chore (iframe): cross cookie cleanup

mickael-kerjean · mickael-kerjean · commit 9baf4b0f747c · 2024-09-10T21:40:58.000+10:00
diff --git a/public/assets/boot/ctrl_boot_frontoffice.js b/public/assets/boot/ctrl_boot_frontoffice.js
@@ -15,6 +15,7 @@ export default async function main() {
             setup_blue_death_screen(),
             setup_history(),
             setup_polyfill(),
+            setup_iframe(),
         ]);
 
         await Promise.all([ // procedure with dependency on config
@@ -106,3 +107,22 @@ async function setup_polyfill() {
         await loadJS(import.meta.url, "../lib/polyfill.js");
     }
 }
+
+// In safari and duck duck go browser, cross domain iframe cannot inject cookies,
+// see https://support.apple.com/en-au/guide/safari/sfri40732/mac
+// hopefully one day, they provide support for partitioned cookie and we can remove this code
+// but until that happens we had to find a way to inject authorisation within ../lib/ajax.js
+async function setup_iframe() {
+    if (window.self === window.top) return;
+
+    window.addEventListener("pagechange", async() => {
+        if (location.hash === "") return; // happy path
+
+        const token = new URLSearchParams(location.hash.replace(new RegExp("^#"), "?")).get("bearer");
+        if (token) window.BEARER_TOKEN = token;
+
+        if (location.pathname === toHref("/logout")) {
+            delete window.BEARER_TOKEN;
+        }
+    });
+}
diff --git a/public/assets/pages/connectpage/ctrl_form.js b/public/assets/pages/connectpage/ctrl_form.js
@@ -199,7 +199,7 @@ export default async function(render) {
                 rxjs.tap(() => toggleLoader(true)),
                 rxjs.mergeMap(() => createSession(formData)),
                 rxjs.tap(({ responseJSON, responseHeaders }) => {
-                    if (responseHeaders.bearer) window.BEARER_TOKEN = responseHeaders.bearer; // fix https://support.apple.com/en-au/guide/safari/sfri40732/mac
+                    if (responseHeaders.bearer) window.BEARER_TOKEN = responseHeaders.bearer; // see ctrl_boot_frontoffice.js -> setup_iframe
                     let redirectURL = toHref("/files/");
                     const GET = getURLParams();
                     if (GET["next"]) redirectURL = GET["next"];
diff --git a/public/assets/pages/ctrl_homepage.js b/public/assets/pages/ctrl_homepage.js
@@ -24,8 +24,6 @@ export default function(render) {
     }
 
     // feature2: redirect user where it makes most sense
-    const token = new URLSearchParams(location.hash.replace(new RegExp("^#"), "?")).get("bearer");
-    if (token) window.BEARER_TOKEN = token;
     effect(getSession().pipe(
         rxjs.catchError((err) => {
             if (err instanceof AjaxError && err.err().status === 401) {
diff --git a/public/assets/pages/ctrl_logout.js b/public/assets/pages/ctrl_logout.js
@@ -13,7 +13,6 @@ export default function(render) {
     effect(deleteSession().pipe(
         rxjs.mergeMap(setup_config),
         rxjs.tap(() => {
-            delete window.BEARER_TOKEN;
             window.CONFIG["logout"] ? location.href = window.CONFIG["logout"] : navigate(toHref("/"))
         }),
         rxjs.catchError(ctrlError(render)),

Original file line number	Diff line number	Diff line change
`@@ -24,8 +24,6 @@ export default function(render) {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`// feature2: redirect user where it makes most sense`
`27`		`- const token = new URLSearchParams(location.hash.replace(new RegExp("^#"), "?")).get("bearer");`
`28`		`- if (token) window.BEARER_TOKEN = token;`
`29`	`27`	`effect(getSession().pipe(`
`30`	`28`	`rxjs.catchError((err) => {`
`31`	`29`	`if (err instanceof AjaxError && err.err().status === 401) {`