Fix infinite redirect loop when multiple cookies are sent #50452
Is there a way to keep the functionality while calling clearInvalidCookie outside of validateFunc? Adding behaviour in a validation method looks like introducing side effects to me, so I would prefer to avoid it if we can.
I don't love that it's there, but I couldn't think of a better place to put it.
I originally had it in the X-Pack authentication module in the Security plugin:
kibana/x-pack/plugins/security/server/authentication/index.ts
Lines 68 to 99 in 60d7789
However, I wanted to keep usage of the Hapi toolkit abstracted away from X-Pack, so I decided to move that code into Core in cookie_session_storage.ts. If you have a better idea of where to put it, I'm all ears!
FWIW, Hapi's default behavior to clear the cookie (which I've overridden in this commit) already originates in its validation method. https://github.com/hapijs/cookie/blob/3a6e046e7adafafc382054000239c338a1a55d8c/lib/index.js#L197-L199
I guess since we are doing nothing that hapi was not already doing, this should be alright. Unless someone has a better idea on where we could move this (I don't have much experience with the hapi lifecycle), maybe @joshdover or @restrry?
What if the platform doesn't handle the removal, but the plugin controls it? Security plugin already has access to CookieStorage and can perform all setup/teardown logic.
I thought about that, but we are relying on the Hapi toolkit for the actual cookie removal -- right now we don't expose Hapi directly to plugins in the New Platform, we abstract it away. My impression was that we wanted to keep it that way.
Correct, but we can extend the API and provide methods to remove the cookie. This method will be a wrapper around hapi.
Ok, nvm. The core defines the auth strategy and sets the cookie in hapi. Probably, it's better to keep your current implementation with explicit removal in the core. Ok for me.
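A small illustration of the split the thread settles on, added here as an example rather than code from Kibana or hapi: the validation callback stays a pure verdict, and removing the cookie happens as an explicit step in the caller instead of inside the validation method. The function names, the in-memory session table and the cookie header values below are constructed for the example; only h.unstate(name) is a real hapi response-toolkit method, and the fake toolkit here just records what would have been cleared. The example also tolerates several cookies of the same name in one request, which is this example's own choice and not a description of the PR's fix.

```javascript
// Added example (not Kibana's or hapi's code). Demonstrates keeping session
// validation free of side effects and clearing the cookie explicitly elsewhere.
const SESSION_COOKIE = 'sid';

// Constructed session store: one known, unexpired session id.
const KNOWN_SESSIONS = new Map([
  ['abc123', { username: 'alice', expiresAt: Date.parse('2099-01-01T00:00:00Z') }],
]);

// Pure validation, shaped like hapi's validate(request, session) callback:
// it returns a verdict and never touches the response or the cookie.
function validateSession(session, now = Date.now()) {
  const record = session && KNOWN_SESSIONS.get(session.sid);
  if (!record || record.expiresAt <= now) {
    return { isValid: false };
  }
  return { isValid: true, credentials: { username: record.username } };
}

// The side effect lives here, outside validation; the caller decides to clear.
// h.unstate(name) is the real hapi toolkit call that marks a cookie for removal.
function clearSessionCookie(h) {
  h.unstate(SESSION_COOKIE);
}

// Parse a raw Cookie header into [name, value] pairs, keeping duplicates,
// because a browser may send several cookies with the same name (for example
// set under different Path attributes).
function parseCookieHeader(header) {
  return (header || '')
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((part) => {
      const i = part.indexOf('=');
      return [part.slice(0, i), part.slice(i + 1)];
    });
}

// Request handling: compute the auth verdict first, then perform cleanup and
// the redirect as explicit steps. Stale cookies are cleared so the browser
// does not keep presenting them on the next request.
function handleRequest(request, h) {
  const sessions = parseCookieHeader(request.headers.cookie)
    .filter(([name]) => name === SESSION_COOKIE)
    .map(([, value]) => ({ sid: value }));
  const verdict = sessions.map((s) => validateSession(s)).find((v) => v.isValid);
  if (verdict) {
    return { status: 200, user: verdict.credentials.username };
  }
  if (sessions.length > 0) {
    clearSessionCookie(h); // explicit removal, not hidden in validateSession
  }
  return { status: 302, location: '/login' };
}

// Minimal stand-in for hapi's response toolkit (constructed for the example).
function makeToolkit() {
  const cleared = [];
  return { unstate: (name) => cleared.push(name), cleared };
}

// Usage: a request carrying two stale session cookies gets redirected and the
// cookie is marked for removal; a valid session is let through untouched.
const tk = makeToolkit();
console.log(handleRequest({ headers: { cookie: 'sid=stale; sid=stale2' } }, tk), tk.cleared);
console.log(handleRequest({ headers: { cookie: 'sid=abc123' } }, makeToolkit()));
```

The point of the shape is that validateSession can be unit-tested and reused without any response toolkit in scope, while the single place that calls clearSessionCookie is where the removal policy is visible and reviewable.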
Okay, thanks!
@pgayvallet any other concerns or nits?
As mentioned above, we no longer need Hapi to automatically clear invalid cookies.