
dbAuth not working with localhost frontend

Status: Open. icekemia opened this issue 2 years ago · 10 comments

Hello, I'm developing a small project with react-admin as frontend and php-crud-api as backend. I've set it up correctly and deployed it. On the production site it is working fine, but if I connect to the API using the development frontend on my PC, the dbAuth middleware keeps logging me out of react-admin. I can successfully log in and I get the users table payload from the endpoint, so it is not a CORS issue, but as soon as I send a request to any other endpoint I get logged out and receive the message: {"code":1011,"message":"Authentication required"}

I have tried switching off dbAuth and it works fine, so I guess there's an issue with it. It looks like either $_SESSION['user'] is not being correctly assigned or cookies are not set.

Any idea on how to solve/debug this case?

Thanks

icekemia (May 17 '23 09:05)

Look at this: https://github.com/mevdschee/php-crud-api/issues/953#issuecomment-1414236222

It may be a SameSite cookie setting issue.

mevdschee (May 17 '23 21:05)

Hello, thanks for the prompt reply. I have tried it, but it had no effect at all. Inspecting the headers, I have noticed that when I am on the local machine it doesn't send the Authorization: Basic XXXXXXXX and Cookie: PHPSESSID=YYYYYYYYYY headers with requests, while in production it sends both. I guess this could be the issue, though I couldn't see any piece of code requesting these headers in the dbAuth middleware.

icekemia (May 18 '23 07:05)

It looks like I have found the solution, or at least it looks like it is working now. I was using treeqlProvider without options; I had to specify options.credentials = 'include' and it magically started sending cookies to the API from the local frontend as well. Now it responds with the correct payload. So it is definitely not a bug in php-crud-api, but maybe it can be documented in ra-data-treeql together with the authorization token.

icekemia (May 22 '23 06:05)

Hi @icekemia,

I am the author of ra-data-treeql and I am facing the same issue right now.

Could you describe your solution in more detail please?

nkappler (May 24 '23 09:05)

@mevdschee I've noticed that the session cookie returned by php-crud-api differs each time. I am not sure if this is caused by my localhost setup or the backend setup.

nkappler (May 24 '23 09:05)

@nkappler Can you try setting the "SameSite" property of the Cookie to "None"? It seems to solve most people's problems while developing (it is not recommended in a production environment).

mevdschee (May 24 '23 10:05)

I've fixed my setup for now by pointing the proxy to the exact URL of api.php. I had it set up with the .htaccess template file so that all requests to myurl.com/api/* would be pointed to myurl.com/api/api.php, but for some reason this doesn't work entirely. It seems like the route is lost or something, but I'm not sure, and I also don't know how to debug it properly... I'm no expert on this topic and I do not fully understand yet why this isn't working as expected, but it seems that it's a proxy issue rather than an issue with php-crud-api or dbAuth, at least with my setup...

nkappler (May 26 '23 06:05)

@nkappler Sorry for the late response. This is what I have edited in my authProvider.js:

```js
const authProvider = {
  // called when the user attempts to log in
  login: ({ username, password }) => {
    const request = new Request(url, {   // url: the php-crud-api login endpoint
      method: 'POST',
      body: JSON.stringify({ username, password }),
      headers: new Headers({ 'Content-Type': 'application/json' }),
      credentials: 'include',            // send and store the session cookie cross-origin
    });
    return fetch(request).then((response) => {
      if (response.status < 200 || response.status >= 300) {
        throw new Error(response.statusText);
      }
    });
  },
  // ...
};
```

The last line is the magic one. I am not sure whether it is a fix for all kinds of setup, but it is now working on my local version even if I switch API url from local to remote.

icekemia (May 26 '23 15:05)
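The snippet above only shows the login call. As an added example that is not code from the issue, php-crud-api or ra-data-treeql, here is a complete react-admin authProvider in which every request to the API goes through one wrapper that sets credentials: 'include', so no call can drop the session cookie. It assumes the backend is php-crud-api with the dbAuth middleware (POST /login, POST /logout, GET /me, and the {"code":1011,"message":"Authentication required"} body, HTTP 401 assumed), API_URL is a placeholder, and fetchImpl is injectable so the provider can be exercised without a network.

```javascript
// Added example for this thread; it is not code from the issue, php-crud-api or
// ra-data-treeql. Assumptions: the backend is php-crud-api with dbAuth, which
// serves POST /login, POST /logout and GET /me and answers an unauthenticated
// request with {"code":1011,"message":"Authentication required"} (HTTP 401 assumed);
// API_URL is a placeholder; fetchImpl is injectable so the provider runs offline.

const API_URL = "https://api.example.test/api.php"; // placeholder

// The one setting that fixed the issue. fetch() defaults to credentials
// 'same-origin', which neither sends nor stores cookies for a request whose
// origin differs from the page (localhost:3000 -> api.example.test), so the
// PHPSESSID cookie set by /login never comes back and every later call is 1011.
function withCredentials(init = {}) {
  return {
    ...init,
    credentials: "include",
    headers: { "Content-Type": "application/json", ...(init.headers || {}) },
  };
}

// php-crud-api reports a missing session with its own error code in the body,
// so check both the status and the body.
function isAuthenticationRequired(status, body) {
  return status === 401 || Boolean(body && body.code === 1011);
}

function createAuthProvider(apiUrl = API_URL, fetchImpl = globalThis.fetch) {
  // Every request goes through here, so no call can forget the credentials flag.
  const call = async (path, init) => {
    const res = await fetchImpl(apiUrl + path, withCredentials(init));
    const text = await res.text();
    let body = null;
    try {
      body = text ? JSON.parse(text) : null;
    } catch {
      body = null; // non-JSON error page from the proxy or web server
    }
    return { status: res.status, body };
  };

  return {
    // react-admin passes the login form values; a rejection shows the error
    login: async ({ username, password }) => {
      const { status, body } = await call("/login", {
        method: "POST",
        body: JSON.stringify({ username, password }),
      });
      if (status !== 200) {
        throw new Error((body && body.message) || "Login failed");
      }
      return body; // the user record; the session itself lives in the cookie
    },
    logout: async () => {
      await call("/logout", { method: "POST" });
    },
    // react-admin calls checkAuth on navigation; GET /me only succeeds if the
    // cookie round-tripped, which is exactly what broke in the issue.
    checkAuth: async () => {
      const { status, body } = await call("/me", { method: "GET" });
      if (isAuthenticationRequired(status, body)) {
        throw new Error("Authentication required");
      }
    },
    // react-admin calls checkError with the error a data-provider call threw
    // (status and body properties assumed, as react-admin's HttpError has);
    // rejecting here is what redirects the user to the login page.
    checkError: async (error) => {
      if (isAuthenticationRequired(error.status, error.body)) {
        throw new Error("Session expired");
      }
    },
    getPermissions: async () => null,
  };
}
```

Plug it in with createAuthProvider() (or createAuthProvider(yourApiUrl)) and pass the result to react-admin's authProvider prop; the data provider's own fetch calls need the same credentials: 'include' treatment, otherwise the record requests will still arrive without the cookie.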

I've done some further research and my issue seems to relate entirely to the request URL. I have a slight mismatch in the API URL between the production and development landscapes, but I'll find a different solution for that. My getting-logged-out problem seems to boil down to the fact that browsers won't set cookies from a cross-origin domain, i.e. I'm sending a login request from localhost directly to mydomain.com, which is successful. In return I get a session cookie, which isn't stored, and thus the server doesn't recognize me on the subsequent GET record/xyz request, replying with a 1011 Authorization Required error. This is what the proxy is for: redirecting the requests so cookies aren't lost.

Either way, I think both my issue and @icekemia's issue have nothing to do with either php-crud-api or ra-data-treeql. I do agree that the documentation for setting all this up could be improved, but I see this responsibility over at the react-admin folks.

tl;dr: I think we should close this issue.

nkappler (May 31 '23 19:05)

I've figured out why my proxy was not working. I have used the .htaccess file from the root of the php-crud-api repository to redirect requests from /api/login to /api/api.php/login. However, without the P flag the request is not proxied but converted to a GET request and the username and password do not reach api.php.

I've changed the flags from [QSA,L] to [QSA,P] and now it works... (I had to ask ChatGPT to explain what these flags were doing 😅)

nkappler (May 31 '23 21:05)