
I have a tricky scenario here and I have not been able to find the solution by myself yet. This works perfectly in production (no ngrok).

Here is the setup.

  • Rails API (6.1.6)
  • 2 engines mounted via subdomain
    1. Main API - MainAPI -> api.lvh.me:3003
    2. Temp front for users - TempFront -> temp.lvh.me:3003 (will be removed in a couple of months)

On the TempFront, I've set up what's missing from a Rails API to be able to have a front available. Everything works fine except the omniauth redirection. I've tracked the error down to WardenManager#call.

After the redirection, the session is not stored. I've obviously skipped protect_from_forgery on the callback method based on the FAQ, but it is still not working.

Flash messages are not shared either. I thought it might be linked to the same issue. I'm pretty sure it is coming from my custom configuration somewhere, but I cannot find exactly where.

Locally I'm using ngrok to receive the callback. The URL is api.ngrok.my-domain.com (which does not match *.lvh.me but directs to the correct engine, MainAPI).

After a manual sign_in(@user, event: :authentication), there is a correct session key warden.user.v1_user.key with value [user_id]. This is the correct behaviour. This same key disappears after the redirect.

Here is the initializer I've set in temp_front/lib/temp_front/engine.rb:

require 'webpacker'

module TempFront
  ##
  # Engine initializers
  class Engine < ::Rails::Engine
    isolate_namespace TempFront

    initializer 'webpacker.proxy' do |app|
      insert_middleware =
          begin
            TempFront.webpacker.config.dev_server.present?
          rescue StandardError
            nil
          end
      next unless insert_middleware

      app.middleware.insert_before(
          0, Rails::VERSION::MAJOR >= 5 ?
                 Webpacker::DevServerProxy : 'Webpacker::DevServerProxy',
          ssl_verify_none: true,
          webpacker: TempFront.webpacker
      )
    end

    initializer 'use action cookies and dispatch flash' do |app|
      app.config.session_store :cookie_store, { key: '_my_app', domain: :all }
      app.config.middleware.insert_before(Warden::Manager, ActionDispatch::Cookies)
      app.config.middleware.insert_after(ActionDispatch::Cookies, ActionDispatch::Session::CookieStore,
                                     opts)
      app.config.middleware.insert_after(ActionDispatch::Session::CookieStore, ActionDispatch::Flash)
      # https://guides.rubyonrails.org/configuring.html#configuring-middleware
      # Rack::MethodOverride allows the method to be overridden
      # if params[:_method] is set.
      # This is the middleware which supports
      # the PATCH, PUT, and DELETE HTTP method types.
      app.config.middleware.use Rack::MethodOverride
    end
  end
end

Here is my callback controller:

module MainAPI
  class OmniauthCallbacksController < Devise::OmniauthCallbacksController

    before_action :some_callbacks_to_handle_data

    def facebook
      sign_in @user, event: :authentication
      flash[:notice] = 'You have done it!'
      redirect_to mod_temp_front_engine.profile_url(subdomain: 'temp')
    end
  end
end

Does anybody have another idea to fix that?

brcebn
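Added example, not part of the original question or of the project's code: a check of which of the hosts named in the question would share the `_my_app` session cookie under RFC 6265 domain matching. It assumes `domain: :all` resolves to the last two labels of the host that set the cookie, which is a simplification of Rails' behaviour; `all_domain_for`, `domain_match?` and `session_cookie_sent?` are hypothetical helper names.

```ruby
# Added illustration; helper names are hypothetical, hosts come from the question.

# RFC 6265 section 5.1.3 domain-match: would a browser attach a cookie scoped to
# cookie_domain to a request for request_host?
def domain_match?(request_host, cookie_domain)
  host = request_host.downcase
  dom  = cookie_domain.downcase.sub(/\A\./, '') # a leading dot is ignored
  return true if host == dom
  return false if host.match?(/\A[\d.]+\z/)     # IP literals only match exactly
  host.end_with?(".#{dom}")                     # must be a suffix on a label boundary
end

# Assumption: simplified stand-in for `domain: :all`, keeping the last
# (tld_length + 1) labels of the host that sets the cookie.
def all_domain_for(host, tld_length = 1)
  ".#{host.split('.').last(tld_length + 1).join('.')}"
end

# Is a session cookie set by a response from `set_by` sent along with a later
# request to `requested`?
def session_cookie_sent?(set_by:, requested:)
  domain_match?(requested, all_domain_for(set_by))
end

CALLBACK_HOSTS = ['api.lvh.me', 'api.ngrok.my-domain.com'].freeze
REDIRECT_HOST  = 'temp.lvh.me'

if __FILE__ == $PROGRAM_NAME
  CALLBACK_HOSTS.each do |host|
    sent = session_cookie_sent?(set_by: host, requested: REDIRECT_HOST)
    puts format('set on %-26s Domain=%-15s sent to %s: %s',
                host, all_domain_for(host), REDIRECT_HOST, sent)
  end
end
```

Under these assumptions, a session written while handling the callback on the ngrok host is scoped to a different parent domain than the one the redirect targets, so the browser does not attach it there.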