Upgrade to panda v4 #80

Merged
merged 1 commit into from
Jul 25, 2024


@Fweddi Fweddi commented Jul 22, 2024

This PR upgrades our pan-domain-authentication (panda) libraries to v4, which is a vital step towards our plan to improve key rotation.

How to review and test

Check if this branch is deployed to CODE. If not, deploy to CODE[1].

We want to test that the Panda library can:
(1) verify valid Panda cookies
(2) issue Panda cookies through OAuth
(3) issue cookies that work 'pan domain', i.e. across tools on the same domain (in this case, dev-gutools.co.uk)
(4) but wait this time there's more! login.gutools logs other tools in with panda (which may not be able to issue panda cookies themselves) - we need to test a tool which depends on login.gutools

Choose another tool on the same domain to test with. For example, Composer CODE.

1. Verification

Open the other tool. If the tool asks you to log in through Google Auth, log in. This will issue you a Panda cookie. If you are not directed to Google Auth, you already have a Panda cookie to test with.

Open login.gutools on an authed endpoint, e.g. https://login.code.dev-gutools.co.uk/showUser. You should see login.gutools as normal. Check your network tab - you should see no requests to OAuth.

This should give confidence that Panda has verified your cookie.

2. Issuing

Open login.gutools again on an authed endpoint, e.g. https://login.code.dev-gutools.co.uk/showUser.

In the DevTools, under the Application panel, you can find the Panda cookie. It has the name gutoolsAuth-assym.

Delete the cookie, and refresh the page. You should see login.gutools as normal[2]. Check the network tab. You should see a request to OAuth.

Check the Application tab again. You should have a new gutoolsAuth-assym cookie - though it looks very similar to the old one!

This should give confidence that Panda has issued you a cookie.

3. Pan-Domain

Open the other tool.

You should see the tool as normal. Check your network tab - you should see no requests to OAuth.

This should give confidence that your new cookie (issued by login.gutools) works across the domain[3].

4. Dependent tools

Open a tool that depends on login.gutools, e.g. GuDocs CODE. Does it 'issue' and 'verify' cookies as above? If you delete the panda cookie, and refresh, does it make a successful request to login.gutools and show you GuDocs? Does this cookie work pan-domain?

Footnotes

  1. You can also test this locally, but you will need to test with another local tool. CODE and local are scoped to different domains (.code.dev-gutools.co.uk and .local.dev-gutools.co.uk).

  2. If you are redirected to Google Auth, then your Auth session with Google may have expired. This is fine. Log in through Google Auth and repeat the test. If it keeps directing you to Google Auth, then there may be an issue!

  3. If you check the Application tab in the other tool, you might find the cookie has changed! This is still the same cookie, but it has been slightly edited. Each tool you access with the cookie will be added to the cookie's authedIn list. The edits are hard to see as the cookie is encrypted. If you check the first tool again, you will see the cookie has stabilised.
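
Why the cookie from step 3 reaches other CODE tools but not local ones (footnote 1), shown as an added example that is not part of this PR or of the panda library: RFC 6265 domain matching run over constructed hostnames. Only login.code.dev-gutools.co.uk and the two cookie domains come from the PR description; the other hostnames are hypothetical.

```javascript
// Added example: RFC 6265 section 5.1.3 domain-match, applied to the cookie
// scopes named in footnote 1. Not code from the PR or from panda.

// Normalise a cookie Domain attribute: lower-case, leading dot ignored.
function normaliseCookieDomain(domainAttr) {
  return domainAttr.trim().toLowerCase().replace(/^\./, '');
}

// IP literals never suffix-match a cookie domain (only an exact match counts).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// True when a browser would send a cookie scoped to `domainAttr` to `host`.
function domainMatches(host, domainAttr) {
  const h = host.toLowerCase();
  const d = normaliseCookieDomain(domainAttr);
  if (d === '') return false;
  if (h === d) return true;
  // A suffix match only counts on a label boundary ("." before the domain).
  return !isIpLiteral(h) && h.endsWith('.' + d);
}

// Filter a list of tool hosts down to those that would receive the cookie.
function hostsReceivingCookie(hosts, domainAttr) {
  return hosts.filter((h) => domainMatches(h, domainAttr));
}

// Constructed sample hosts for illustration.
const SAMPLE_HOSTS = [
  'login.code.dev-gutools.co.uk',    // from the PR description
  'composer.code.dev-gutools.co.uk', // hypothetical second CODE tool
  'login.local.dev-gutools.co.uk',   // hypothetical local instance
  'notcode.dev-gutools.co.uk',       // hypothetical: string suffix, wrong label boundary
];

for (const scope of ['.code.dev-gutools.co.uk', '.local.dev-gutools.co.uk']) {
  console.log(scope, '->', hostsReceivingCookie(SAMPLE_HOSTS, scope));
}
```

The label-boundary check is what keeps a host such as notcode.dev-gutools.co.uk from receiving a cookie scoped to .code.dev-gutools.co.uk.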

@Fweddi Fweddi marked this pull request as ready for review July 23, 2024 15:02

@phillipbarron phillipbarron left a comment


Checked on CODE, all looks good.

@Fweddi Fweddi merged commit afb4e53 into main Jul 25, 2024
1 check passed
@Fweddi Fweddi deleted the fp/upgrade-panda-to-v4 branch July 25, 2024 08:39
@prout-bot

Seen on PROD (merged by @Fweddi 4 minutes and 15 seconds ago) Please check your changes!
