Upgrade panda to v4 #194
Merged
Upgrade panda to v4 #194
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rhystmills
approved these changes
Jul 22, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR upgrades our pan-domain-authentication (panda) libraries to v4, which is a vital step towards our plan to improve key rotation.
How to review and test
Check if this branch is deployed to CODE. If not, deploy to CODE1.
We want to test that the Panda library can:
(1) verify valid Panda cookies
(2) issue Panda cookies through OAuth
(3) issue cookies that work 'pan domain', i.e. across tools on the same domain (in this case, dev-gutools.co.uk)
Choose another tool on the same domain to test with. For example, Composer CODE.
1. Verification
Open the other tool. If the tool asks you to login through Google Auth, log in. This will issue you a Panda cookie. If you are not directed to Google Auth, you already have a Panda cookie to test with.
Open Story Packages. You should see Story Packages as normal. Check your network tab - you should see no requests to OAuth.
This should give confidence that Panda has verified your cookie.
2. Issuing
Open Story Packages.
In the DevTools, under the Application panel, you can find the Panda cookie. It has the name
gutoolsAuth-assym:Delete the cookie, and refresh the page. You should see Story Packages as normal2. Check the network tab. You should see a request to OAuth.
Check the Application tab again. You should have a new
gutoolsAuth-assymcookie - though it looks very similar to the old one!This should give confidence that Panda has issued you a cookie.
3. Pan-Domain
Open the other tool.
You should see the tool as normal. Check your network tab - you should see no requests to OAuth.
This should give confidence that your new cookie (issued by Story Packages) works across the domain3.
Footnotes
You can also test this locally, but you will need to test with another local tool. CODE and local are scoped to different domains (
.code.dev-gutools.co.ukand.local.dev-gutools.co.uk). ↩If you are redirected to Google Auth, then your Auth session with Google may have expired. This is fine. Log in through Google Auth and repeat the test. If it keeps directing you to Google Auth, then there may be an issue! ↩
If you check the Application tab in the other tool, you might find the cookie has changed! This is still the same cookie, but it has been slightly edited. Each tool you access with the cookie will be added to the cookie's
authedInlist. The edits are hard to see as the cookie is encrypted. If you check the first tool again, you will see the cookie has stabilised. ↩