FIX: Auth popup handling for Safari same-site cookie quirks

When opening the authentication popup, start with an on-site URL. Opening "about:blank" and then POSTing the form does not send SameSite=Lax cookies. Opening the popup to a page on the site domain and then POSTing the form works successfully.

diff --git a/app/assets/javascripts/discourse/models/login-method.js.es6 b/app/assets/javascripts/discourse/models/login-method.js.es6
index 0b12604..83e9a18 100644
--- a/app/assets/javascripts/discourse/models/login-method.js.es6
+++ b/app/assets/javascripts/discourse/models/login-method.js.es6
@@ -53,7 +53,7 @@ const LoginMethod = Ember.Object.extend({
         }
         LoginMethod.buildPostForm(authUrl).then(form => {
           const windowState = window.open(
-            "about:blank",
+            authUrl,
             "auth_popup",
             `menubar=no,status=no,height=${height},width=${width},left=${left},top=${top}`
           );
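Review bot: opening the popup on authUrl itself means the popup first GETs authUrl and then the form built by LoginMethod.buildPostForm(authUrl) POSTs to the same URL, so the auth endpoint is hit twice per login; if the only requirement is a same-origin initial document so that SameSite=Lax cookies accompany the POST, open a lightweight same-origin page rather than the auth endpoint, and add a comment next to the window.open call explaining why "about:blank" was replaced, since it otherwise reads like the obvious value to restore.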

GitHub sha: 310a8ac2

1 Like

Revert "FIX: Auth popup handling for Safari same-site cookie quirks"

This commit has been mentioned on Discourse Meta. There might be relevant details there:

@davidtaylorhq we had to revert this because it broke Google auth. Our theory is that the authUrl meant the CSRF token is requested twice: once when the popup loads and once after that, at which point the token is invalidated.

Could you revisit this fix with a different URL?

2 Likes
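The popup flow the commit message describes, as an added example that is not Discourse's login-method.js. The commit message reports that a form POSTed from an "about:blank" popup does not carry SameSite=Lax cookies in Safari, while a popup that starts on the site's own origin does; the reply above reports that opening the popup directly on authUrl hit the endpoint twice. This version therefore opens a separate lightweight same-origin page first and only then POSTs the provider form into it. The "/auth/popup.html" path, the "https://forum.example" origin, the authenticity_token field name and the fake window/document are assumptions constructed so the example runs offline.

```javascript
// Added example (not Discourse's code): open the auth popup on a page of our
// own origin, then POST the provider form into that named window. Starting on
// "about:blank" is avoided because, per the commit message, a POST from such a
// popup was observed not to send SameSite=Lax cookies in Safari.

function openAuthPopup(authUrl, fields, opts) {
  const {
    win,                            // window-like object providing open()
    doc,                            // document-like object providing createElement()/body
    siteOrigin,                     // assumption: the caller knows its own origin
    popupPage = "/auth/popup.html", // hypothetical cheap same-origin page, sets no auth state
    name = "auth_popup",
    width = 600,
    height = 700,
  } = opts;

  const site = new URL(siteOrigin);
  const target = new URL(authUrl, site);
  // The POST must be same-site with the popup's initial document; refuse an
  // auth URL on another origin rather than silently losing the cookies again.
  if (target.origin !== site.origin) {
    throw new Error(`auth URL must be on ${site.origin}, got ${target.origin}`);
  }

  // Start the popup on our own origin, never on "about:blank".
  const initialUrl = new URL(popupPage, site).href;
  const popup = win.open(
    initialUrl,
    name,
    `menubar=no,status=no,height=${height},width=${width}`
  );
  if (!popup) {
    throw new Error("popup was blocked");
  }

  // Build the POST form in the opener and target the named popup window, so the
  // provider redirect happens inside the popup rather than in the main page.
  const form = doc.createElement("form");
  form.method = "POST";
  form.action = target.href;
  form.target = name;
  for (const [key, value] of Object.entries(fields)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = key;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();   // starts the navigation in the popup
  form.remove();   // the form has done its job once submitted

  return { popup, initialUrl, form };
}

// Constructed stand-in for window/document so the example runs outside a
// browser; it records what would have been opened and submitted.
function makeFakeDom() {
  const opened = [];
  const makeEl = (tagName) => ({
    tagName,
    children: [],
    appendChild(child) { this.children.push(child); return child; },
    remove() { this.removed = true; },
    submit() { this.submitted = true; },
  });
  const doc = { body: makeEl("body"), createElement: makeEl };
  const win = {
    open(url, name, features) {
      opened.push({ url, name, features });
      return { name, closed: false };
    },
  };
  return { win, doc, opened };
}

// Worked run with constructed values: a Google login started from forum.example.
function demo() {
  const siteOrigin = "https://forum.example";
  const dom = makeFakeDom();
  const { form, initialUrl } = openAuthPopup(
    "https://forum.example/auth/google_oauth2",
    { authenticity_token: "constructed-csrf-token" }, // field name is an assumption
    { win: dom.win, doc: dom.doc, siteOrigin }
  );
  return { opened: dom.opened, initialUrl, form };
}

// A cross-origin auth URL is rejected before any window is opened.
function rejectsCrossOrigin() {
  const dom = makeFakeDom();
  try {
    openAuthPopup("https://evil.example/auth", {}, {
      win: dom.win, doc: dom.doc, siteOrigin: "https://forum.example",
    });
    return false;
  } catch (e) {
    return dom.opened.length === 0;
  }
}
```

In a real page the caller passes `window` and `document` as `win` and `doc`; the popup page itself should be static so that loading it neither consumes nor rotates any CSRF token, which is the failure mode the revert above describes.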

I’ll get this sorted later this week. Removing the popup auth feature should remove any need for this workaround.

3 Likes