This PR upgrades our pan-domain-authentication (panda) libraries to v4, which is a vital step towards our plan to improve key rotation.
How to review and test
Check if this branch is deployed to CODE. If not, deploy to CODE [1].
We want to test that the Panda library can:
(1) verify valid Panda cookies
(2) issue Panda cookies through OAuth
(3) issue cookies that work 'pan domain', i.e. across tools on the same domain (in this case, dev-gutools.co.uk)
(4) but wait this time there's more! login.gutools logs other tools in with panda (which may not be able to issue panda cookies themselves) - we need to test a tool which depends on login.gutools
Choose another tool on the same domain to test with. For example, Composer CODE.
1. Verification
Open the other tool. If the tool asks you to login through Google Auth, log in. This will issue you a Panda cookie. If you are not directed to Google Auth, you already have a Panda cookie to test with.
Open login.gutools on an authed endpoint, e.g. https://login.code.dev-gutools.co.uk/showUser. You should see login.gutools as normal. Check your network tab - you should see no requests to OAuth.
This should give confidence that Panda has verified your cookie.
2. Issuing
Open login.gutools again on an authed endpoint, e.g. https://login.code.dev-gutools.co.uk/showUser.
In the DevTools, under the Application panel, you can find the Panda cookie. It has the name gutoolsAuth-assym.
Delete the cookie, and refresh the page. You should see login.gutools as normal [2]. Check the network tab. You should see a request to OAuth.
Check the Application tab again. You should have a new gutoolsAuth-assym cookie - though it looks very similar to the old one!
This should give confidence that Panda has issued you a cookie.
3. Pan-Domain
Open the other tool.
You should see the tool as normal. Check your network tab - you should see no requests to OAuth.
This should give confidence that your new cookie (issued by login.gutools) works across the domain [3].
4. Dependent tools
Open a tool that depends on login.gutools, e.g. GuDocs CODE. Does it 'issue' and 'verify' cookies as above? If you delete the panda cookie, and refresh, does it make a successful request to login.gutools and show you GuDocs? Does this cookie work pan-domain?
Footnotes
[1] You can also test this locally, but you will need to test with another local tool. CODE and local are scoped to different domains (.code.dev-gutools.co.uk and .local.dev-gutools.co.uk).
[2] If you are redirected to Google Auth, then your Auth session with Google may have expired. This is fine. Log in through Google Auth and repeat the test. If it keeps directing you to Google Auth, then there may be an issue!
[3] If you check the Application tab in the other tool, you might find the cookie has changed! This is still the same cookie, but it has been slightly edited. Each tool you access with the cookie will be added to the cookie's authedIn list. The edits are hard to see as the cookie is encrypted. If you check the first tool again, you will see the cookie has stabilised.