
fix: Refresh the SAML request URL for each login attempt #10593

Merged
merged 2 commits into master from fix/refreshSAMLRequestURL
Dec 13, 2024

Conversation

Dschoordsch
Contributor

The request contains the issue instant date, which needs to be fresh for CloudFlare Access.

Description

Fixes/Partially Fixes #[issue number]
[Please include a summary of the changes and the related issue]

Demo

[If possible, please include a screenshot or gif/video, it'll make it easier for reviewers to understand the scope of the changes and how the change is supposed to work. If you're introducing something new or changing the existing patterns, please share a Loom and explain what decisions you've made and under what circumstances]

Testing scenarios

[Please list all the testing scenarios a reviewer has to check before approving the PR]

  • Scenario A

    • Step 1
    • Step 2...
  • Scenario B

    • Step 1
    • Step 2....

Final checklist

  • I checked the code review guidelines
  • I have added Metrics Representative as reviewer(s) if my PR involves metrics/data/analytics related changes
  • I have performed a self-review of my code, the same way I'd do it for any other team member
  • I have tested all cases I listed in the testing scenarios and I haven't found any issues or regressions
  • Whenever I took a non-obvious choice I added a comment explaining why I did it this way
  • I added the label Skip Maintainer Review Indicating the PR only requires reviewer review and can be merged right after it's approved if the PR introduces only minor changes, does not contain any architectural changes or does not introduce any new patterns and I think one review is sufficient
  • PR title is human readable and could be used in changelog

The request contains the issue instant date, which needs to be fresh for
CloudFlare Access.
@@ -131,9 +130,10 @@ const EmailPasswordAuthForm = forwardRef((props: Props, ref: any) => {
const domain = getSSODomainFromEmail(email)
if (domain && domain !== pendingDomain) {
setPendingDomain(domain)
// Fetch the url to verify SSO is configured for this domain.
// Don't cache it as we need a fresh one for login
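Review bot: the two comment lines are ambiguous about which request must be fresh. "Fetch the url to verify SSO is configured for this domain" says this fetch is only an enabled-check, yet "Don't cache it as we need a fresh one for login" reads as if this fetched value is the one sent to the IdP at login. Since the guard `if (domain && domain !== pendingDomain)` only runs this block when the domain changes, it cannot by itself guarantee a fresh request at click time; reword the comment to state that the login URL is requested separately when the user submits, and record the reason (the IssueInstant in the SAML request expires on the IdP side, about a minute for Cloudflare Access per the discussion) so a cache is not reintroduced later.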
Member

Given that the URL is generated on the fly by the server now, I'm curious, since this URL is generated but never used, why can't we use it for login? When does it go invalid?

Contributor Author

@Dschoordsch Dschoordsch Dec 12, 2024

It really depends on the IDP. For CloudFlare it's about a minute. So if they idle a bit between entering their email and pushing the button, it's outdated. We really just fetch it here to check whether or not SAML is enabled for that domain.

Member

a minute, whoa!
we don't send off that request until the email field is blurred, so we can probably get away with caching it, but if the delay isn't too bad it shouldn't matter either way

Contributor Author

The issue is we cannot really check if it will be rejected because it happens after the redirect, so I would like to stay on the safe side.

@Dschoordsch Dschoordsch merged commit 22d89e5 into master Dec 13, 2024
7 checks passed
@Dschoordsch Dschoordsch deleted the fix/refreshSAMLRequestURL branch December 13, 2024 08:57