send uppyAuthToken via wss #4110
Conversation
… when plugins authenticate via companion on mobile devices
S0c5
force-pushed
the
fix/send-uppy-auth-token-via-wss
branch
from
de8a938
to
d11dab1
Compare
There was a problem hiding this comment.
Hi and thanks for attempting to fix this!
I think your PR contains some unrelated changes that should be removed.
Also I'm not sure I understand why it doesn't work currently. Is it because on Android window.opener is undefined?
I think also some tests broke (hang forever)
| enableGlobalCache: false | ||
|
|
||
| initScope: uppy | ||
|
|
||
| enableGlobalCache: false | ||
| nodeLinker: node-modules | ||
|
|
||
| plugins: | ||
| - path: .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs | ||
| spec: "@yarnpkg/plugin-workspace-tools" | ||
| - path: .yarn/plugins/@yarnpkg/plugin-version.cjs | ||
| spec: "@yarnpkg/plugin-version" | ||
|
|
||
| yarnPath: .yarn/releases/yarn-3.2.1.cjs |
| @@ -17,7 +18,7 @@ const htmlContent = (token, origin) => { | |||
| <head> | |||
| <meta charset="utf-8" /> | |||
| <script> | |||
| window.opener.postMessage(${serialize({ token })}, ${serialize(origin)}) | |||
| if (window.opener) window.opener.postMessage(${serialize({ token })}, ${serialize(origin)}) | |||
There was a problem hiding this comment.
given that window.opener is null, next line is not executed when window.close.
There was a problem hiding this comment.
According to https://developer.mozilla.org/en-US/docs/Web/API/Window/opener:
In the following cases, the browser does not populate window.opener, but leaves it null:
- The opener can be omitted by specifying rel=noopener on a link, or passing noopener in the windowFeatures parameter.
- Windows opened because of links with a target of _blank don't get an opener, unless explicitly requested with rel=opener.
- Having a Cross-Origin-Opener-Policy header with a value of same-origin prevents setting opener. Since the new window is loaded in a different browsing context, it won't have a reference to the opening window.
Writing the code in order that it doesn't crash when window.opener === null is definitely worth it 👍
There was a problem hiding this comment.
I vaguely remember the discussion around the reason for not checking window.opener before calling it. IIRC the reason was that it is better that the page crashes with an error message in the browser console than having it just close the page without any error or anything happening. I think if we add this check we will not why it's not working if this happens again in the future.
| @@ -11,7 +11,7 @@ let emitter | |||
| module.exports = (redisUrl, redisPubSubScope) => { | |||
| if (!emitter) { | |||
| emitter = redisUrl ? redisEmitter(redisUrl, redisPubSubScope) : nodeEmitter() | |||
| Object.assign(emitter, { __TEST__: Math.random() }) | |||
| <!DOCTYPE html> | ||
| <html> | ||
| <head> | ||
| <meta charset="utf-8" /> | ||
| <script> | ||
| window.opener.postMessage({"token":"${token}"}, "http:\\u002F\\u002Flocalhost:3020") | ||
| if (window.opener) window.opener.postMessage({"token":"${token}"}, "http:\\u002F\\u002Flocalhost:3020") |
| @@ -3,6 +3,8 @@ module.exports = () => { | |||
| generateState: () => 'some-cool-nice-encrytpion', | |||
| addToState: () => 'some-cool-nice-encrytpion', | |||
| getFromState: (state, key) => { | |||
| if (key === 'callbackToken') return 'client-token' | |||
There was a problem hiding this comment.
I can remove that, I was reading the code and adding a few lines to test how that mocks works.
| @@ -255,26 +256,30 @@ export default class ProviderView extends View { | |||
| // Check if it's a string before doing the JSON.parse to maintain support | |||
| // for older Companion versions that used object references | |||
| const data = typeof e.data === 'string' ? JSON.parse(e.data) : e.data | |||
| window.removeEventListener('message', handlePostMessageToken) | |||
| handleToken(data) | |||
There was a problem hiding this comment.
not sure what's happening here, care to explain with a comment?
| @@ -34991,7 +34992,7 @@ hexo-filter-github-emojis@arturi/hexo-filter-github-emojis: | |||
|
|
|||
| "typescript@patch:typescript@*#~builtin<compat/typescript>, typescript@patch:typescript@^4.0.3#~builtin<compat/typescript>, typescript@patch:typescript@^4.6.2#~builtin<compat/typescript>, typescript@patch:typescript@~4.8#~builtin<compat/typescript>": | |||
| version: 4.8.2 | |||
| resolution: "typescript@patch:typescript@npm%3A4.8.2#~builtin<compat/typescript>::version=4.8.2&hash=f456af" | |||
| resolution: "typescript@patch:typescript@npm%3A4.8.2#~builtin<compat/typescript>::version=4.8.2&hash=7ad353" | |||
There was a problem hiding this comment.
what's the purpose of this change?
|
After digging and thinking some more, I think I understand the problem here: In the normal auth flow with Uppy:
However in the case of Instagram, it's a bit different:
With your PR it will instead do this:
Is my understanding correct? If so, maybe it would make sense to completely remove the whole |
|
here are GPT's thoughts on handling the Instagram auth token problem: https://chat.openai.com/share/ac97acff-bfab-49c3-8997-e9d6a111bdc2 |
Hello guys!
This PR solves #4107,
when users have Instagram installed on android and get redirected to authorize, the app is opened and after this, the app opens the browser to the authorization url, it provokes a lost of context for window.opener, meaning that the token is not sent to the client via postMessage
this PR sends the uppyAuthToken via WSS using a token reference for wss.
It was tested locally and added the tests to callbac.js in the companion package.