Cookie Issues, Episode 3?
Hello again!
It’s been a while and over at @risetechnologies we have been doing pretty well with Meteor-Files and the ?xmtok=... authentication approach, as necessitated by cordova-plugin-meteor-webapp.
Recently I have been researching the topic again because we faced a similar issue on another front - the AWS loadbalancer only supports ‘sticky sessions’ using Cookies, but as we know, these are tricky with cordova.
In the process of researching this (details in cordova-plugin-meteor-webapp#64), I have found two things:
- all non-XHR requests (e.g. img.src etc) could totally be authenticated with Cookies, it’s just that ostrio:cookies sets the Cookie from the client side, and so it ends up being set on the localhost:12008 proxy server and not on the alternate-origin ROOT_URL. Clientside JS is disallowed from reading or manipulating cookies there but server responses can read and write cookies.
- XHR requests by default exclude Cookies and Auth information, but if .withCredentials is set on the XHR before sending they behave just like described above. Most web packages that use either expose this option or are easily modified to set it. This is the case for all our bundled asset-viewers (threejs, hlsjs, pdfjs).
With the above information, the only missing piece to fix ‘The Cookie Experience’ is a serverside route, e.g. ${downloadRoute}/_cookie, that responds with the correct Set-Cookie: x_mtok=... header. On cordova (or in general), the client bundle can then trigger a .withCredentials XHR there when the connection is established, and all further requests, browser- or XHR-initiated, will be authenticated.
We are thinking about implementing this ourselves, but it sounds mostly trivial to add to Meteor-Files and I am sure others could be interested in this approach.
A more widely-scoped solution would change the way ostrio:cookies works on Cordova, to something like this: (pseudocode)
client:
```js
Meteor.call('cookies.set', { [name]: value }, (err, res) => {
  if (res) {
    // credentialed request, so the Set-Cookie in the response is stored
    const xhr = new XMLHttpRequest();
    xhr.withCredentials = true;
    xhr.open('GET', res.pickupURL);
    xhr.send(null);
  }
});
```
server:
```js
Meteor.methods({
  'cookies.set': (to_set) => {
    // store cookies temporarily
    const pickupId = Random.id();
    // the client reads res.pickupURL, so return an object
    return { pickupURL: `${pickupRoute}?id=${pickupId}` };
  }
});

....onRequest(pickupRoute, (req, res) => {
  const pickupId = req.params.id;
  // retrieve cookies from temp storage
  res.set_cookies(cookies);
})
```
Issue Analytics
- Created 5 years ago
- Comments:22 (20 by maintainers)
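
The pickup flow sketched in the issue above, as an added example (not code from Meteor-Files, ostrio:cookies or the issue author): a framework-free Node handler that answers the credentialed cross-origin XHR with the CORS and `Set-Cookie` headers it needs. All function names, the 30-second lifetime, the allow-listed origin and the cookie attributes are assumptions made for the illustration.

```javascript
const { randomBytes } = require('crypto');

// Assumption: the only origin allowed to pick up cookies is the Cordova
// local proxy named in the issue.
const ALLOWED_ORIGINS = new Set(['http://localhost:12008']);
const PICKUP_TTL_MS = 30000;   // assumed lifetime of a pickup id
const pending = new Map();     // pickupId -> { cookies, expires }

// Called from the (hypothetical) 'cookies.set' method: park the cookies
// server-side and hand the client an unguessable one-time id.
function createPickup(cookies, now = Date.now()) {
  const id = randomBytes(16).toString('hex');
  pending.set(id, { cookies, expires: now + PICKUP_TTL_MS });
  return id;
}

// The cookie is set by ROOT_URL but requested from another origin, so it
// needs SameSite=None, which browsers accept only together with Secure.
function serializeCookie(name, value) {
  return `${encodeURIComponent(name)}=${encodeURIComponent(value)}` +
    '; Path=/; HttpOnly; Secure; SameSite=None';
}

// Pure core of the pickup route: returns the status and headers to send.
function handlePickup(origin, id, now = Date.now()) {
  // Origin can be forged outside a browser; the pickup id is the secret.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const entry = pending.get(id);
  pending.delete(id);          // single use: a replayed id finds nothing
  if (!entry || entry.expires < now) return { status: 404, headers: {} };
  return {
    status: 204,
    headers: {
      // With withCredentials the browser rejects '*': echo the exact origin.
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin',
      'Set-Cookie': Object.entries(entry.cookies)
        .map(([name, value]) => serializeCookie(name, value)),
    },
  };
}
```

In a real route the returned headers would be written with `res.setHeader` before ending the response; `HttpOnly` fits the auth-token case but not cookies that client code must read.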

@s-ol sorry I have missed your question. @dr-dimitru Thanks for the heads up.
This issue can be closed as this works now (tested against 1.13.0).
Thanks @s-ol @dr-dimitru for all the effort you’ve put into this! 🚀❤️
@menelike are you able to use stock meteor-files + meteor-cookies in production on Cordova now?