
Pass the cookie to /cgi/auth.pl #10140

Closed
g123k opened this issue Apr 16, 2024 · 4 comments · Fixed by #10146
Labels
🔐 API auth The API requires auth in order to perform editing.There is a common mechanism & a Robotoff mechanism 🔐 Auth ✨ Feature Features or enhancements to Open Food Facts server

Comments

@g123k
Collaborator

g123k commented Apr 16, 2024

Hi everyone,

Let me explain the issue first.
In the mobile app, we need to call the API to GET the knowledge panels for a product (e.g. https://world.openfoodfacts.org/api/v3/product/3017620422003?fields=knowledge_panels)

But more specifically, we want the other than the cookie of the response.
It appears that the only way to get this version is to pass a cookie in the headers.

However, the mobile app uses the /cgi/auth.pl route and in this route (contrary to /cgi/login.pl) the cookie is never passed.

So here, we have two solutions:

  • Pass a cookie to /cgi/auth.pl
  • Allow the product endpoint to be authenticated other than via a cookie
@github-project-automation github-project-automation bot moved this to To discuss and validate in 🍊 Open Food Facts Server issues Apr 16, 2024
@teolemon teolemon added 🔐 API auth The API requires auth in order to perform editing.There is a common mechanism & a Robotoff mechanism 🔐 Auth labels Apr 16, 2024
@teolemon teolemon added the ✨ Feature Features or enhancements to Open Food Facts server label Apr 16, 2024
@hangy
Member

hangy commented Apr 16, 2024

> However, the mobile app uses the /cgi/auth.pl route and in this route (contrary to /cgi/login.pl) the cookie is never passed.

I don't understand. Both URLs call `my $request_ref = ProductOpener::Display::init_request();`, which uses the session or user+password internally. Am I missing something, or should both URLs not behave the same way regarding that?

@g123k
Collaborator Author

g123k commented Apr 16, 2024

The only difference is about the response received:
/cgi/auth.pl doesn't contain any `Set-Cookie` header.

@monsieurtanuki
Contributor

More generally, this cookie issue is problematic for Smoothie as there are other actions that cannot be performed without a cookie.
For instance, if I want to delete my own account, it's not possible because I need to be logged in first, and I cannot pass my cookie for the additional "delete" action.
I know that for the "prices" API when we log in we can set a cookie (web version) OR retrieve a "bearer token" (API calls from flutter/dart for instance).
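The mechanics under discussion in the two comments above (a login-style response that issues a session cookie versus an auth-style response that only confirms credentials, and a client that must carry either a cookie or a bearer token into its next API call) can be shown with a small client-side helper. This is an added example and not Open Food Facts or Smoothie code; the header values, the cookie name `session` and the bearer token are constructed for illustration, and the cookie-attribute check is included because a session cookie a client is expected to store and replay should carry `HttpOnly`, `Secure` and `SameSite`.

```python
"""Added example (not Open Food Facts code): capture a session cookie from a
login-style response, check its hardening attributes, and build the headers
for a follow-up API call that authenticates by cookie or by bearer token."""
from http.cookies import SimpleCookie, Morsel
from typing import Dict, List, Optional, Sequence, Tuple

Headers = Sequence[Tuple[str, str]]

# Constructed sample responses. The first behaves like a login endpoint that
# starts a session; the second like an endpoint that validates credentials
# but returns no Set-Cookie, which is the situation described in the issue.
LOGIN_STYLE_HEADERS: Headers = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]
AUTH_STYLE_HEADERS: Headers = [
    ("Content-Type", "application/json"),
]

SESSION_COOKIE_NAME = "session"  # assumed cookie name, not the server's real one


def extract_session_cookie(headers: Headers, name: str = SESSION_COOKIE_NAME) -> Optional[Morsel]:
    """Return the Morsel for `name` from any Set-Cookie header, or None if absent."""
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        if name in jar:
            return jar[name]
    return None


def cookie_security_findings(morsel: Morsel) -> List[str]:
    """List the hardening attributes missing from a session cookie.

    SimpleCookie stores boolean flags as True when present and "" otherwise,
    and SameSite as its value ("Lax", "Strict", "None") or "".
    """
    findings = []
    if not morsel["httponly"]:
        findings.append("missing HttpOnly")
    if not morsel["secure"]:
        findings.append("missing Secure")
    if not morsel["samesite"]:
        findings.append("missing SameSite")
    return findings


def build_request_headers(session_cookie: Optional[Morsel] = None,
                          bearer_token: Optional[str] = None) -> Dict[str, str]:
    """Headers for the next API call.

    Exactly one credential is forwarded: the session cookie (web-style) or a
    bearer token (API-style, as the comment describes for the prices API).
    Raw user+password are deliberately not resent on every request.
    """
    if session_cookie is not None:
        return {"Cookie": f"{session_cookie.key}={session_cookie.value}"}
    if bearer_token:
        return {"Authorization": f"Bearer {bearer_token}"}
    raise ValueError("no credential available to carry into the next request")


def authenticated_call_possible(headers: Headers) -> bool:
    """True only if the response gave the client a session cookie to replay."""
    return extract_session_cookie(headers) is not None


if __name__ == "__main__":
    for label, hdrs in (("login-style", LOGIN_STYLE_HEADERS), ("auth-style", AUTH_STYLE_HEADERS)):
        morsel = extract_session_cookie(hdrs)
        if morsel is None:
            print(f"{label}: no session cookie, next call cannot be authenticated by cookie")
        else:
            print(f"{label}: cookie ok, findings={cookie_security_findings(morsel)}, "
                  f"next headers={build_request_headers(session_cookie=morsel)}")
```

Run stand-alone it reports that the login-style response yields a replayable cookie with no findings, while the auth-style response leaves the client with nothing to forward; a cookie set without `HttpOnly`, `Secure` or `SameSite` is flagged so the app can surface it rather than silently store it.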

@hangy
Member

hangy commented Apr 18, 2024

> For instance, if I want to delete my own account, it's not possible because I need to be logged in first, and I cannot pass my cookie for the additional "delete" action.

Does it have to be done from the app? When moving to Keycloak, we'd probably have to limit that to specific scopes to avoid abuse by other people's apps. I'd rather prefer user deletion to be done from Keycloak in most cases. cc @john-gom

> I know that for the "prices" API when we log in we can set a cookie (web version) OR retrieve a "bearer token" (API calls from flutter/dart for instance).

See #9251 for our progress on OIDC auth (with the help of Keycloak).
