Sign in issues with Safari's cross-site tracking prevention

[BBaoVanC]

The page I'm using for testing is https://bbaovanc.com/blog/the-redesign-of-my-website/.

With AUTH_SEND_JWT_HEADER=true commented out

Chrome and Firefox

Both OAuth and anonymous work properly.

Safari

If I sign in with GitHub, then it just doesn't sign in at all (it opens the GitHub OAuth page, but then when it closes and goes back to Remark, it's still not signed in). If I try signing in as anonymous, then it appears to work, but I get a big red banner that says "Not authorized." when I try and send a comment. If I reload the page, I'm not signed in

With AUTH_SEND_JWT_HEADER=true uncommented

Safari, Firefox, and Chrome

Signing in with GitHub gives a "{"error":"failed to get token"}" response on the callback URL. Signing in as anonymous works fine, and I can send messages properly.

My configs

version: '3'

services:
  remark:
    image: umputun/remark42:master
    restart: always
    environment:
      - REMARK_URL=https://remark.boba.best
      - SITE=bbaovanc.com,boba.best,remark
      - ALLOWED_HOSTS=remark.boba.best bbaovanc.com boba.best
      - SECRET
      - STORE_BOLT_PATH=/srv/var/db
      - BACKUP_PATH=/srv/var/backup
      - ADMIN_SHARED_ID=github_4cb43a41df2719c23f1aafc06d7a844288354217,email_3a84cbdb570d38d183c1d046e08974e15a2a156a
      - ADMIN_PASSWD
      - [email protected]
      - AUTH_SAME_SITE=none
      #- AUTH_SEND_JWT_HEADER=true
      - AUTH_ANON=true
      - VOTES_IP=true
      - ANON_VOTE=true
      - AUTH_GITHUB_CID
      - AUTH_GITHUB_CSEC
      - AUTH_EMAIL_ENABLE=true
      - [email protected]
      - SMTP_HOST=mail.boba.best
      - SMTP_PORT=465
      - SMTP_TLS=true
      - [email protected]
      - SMTP_PASSWORD
      - [email protected]
      - NOTIFY_ADMINS=email
      - NOTIFY_USERS=email
    volumes:
      - ./data/remark/var:/srv/var
    ports:
      - 127.0.0.1:86:8080

Caddy config:

# vim: ft=caddyfile

remark.boba.best {
    encode zstd gzip
    import hsts
    import log

    reverse_proxy localhost:86 {
        header_up X-Real-IP {remote_host}
    }

    import basicerrors
}

[umputun]

first of all, AUTH_SEND_JWT_HEADER is not a solution and not even a workaround for your issue. It is designed for a very specific use case where a third-party UI can't support cookies for some reason, for example, non-web frontend and things like this.

Regarding the issue with the GitHub auth - my first guess will be the incorrect setup of your callback URL or incorrect CID and/or CSEC parameters.

Either way, at the moment you do this failed auth attempt, remark's log should give you errors/warnings and those can help to diagnose the issue

[BBaoVanC]

alright, I'll keep it commented and I won't test it anymore. My callback url is https://remark.boba.best/auth/github/callback which looks to be what the docs say. That limits it to something Safari is doing differently.

I've added DEBUG=true to the docker compose config. Here's what I see for anonymous login in the logs:

remark_1  | 2021/10/30 23:05:41.075 [DEBUG] {avatar/avatar.go:157 avatar.(*Proxy).resize} avatar resize(): limit should be greater than 0
remark_1  | 2021/10/30 23:05:41.076 [DEBUG] {avatar/avatar.go:51 avatar.(*Proxy).Put.func1} saved identicon avatar to 1604eb6acc8dfdafda890406b5edacf50f7085d7.image, user "test123"
remark_1  | 2021/10/30 23:05:41.076 [INFO]  {logger/logger.go:130 logger.(*Middleware).Handler.func1.1} GET - /auth/anonymous/login?site=bbaovanc.com&user=test123&aud=bbaovanc.com - remark.boba.best - 3d9325bfb737 - 200 (215) - 20.509062ms
remark_1  | 2021/10/30 23:05:47.118 [DEBUG] {middleware/auth.go:76 middleware.(*Authenticator).auth.func1} auth failed, can't get token: token cookie was not presented: http: named cookie not present

Comparing the /api/v1/comment request headers, I noticed that Firefox is sending a Cookie header which contains JWT=[redacted]; XSRF-TOKEN=[redacted], and a XSRF-TOKEN header which contains the same XSRF-TOKEN as in the Cookie header. Safari isn't sending either of those two headers.

[BBaoVanC]

Actually Safari doesn't seem to be saving any cookies at all, other than __remark_comment_value in local storage.

[paskal]

#1093 discussion might be related.

[umputun]

one experiment I would suggest to rule out possible proxy-related (caddy) issues is to start the remark42 "naked" on some port and try /web. It will also eliminate cors-related issues as well from the picture.

another thing I noticed, which may be related to CORS issues - your remark42 runs on a subdomain of boba.best however your site is on bbaovanc.com. Not sure if this is the root cause but worths checking if possible. I.e. making remark.bbaovanc.com and using it to access remark42

[BBaoVanC]

I found another two clues:

• it works fine on https://remark.boba.best/web
• disabling the "Prevent cross-site tracking" option in Safari fixes the issue

I'll try using it as remark.bbaovanc.com in a moment, just takes a bit since I have to change the callback on the GitHub OAuth app, the remark settings, and caddy's config.

[umputun]

I don't think this is a solution yet though, because I'd like to use the same instance for comments on both bbaovanc.com and boba.best in the future.

Actually, you can do it. Run a single instance of remark42, set up reverse proxies with caddy on each site on "local" subdomains, i.e. remark.boba.best and remark.bbaovanc.com, and point them to that remark42 service. This way you keep subdomains local to your site and share the same remark42 service for both sites.

[BBaoVanC]

I don't think this is a solution yet though, because I'd like to use the same instance for comments on both bbaovanc.com and boba.best in the future.

Actually, you can do it. Run a single instance of remark42, set up reverse proxies with caddy on each site on "local" subdomains, i.e. remark.boba.best and remark.bbaovanc.com, and point them to that remark42 service. This way you keep subdomains local to your site and share the same remark42 service for both sites.

Only one of them can work though, because I have to choose one for REMARK_URL. Is there a way I'm missing to set two domains for that?

Also, I can only set one for the callback URL on GitHub.

[umputun]

yeah, you're right

Regarding CORS - this is what remark42 sets internally

corsMiddleware := cors.New(cors.Options{
			AllowedOrigins:   []string{"*"},
			AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
			AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-XSRF-Token", "X-JWT"},
			ExposedHeaders:   []string{"Authorization"},
			AllowCredentials: true,
			MaxAge:           300,
		})

I'm not sure why safari doesn't like it anymore, maybe AllowedOrigins: * is too wide open. You can completely disable internal CORS support by setting --proxy-cors (env PROXY_CORS=true) and adding CORS headers on caddy level. Maybe if you set the origin to your domain only, safari will like it better.

[BBaoVanC]

I tried this, it didn't work:

I searched the problem a bit and it sounds like Safari doesn't want to set cross-site cookies at all, unless that "Prevent cross-site tracking" option is disabled (which I don't want to have to force all my Safari users to do). As much as I want to use just a single instance I wonder if I should just split it up into two separate ones?

[BBaoVanC]

I think I'll just change the instance to be remark.bbaovanc.com right now. I don't need comments on boba.best yet.

[paskal]

Current, up-to-date documentation on the topic: https://remark42.com/docs/manuals/separate-domain/

[bashlk]

I think the documentation could use at least a short example of what kind of cross domain setups will not work. I saw the link to the discussion #1139 at the top of the page but then couldn't quite grasp what the issue was based on the contents of that discussion. So I went ahead with a setup where remark was hosted on comments.bash.lk and used on both www.bash.lk and www.frontendundefined.com. I would be happy to contribute such an example to the docs.

Also the docs say that the issue is solved if #1139 has a marked answer and it does 😆

I got it to work with email and annoymous auth by setting the AUTH_SEND_JWT_HEADER option which at least allows a user to login and post a comment on www.frontendundefined.com. But the session is immediately lost when the page is refreshed which is not nice.

Are they any plans to fix the cross domain setup? In the past, I got such setups to work by having the social auth domain redirect back to the site with a short lived token set as a query parameter and the site then requesting a long lived token from the auth service.

I am also open to pointing another subdomain at the same remark42 instance but since REMARK_URL only supports a single URL, I am unsure whether remark would like that.

[paskal]

Different second-level domains (like a.com and b.com) won't work with symptoms described in the documentation and ones you saw yourself. We have plans to fix it, but it requires a massive overhaul of the auth library, which is not a simple task, and I haven't gotten to it yet.