles remark42 call as remark42.example.com you should have the same root domain too, regardless what the real domain was proxied to.

i.e. smth like this:

server {
    listen      443;
    server_name remark42.example.com;

    ssl    on;
    ssl_certificate        /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key    /etc/nginx/ssl/example.com.key;

    gzip on;
    gzip_types text/plain application/json text/css application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;
    gzip_min_length 1000;
    gzip_proxied any;

    location /index.html {
         proxy_redirect              off;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header        Host $http_host;
         proxy_pass                   http://remark42.anotherdomain.com/web/index.html;
     }

    location / {
         proxy_redirect              off;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header        Host $http_host;
         proxy_pass                   http://remark42.anotherdomain.com/;
    }
}

Anyway, it's not an issue. Thx again

sure, yw.

[seqizz]

Aha! That's a clever idea. Don't want to turn here to IRC, so I just want to note this: Just tried that method and realized the issue is not displaying comments, it's getting the tokens. Eventually callback URL is handing the cookies from different domain and this makes to not authenticate unless explicitly allowing the domain on privacy extension. :v:

[mfioretti]

Greetings,

I have several static blogs managed with hugo and nginx, each on its subdomain:

work.example.com hobby.example.com etc...

and want to have coments on them. I have already installed and started the remark42 container with the yml file below. The container is running and is accessible,because I do see the demo page at http://example.com:8080/web/ in my browser . However, after doing exactly what the install guide says at https://github.com/umputun/remark#setup-on-your-website,adding "<div id="remark"></div>" and then changing the parameters of the script as follows:

<script>
  var remark_config = {
    host: "http://example.com:8080", // hostname of remark server, same as REMARK_URL in backend config, e.g. "https://demo.remark42.com"
    site_id: 'remark',
    components: ['embed'] // optional param; which components to load. default to ["embed"]
                          // to load all components define components as ['embed', 'last-comments', 'counter']
                          // available component are:
                          //     - 'embed': basic comments widget
                          //     - 'last-comments': last comments widget, see `Last Comments` section below
                          //     - 'counter': counter widget, see `Counter` section below
    //url: 'PAGE_URL', // optional param; if it isn't defined window.location.href will be used
    max_shown_comments: 10, // optional param; if it isn't defined default value (15) will be used
    //theme: 'dark', // optional param; if it isn't defined default value ('light') will be used
    //page_title: 'Moving to Remark42' // optional param; if it isn't defined `document.title` will be used
  };

  (function(c) {
    for(var i = 0; i < c.length; i++){
      var d = document, s = d.createElement('script');
      s.src = remark_config.host + '/web/' +c[i] +'.js';
      s.defer = true;
      (d.head || d.body).appendChild(s);
    }
  })(remark_config.components || ['embed']);
</script>

I have one side question and one problem. The side question is.... "how can adding "<div id="remark"></div>" possibly work?" I mean how does the browser understand, by reading that div command, that it should execute the remark script? I confess I don't get it.

The problem is that the comment widget does NOT appear in the pages at all. From reading this thread I suspect that either I have to change the nginx configuration to use nginx as proxy, or have done something so dumb in the configuration I cannot see it myself... if Nginx needs reconfiguring, how should it be done? ANY help is appreciated, thanks.

The docker YML file: version: '2'

services: remark: build: . image: umputun/remark42:latest container_name: "remark42" hostname: "remark42" restart: always

    logging:
      driver: json-file
      options:
          max-size: "10m"
          max-file: "5"

    # uncomment to expose directly (no proxy)
    ports:
      - "8080:8080"

    environment:
        - REMARK_URL=http://example.com:8080
        - SECRET=secret string here
        - STORE_BOLT_PATH=/srv/var/db
        - BACKUP_PATH=/srv/var/backup
        - DEBUG=true
        - AUTH_GOOGLE_CID
        - AUTH_GOOGLE_CSEC
        - AUTH_GITHUB_CID
        - AUTH_GITHUB_CSEC
        - AUTH_FACEBOOK_CID
        - AUTH_FACEBOOK_CSEC
        - AUTH_DISQUS_CID
        - AUTH_DISQUS_CSEC
        - ADMIN_PASSWD=myadminpassword
        - ADMIN_SHARED_EMAIL=myemail@example.com
    volumes:
        - ./var:/srv/var

[umputun]

Hi. Do you see any errors in web console? If you do, pls share, can help to identify the root cause.

To me, compose looks legit and the only unusual thing is running remark42 directly, i.e. without proxy.

if Nginx needs reconfiguring, how should it be done?

see wiki, I just added an example of nginx reverse proxy.

@Reeywhaar - can you spot any problem with this configuration? I see no reason why it won't work directly, but maybe some iframe related issue because the site and iframe's content on different ports?

[umputun]

@mfioretti - not sure if helpful, but this is an example of my own static site with hugo, nginx-le and remark42 integerated.

[mfioretti]

Hello @umputun , and thanks for the prompt answer. Indeed, the firefox web console said that my test page had a syntax error at line 303 and the brace opened at line 293 was not closed. (compare the code below with the one in my previous comment...). After removing the comma after max_shown_comments: 10 and re-indenting the code as below for better readability, I reloaded the page and now:

• I do not get syntax errors anymore...
• but I get in the web console the error Remark42: Can't find root node.

may this be because I said "remark" in some places, and "remark42" in others? What now?

Thanks!

   293    var remark_config = {
   294      host: "http://example.com:8080", // hostname of remark server, same as REMARK_URL in backend config, e.g. "https://demo.remark42.com"
   295      site_id: 'remark',
   296      components: ['embed'],  // optional param; which components to load. default to ["embed"]
   297                              // to load all components define components as ['embed', 'last-comments', 'counter']
   298                              // available component are:
   299                              //     - 'embed': basic comments widget
   300                              //     - 'last-comments': last comments widget, see `Last Comments` section below
   301                              //     - 'counter': counter widget, see `Counter` section below
   302                              // url: 'PAGE_URL', // optional param; if it isn't defined window.location.href will be used
   303      max_shown_comments: 10  // optional param; if it isn't defined default value (15) will be used
   304                              //theme: 'dark', // optional param; if it isn't defined default value ('light') will be used
   305                              //page_title: 'Moving to Remark42' // optional param; if it isn't defined `document.title` will be used
   306    };

[Reeywhaar]

"Remark42: Can't find root node." indicates that script cannot find <div id="remark"></div> you said above. Though correct id will be "remark42": <div id="remark42"></div>

[mfioretti]

"Remark42: Can't find root node." indicates that script cannot find <div id="remark"></div> you said above. Though correct id will be "remark42": <div id="remark42"></div>

Hello @Reeywhaar and @umputun . Thanks for this other pointer. Now the comments are working almost as I want, that is (configuration and comands used are at the bottom)

• The remark42 server running in a container, accessible from website visitors at http://example.com:8080
• NO auth system configured except anonymous and email auth, because I actually only want to provide those two options. I want no tracking from third parties, whoever they are.
• Comment section appearing where I want it to be in the page, as shown in the screenshot

It seems to me that all is missing is advice about:

• how to actually enable the email auth (which remark42 options, or other external settings am I missing?)
• general configuration, especially how to disable the demo page, and whether in general the configuration below is safe and could/should be hardened in any way

Thanks!!!

WORKING DOCKER FILE:

#> cat docker-compose.yml
version: '2'

services:
    remark:
        build: .
        image: umputun/remark42:latest
        container_name: "remark42"
        hostname: "remark42"
        restart: always

        logging:
          driver: json-file
          options:
              max-size: "10m"
              max-file: "5"

        # uncomment to expose directly (no proxy)
        ports:
          - "8080:8080"

        environment:
            - REMARK_URL=http://example.com:8080
            - SECRET=mysecretstring
            - STORE_BOLT_PATH=/srv/var/db
            - BACKUP_PATH=/srv/var/backup
            - DEBUG=true
            - AUTH_ANON=true
            - AUTH_EMAL_ENABLE=true
            #- AUTH_GOOGLE_CID
            #- AUTH_GOOGLE_CSEC
            #- AUTH_GITHUB_CID
            #- AUTH_GITHUB_CSEC
            #- AUTH_FACEBOOK_CID
            #- AUTH_FACEBOOK_CSEC
            #- AUTH_DISQUS_CID
            #- AUTH_DISQUS_CSEC
            - ADMIN_PASSWD=mypassword
            - ADMIN_SHARED_EMAIL=myemail
        volumes:
            - ./var:/srv/var

#> docker-compose pull && docker-compose up -d

At this point, demo page works OK at http://example.com:8080/web

REMARK42 script called from HTML template as:

<div><h4>TEST: Start comment area</h4></div>
 <div id="remark42"></div>
<div><h4>TEST: End comment area</h4></div>

The actual script:

<script>
  var remark_config = {
   host: "http://example.com:8080", // hostname of remark server, same as REMARK_URL in backend config, e.g. "https://demo.remark42.com"
   site_id: 'remark',
   components: ['embed'],  // optional param; which components to load. default to ["embed"]
                           // to load all components define components as ['embed', 'last-comments', 'counter']
                           // available component are:
                           //     - 'embed': basic comments widget
                           //     - 'last-comments': last comments widget, see `Last Comments` section below
                           //     - 'counter': counter widget, see `Counter` section below
                           // url: 'PAGE_URL', // optional param; if it isn't defined window.location.href will be used
    max_shown_comments: 10 // optional param; if it isn't defined default value (15) will be used
                           //theme: 'dark', // optional param; if it isn't defined default value ('light') will be used
                           //page_title: 'Moving to Remark42' // optional param; if it isn't defined `document.title` will be used
   };

  (function(c) {
    for(var i = 0; i < c.length; i++){
      var d = document, s = d.createElement('script');
      s.src = remark_config.host + '/web/' +c[i] +'.js';
      s.defer = true;
      (d.head || d.body).appendChild(s);
    }
  })(remark_config.components || ['embed']);
</script>

[Reeywhaar]

You have typo AUTH_EMAL_ENABLE=true should be AUTH_EMAIL_ENABLE=true, though it will make email auth appear in list of login providers, to actually make it work you must provide other necessary credentials. Search readme for AUTH_EMAIL

As for hiding demo page, there is no option for this right now, though it can be discussed. What the reason for this? @umputun what do you think?

[mfioretti]

You have typo AUTH_EMAL_ENABLE=true should be AUTH_EMAIL_ENABLE=true

Of course! Sorry! Today is "typo day" for me,really. Thanks for spotting it. I will study the other parameters to make everything work later. About the reason to hide the demo page: it seems to me that everybody knowing how remark42 work can go directly to the /web/ URL and fill bogus comments. Why accept them? Once a demo is not needed, why keep it running? Less load on server and admin, and less risks too maybe, if it is turned off. No?

[umputun]

I think in most cases remark42 runs behind some proxy and demo is not exposed unless proxied explicitly. In addition (and @Reeywhaar correct if I'm mistaken) demo works with default site only, i.e. only in case if the user didn't define his own SITE or used the default value.

@mfioretti - demo presence doesn't generate any load by itself, it just one more "post" with comments.

[umputun]

Thx for the report. Probably this is not relevant for you as you are going to use something else but maybe others will find some answers useful:

The secret. First, I had no idea what it was or why it was needed

The secret needed for 2 things: make authenticated user unique for your particular install (no other user's token can be accepted if they made for other system or just faked) and encrypt things related to user's privacy, like source emails and so on. The secret can be any string and, depends on how the user runs it, may be needed to have quotes that are not really specific to remark42, but rather to the os/docker. There is no security risk in making this string a long alphanumeric, in this case, no quotation needed.

SSL was a pain.

By default SSL not even served by remark42, but supposed to be handled (terminated) downstream (i.e. proxy, like nginx or apache). Nothing specific to remark42 in this configuration - whatever works for the user as a webserver/proxy should be fine with remark42. In case, if remark42 exposed directly (not behind the proxy) it supports user-defined SSL which can be set with SSL_TYPE=static and SSL_KEY / SSL_CERT. In addition, it may use fully automatic (lets encrypt) SSL certificates if SSL_TYPE set to auto

The installation command actually runs it. In the SSH session. So you have to keep it running in order to use it.

This system is self-hosted and works as some sort of "client-server". Client is UI/Web part, the and server has to be activated to respond to UI requests. So, yes - in order to use this system user expected to actually run it. Running the system with or without docker should be easy enough because in a docker-less way all it has is a single binary with no external dependencies.

setting up the oauth clients that you have to setup before installing for some reason?

Oauth setup needed only in case if user want to allow social login via third-party providers like twitter, google, facebook and so on. This is not a requirement and it is possible to use remark42 with anonymous access only or with email authentication. In other words - there is no need to setup oauth providers if the user doesn't need such social logins.

I do realize - non-trivial setup can be challenging. I have a ticket for better documentation and started to collect useful snippets on info in the docs directory.

[umputun]

that's a major difference from other solution where you only need to add a div and a script.

As far as I can judge - this is a little bit fictional simplification. Sure, to run php based system users don't need to run anything "manually" but have the ability to execute arbitrary php script. However, it doesn't mean "only need to add a div and a script", it also needs to have the ability to execute php scripts. None of my personal sites can do it as all of them are static (generated) htmls. Generally speaking, any self-hosted commenting system has to be "executable" in some form. This can be achieved as a bunch of php script (executed by php engine), like in the example you provided, or as a truly executable binary (or via docker), as remark42 does, providing an API for web ui.

Regarding oauth2 and setup via some nice panel - I'm not sure if this even possible to set up such auth via API and, in other words, to wrap oauth setup with remark's dashboard. Maybe it is, not sure. I'll make a ticket about it.

[Flameborn]

Hello,

I have just installed Remark42 on a Raspberry Pi via Go and Node, copying the contents of the public directory to ./web, as it is the default web root. Thus, I have a working comments.domain1.com site with a demo page under /web. I've also enabled everything except Yandex and anonymous mode (not sure about the spam I would receive via the latter). I am able to sign in. Remark42 is proxied via Caddy, from port 8081.

On a second site (domain2.com), I am running Hugo via Caddy, embedding the comments iframe on every post page (via the site ID domain2), as per the instructions in README.md.

Unfortunately, I am unable to sign in, I am just returned to the sign in section.

In debug mode, Remark42 prints this right after a GET request to the /auth/method/callback:

[DEBUG] {middleware/auth.go:69 middleware.(*Authenticator).auth.func1} auth failed, can't get token: token cookie was not presented: http: named cookie not present

When opening the page, the console has the following:

[Error] You are currently using minified code outside of NODE_ENV === "production". This means that you are running a slower development build of Redux. You can use loose-envify (https://github.com/zertosh/loose-envify) for browserify or setting mode to production in webpack (https://webpack.js.org/concepts/mode/) to ensure you have the correct code for your production build.

https://comments.domain1.com/api/v1/user?site=domain2
[Error] Failed to load resource: the server responded with a status of 401 () (user, line 0)

The issue is via Safari under MacOS.

Via Brave, things are a bit better, as I am told to enable third-party cookies, or sign in via a new window.

Is there anything we could do to make this sign-in experience a bit better, or at least, have the same warning for Safari as well?

[umputun]

I'm not sure I got it, are you trying to embed comments widget on domain2.com pointing to comments.domain1.com? I don't think there is any restriction on iframe level preventing it (or rejecting cookies), but @Reeywhaar this is your area, pls advise.

It is also unclear where public content from? Did you build a container and moved web from that container to your server manually?

[Flameborn]

Yes, that is how I am trying to do it. comments.domain1.com http://comments.domain1.com/ is a different server, and domain2.com http://domain2.com/ is likewise.

On the server of comments.domain1.com http://comments.domain.com/, I’ve ran an npm install, then an npm run build in the frontend directory, then copied everything from /public to backendRoot/web.

If I try to embed Remark on any site hosted on domain1.com http://domain1.com/, it seems to work as expected, but no go with domain2.com http://domain2.com/.

On 2019. Nov 21., at 8:37, Umputun notifications@github.com wrote:

I'm not sure I got it, are you trying to embed comments widget on domain2.com pointing to comments.domain1.com? I don't think there is any restriction on iframe level preventing it (or rejecting cookies), but @Reeywhaar https://github.com/Reeywhaar this is your area, pls advise.

It is also unclear where public content from? Did you build a container and moved web from that container to your server manually?

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/umputun/remark/issues/26?email_source=notifications&email_token=AAHLD4BRIDAI2OFFV55TCVLQUY3FJA5CNFSM4E7Y3HR2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEEZIOUQ#issuecomment-556959570, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAHLD4CT7QJWF5FM4JT3N2TQUY3FJANCNFSM4E7Y3HRQ.

[umputun]

Not sure if this way to prepare the frontend is the right one, will see what @Reeywhaar says. I would run docker build and copy from /srv/web, but maybe your way is fine too, no clue.

Running it cross-domain the only unusual part here. I do run some of my systems in similar ways, but they on different subdomains of the same domain, i.e. remark42.example.com serves comments for both site1.example.com and site2.example.com

[Reeywhaar]

@Flameborn can you please clarify domains? I see you have "domain.com", "domain2.com", "domain2.com".

But yes, generally speaking Safari denies setting cookie if iframe's domain appears to be third-party to container page's domain. It's Safari's issue and solution is user must turn off "prevent cross-site tracking", or not to use different domains. Strange thing is that remark haven't detected such thing and showed "Disable third-party cookies blocking to sign..."

[Flameborn]

Of course.

My Remark server is reachable via comments.domain1.com

I'd like to embed Remark on domain2.com, where I get the HTTP 401 error via the console, for https://comments.domain1.com/api/v1/user?site=domain2

In Brave and Chrome, I get a third-party cookie warning, and I can open Remark in a new window, however, this does not happen in Safari.

I was wondering if this sign-in experience could be improved, either by associating the HTTP token cookie with the domain Remark is embedded on, or having the same cookie warning via Safari as well. Ideally, it would be the best without third-party cookies, though I am not sure how this is done by other embeddable comment systems like Disqss.

[Reeywhaar]

Yeah, I've read that Disqus works without enabling third-party cookies. It says on page:

because those browsers consider our cookies to be "first-party" because they're used in a trusted way.

But what is this "trusted way" is unknown. Some hack?

The thing that Safari doesn't show message should be investigated.

[umputun]

it would be the best without third-party cookies

Theoretically, we can do it without cookies as our auth mechanics doesn't use cookies for sessions but as a transport/storage layer for JWT. It should be possible (with minor changes) to return a token on login request and make UI send it in each query as a header. However, this solution will open us to a bunch of potential vulnerabilities because we have to store the token somewhere. Currently, it stored in a server-only cookie and the frontend doesn't even have access to it. If we store it in localstore JS and any possible vulnerability may read and leak the token.

[umputun]

@Reeywhaar - maybe this is not such a bad idea to provide such a cookie-less auth as an option? If you think it worth the risk, the backend may (optionally) return the token as login's response and it will indicate for the frontend - "send it back on each request as JWT header`.

If you think it is ok idea we may discuss details on a separate ticket.

[Reeywhaar]

I think I should dig better what disqus does to make it work. First what I can suggest is that instead of opening auth window first we open clone of a page and then proceed auth, so it would seem as first party:

• User is on page domain2.com/post-with-comments with iframe embed comments.domain1.com/web/iframe.html?...
• User clicks auth with Twitter
• We open new window comments.domain1.com/web/iframe.html?auth-me-please-with=twitter
• Window we opened therefore opens another window with twitter auth (or navigates to).
• User authenticates.
• Twitter auth window closes.
• On comments.domain1.com/web/iframe.html?auth-me-please-with=twitter we wait for twitter window close (just as we do now). When it close we close comments.domain1.com/web/iframe.html?auth-me-please-with=twitter as now cookie should be set
• On domain2.com/post-with-comments iframe waits for comments.domain1.com/web/iframe.html?auth-me-please-with=twitter and then reloads.

Don't know yet if it would work. Also AFAIK Safari rules will be even tighter over time, and I think everything which works with third party domains eventually will be broken :-)

[umputun]

Don't know yet if it would work

Me neither, all yours ;) To me all of this sounds a little bit blurry as it looks like that trickery may help to write the auth cookie but I'm not sure if our problem is just writing. From the browser's point of view reading (and sending back) third-party could be the same privacy issue.

[Reeywhaar]

@Flameborn couple of questions:

• Is it right that right after auth the window with auth closes, or is there any message? Like "failed: can't get token"
• Is there something in server logs about xsrf mismatch?
• How do you embed comments into page, how do script looks? Is host there and is same as "REMARK_URL" on server?
• What version of Safari?

I've tried to reproduce in Safari (13.0.1) with "prevent cross-site tracking" on and was able to login just fine.

By the way it's better to add NODE_ENV=production before npm run build so you don't get warning.

And also you can add REMARK_URL=https://comments.domain1.com to hardcode url of remark server.

Resulting build command will be REMARK_URL=https://comments.domain1.com NODE_ENV=production npm run build

@umputun i've checked again what we can do to bypass third party blocking, and we can do nothing, AFAIK. LocalStorage wouldn't work as it gets wiped after page close in such case. Except I can obtain token cookie and store it on domain of a page which hosts iframe. Totally unsecure and complicated.

[umputun]

LocalStorage wouldn't work as it gets wiped after page close in such case.

Are you sure this is true for local storage and not for session storage? I have used this method once in a similar situation (for jwt but without iframe involved) and local storage was persistent.

[Reeywhaar]

Yes, it's either sandboxed or unavailable to prevent tracking:

Trying to find credible link: https://forums.developer.apple.com/thread/109909