Cookies for auth

183 views
Skip to first unread message

David Evans

unread,
Jun 9, 2012, 1:58:41 PM6/9/12
to sha...@googlegroups.com
Has anyone had any luck accessing agent.headers.cookie in an auth function?

I'm fairly sure my cookie is set correctly for cross-domain to '.domain.com', it shows up in req.headers.cookie if I access a simple url using express. But doesn't seem to appear in either the agent or the request.

As a side note, there doesn't seem to be any way of sending extra headers over the browserchannel socket either. Looks like browserchannel supports setExtraHeaders() but it doesn't seem to be exposed/accessible from ShareJS. Seems like this would be a nice way to send something like an OAuth access token for auth purposes?

Dave

Collin Miller

unread,
Jun 9, 2012, 5:21:14 PM6/9/12
to sha...@googlegroups.com
I've had luck with this setting: ( Where server is the express server. )


server.all "/*", (req, res, next) ->
  res.setHeader("Access-Control-Allow-Origin", "*")
  res.setHeader("Access-Control-Allow-Credentials", "true")
  next()

Obviously I'm not recommending that you use "*" in these security related features.

David Evans

unread,
Jun 10, 2012, 5:50:29 AM6/10/12
to sha...@googlegroups.com
That doesn't seem to make any difference unfortunately, it looks like browserchannel doesn't set 'withCredentials' on the XHR so no cookies are sent.

Collin Miller

unread,
Jun 10, 2012, 12:26:59 PM6/10/12
to sha...@googlegroups.com
Alright, I poked around some sources and found:

This is the underlying xhr wrapper used by BrowserChannel: http://closure-library.googlecode.com/svn/docs/class_goog_net_XhrIo.html

The wrapper class has a setWithCredentials method.

This is where the BrowserChannel (that 'hasA' XhrIo) is created: https://github.com/josephg/node-browserchannel/blob/master/lib/bcsocket.coffee#L186

And this is where it's created in the ShareJS Connection class: https://github.com/josephg/ShareJS/blob/master/src/client/connection.coffee#L35

Hope this helps, but it does look like a patch to ShareJS and possible node-browserchannel are required.

Joseph Gentle

unread,
Jul 13, 2012, 10:59:19 PM7/13/12
to sha...@googlegroups.com
What changes need to be made to browserchannel?

-J

Collin Miller

unread,
Jul 14, 2012, 2:14:02 PM7/14/12
to sha...@googlegroups.com
I'm not 100% sure, but it looks like the method 'goog.net.BrowserChannel.createXhrIo' has to be overridden in a subclass of BrowserChannel.

'createXhrIo' returns a 'goog.net.XhrIo' object.

'goog.net.XhrIo' has a 'setWithCredentials' method that needs to be called with 'true' to get 'withCredentials' set on the DOM XMLHttpRequest object.

Does that sound reasonable?

David Evans

unread,
Jul 15, 2012, 4:31:05 AM7/15/12
to sha...@googlegroups.com
As an aside I ended up adding a setExtraHeaders method to browser channel.

https://github.com/daredevildave/node-browserchannel/commit/72d982ddabe6e29a84bfffb15359e934d9807fdf

I'm sending an Authorization header instead of using cookies.

On Saturday, 14 July 2012 03:59:19 UTC+1, Joseph Gentle wrote:
> What changes need to be made to browserchannel?
>
> -J
>
>

> On Mon, Jun 11, 2012 at 2:26 AM, Collin Miller wrote:
> > Alright, I poked around some sources and found:
> >
> > This is the underlying xhr wrapper used by BrowserChannel:
> > http://closure-library.googlecode.com/svn/docs/class_goog_net_XhrIo.html
> >
> > The wrapper class has a setWithCredentials method.
> >
> > This is where the BrowserChannel (that 'hasA' XhrIo) is created:
> > https://github.com/josephg/node-browserchannel/blob/master/lib/bcsocket.coffee#L186
> >
> > And this is where it's created in the ShareJS Connection class:
> > https://github.com/josephg/ShareJS/blob/master/src/client/connection.coffee#L35
> >
> > Hope this helps, but it does look like a patch to ShareJS and possible
> > node-browserchannel are required.
> >
> > On Sun, Jun 10, 2012 at 4:50 AM, David Evans wrote:
> >>
> >> That doesn't seem to make any difference unfortunately, it looks like
> >> browserchannel doesn't set 'withCredentials' on the XHR so no cookies are
> >> sent.
> >>
> >>
> >> On Saturday, 9 June 2012 22:21:14 UTC+1, Collin Miller wrote:
> >>>
> >>> I've had luck with this setting: ( Where server is the express server. )
> >>>
> >>>
> >>>> server.all "/*", (req, res, next) ->
> >>>> res.setHeader("Access-Control-Allow-Origin", "*")
> >>>> res.setHeader("Access-Control-Allow-Credentials", "true")
> >>>> next()
> >>>
> >>>
> >>> Obviously I'm not recommending that you use "*" in these security related
> >>> features.
> >>>
> >>>
> >>>
> >>> On Sat, Jun 9, 2012 at 12:58 PM, David Evans wrote:
> >>>
> >>>> Has anyone had any luck accessing agent.headers.cookie in an auth
> >>>> function?
> >>>>
> >>>> I'm fairly sure my cookie is set correctly for cross-domain to
> >>>> '.domain.com', it shows up in req.headers.cookie if I access a simple url
> >>>> using express. But doesn't seem to appear in either the agent or the
> >>>> request.
> >>>>
> >>>> As a side note, there doesn't seem to be any way of sending extra
> >>>> headers over the browserchannel socket either. Looks like browserchannel
> >>>> supports setExtraHeaders() but it doesn't seem to be exposed/accessible from
> >>>> ShareJS. Seems like this would be a nice way to send something like an OAuth
> >>>> access token for auth purposes?
> >>>>
> >>>> Dave
> >>>
> >>>
> >

Joshua Gross

unread,
Jan 11, 2013, 1:11:36 AM1/11/13
to sha...@googlegroups.com
This seems pretty important (and it's affecting me now), is there any reason this never made its way to a pull request? 

David Evans

unread,
Jan 11, 2013, 11:32:48 AM1/11/13
to sha...@googlegroups.com

Adding extra headers only works if you are using browserchannel and won't work with websockets. I added an authentication token when connecting so there was no need for the extra headers.

Dave
Reply all
Reply to author
Forward
0 new messages