bug: spacedeck authentication is partially broken

[andirueckel]

Unfortunately, spacedeck authentication is partially broken on latest main, and maybe even was broken for quite some time. I’m struggling to pinpoint the exact problem—if there even is only one problem resulting in this behavior—, but my findings might guide you on your journey to fixing this bug. 🧩

First things first, let’s reproduce the problem.

0. In your local medienhaus-docker-dev clone, please start from scratch via sh scripts/reset.sh.

   Disclaimer, as the reset helper script still might be rather new to you: This will delete your local matrix-synapse, etherpad, spacedeck, et cetera databases; everything but your manually created lldap accounts will be reset.

1. In your browser, open medienhaus-spaces via: http://localhost/

   Please use incognito mode for your tests, or remember to always clear your local storage, cookies, et cetera.

2. Login via one of your manually created lldap accounts; else create a new account via: http://ldap.localhost/

3. Navigate to /sketch via: http://localhost/sketch

4. Create a new sketch.

5. You should be able to sketch something in the Spacedeck iframe.

6. Close your incognito window(s), or clear our local storage, cookies, et cetera.

7. Repeat steps 1–3, and click/open/select your previously created sketch.

8. You should not be able to sketch something in the Spacedeck iframe, but be presented with Spacedeck’s login page.

We’ll fix it in POST.

After the first, initial, login to medienhaus-spaces, a POST request is sent via lib/auth/SpacedeckAuthProvider.js.

There’s no POST request being sent after any subsequent login.

Where’s my cookie!

Spacedeck really wants its cookies; if there’s no sdsession cookie, at least bring some x-spacedeck-auth header.

https://github.com/medienhaus/spacedeck-open/blob/mnt/middlewares/session.js#L25-L31

https://github.com/medienhaus/spacedeck-open/blob/mnt/public/javascripts/backend.js#L53-L55

… if there’s no x-spacedeck-auth header on _login(), we might have a problem.

https://github.com/medienhaus/medienhaus-spaces/blob/main/lib/auth/SpacedeckAuthProvider.js#L117-L133

The cookie is a lie.

I’m really struggling to definitely understand all the conditions and steps in lib/auth/SpacedeckAuthProvider.js; besides having a craving for cookies by now, I have the feeling that medienhaus-spaces suggests the x-spacedeck-auth token stored in the user’s Matrix account data would be perfectly valid, while Spacedeck either does not know anything about the token validaty, or has already invalidated this token.

Maybe … #68 (comment)

There’s also something about the following condition—my bug-senses are tingling.

You wouldn’t simply return false; instead.

It would mitigate the problem, though, and send the POST.

The end.

Do you remember when we reproduced the problem at the very beginning of this journey?

Interestingly enough, simply using /logout instead closing your incognito window(s), or clearing our local storage, cookies, et cetera does not result in the same problematic behavior, which leads me to believe that the /logout functionality is partially broken and not completely clearing all relevant artefacts from our local storage, cookies, et cetera. 💥

[robertschnuell]

should be fixed with if we will merge and deploy this PR for spacedeck: medienhaus/spacedeck-open#3