nebari
[bug] Conda Store auth redirects via http not https
When logging into Conda Store, the redirect back from Keycloak seems to get confused between HTTP and HTTPS.
This can cause blocked content in the browser (in particular, within Cypress tests).
This is the flow:
https://qhub.mycompany.com/auth/realms/qhub/login-actions/authenticate?session_code=...
Returns a 302 to https://qhub.mycompany.com/conda-store/oauth_callback?state=...
Which returns a 308 to http://qhub.mycompany.com/conda-store/oauth_callback/?state=... (note http)
Which returns a 308 to http://qhub.mycompany.com/conda-store/oauth_callback/?state=...
For some reason this loads https://qhub.mycompany.com/conda-store/oauth_callback/?state=... (instead of http)
Which returns a 302 to http://qhub.mycompany.com/conda-store/user/
Which returns a 302 to http://qhub.mycompany.com/conda-store/user/
For some reason this loads https://qhub.mycompany.com/conda-store/user/
Where I say "for some reason this loads https", I think that's related to Upgrade-Insecure-Requests provided by the browser's request headers, and the CSP response - however, I suspect that will all be irrelevant if we work to ensure no HTTP is involved in the first place.
I'm not sure if this is a problem inside Conda Store or within QHub's integration of Conda Store.
Ah yes I remember this issue. It was fixed by https://github.com/Quansight/conda-store/pull/230 in the 0.3.10 conda-store-server release. I've bumped the conda-store version in https://github.com/Quansight/qhub/pull/1118 which should resolve this issue. I'll make that PR close this issue with an appropriate test to make sure it is working.
The PR in question didn't quite work. Another one in progress.
I think some of this has been fixed (and I'm not sure if Cypress will still fail) but I still see an http creep in during the OAuth2 login process:
https://qhub.mycompany.com/conda-store/oauth_callback?state=...
returns a 302 to
http://qhub.mycompany.com/conda-store/user/
When it is available, upgrade QHub's conda-store to 0.3.11 or higher.
This needs to be tested to see if it disappears, but I believe this should be resolved.
@costrouc I believe this has been resolved but feel free to open this if you think this is still an issue.
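A regression check for the redirect chain reported in this issue, as an added example that is not part of the original thread or of the QHub or conda-store code: it inspects the `Location` header each hop actually returned, so a browser silently upgrading the request does not hide the downgrade. The hop list is constructed from the URLs quoted above, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the hops quoted in the issue, as
# (request URL, status code, Location header returned by the server).
HOPS = [
    ("https://qhub.mycompany.com/auth/realms/qhub/login-actions/authenticate?session_code=...",
     302, "https://qhub.mycompany.com/conda-store/oauth_callback?state=..."),
    ("https://qhub.mycompany.com/conda-store/oauth_callback?state=...",
     308, "http://qhub.mycompany.com/conda-store/oauth_callback/?state=..."),
    ("https://qhub.mycompany.com/conda-store/oauth_callback/?state=...",
     302, "http://qhub.mycompany.com/conda-store/user/"),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def find_downgrades(hops):
    """Return (index, request_url, target, carries_query) for each https -> http redirect."""
    findings = []
    for i, (url, status, location) in enumerate(hops):
        if status not in REDIRECT_CODES or not location:
            continue
        # Location may be relative or scheme-relative; resolve it as a browser would.
        target = urljoin(url, location)
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            # A query string on the downgraded hop (here the OAuth `state`) would
            # travel in cleartext if the browser followed the redirect as given.
            findings.append((i, url, target, bool(urlsplit(target).query)))
    return findings


def assert_https_only(hops):
    """Raise AssertionError naming every downgraded hop; meant to be called from a test."""
    bad = find_downgrades(hops)
    if bad:
        detail = "\n".join(f"hop {i}: {src} -> {dst}" for i, src, dst, _ in bad)
        raise AssertionError("redirect downgraded to http:\n" + detail)


if __name__ == "__main__":
    for i, src, dst, has_query in find_downgrades(HOPS):
        print(f"hop {i}: {src}\n    -> {dst} (query in cleartext: {has_query})")
```

The hop tuples can be filled from a browser HAR export or from `curl -v` output with redirect following disabled.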