Internal Proxy Cookies & docker-latest

[tamaskan]

According to https://stackoverflow.com/questions/47870786/express-proxy-api-calls-with-cookie it seems possible to add the cookies from the initial request to the proxy request, therefore enabling cookie-based sso

The :latest seems to point to version 0.26 (probably because of the breaking changes). That should be mentioned

[goniszewski]

Hi @tamaskan! Let me look into it shortly. Thank you for spotting this possible improvement.

As for the Docker tags, 0.3.0, 0.3, latest, and main are pointing to the same image at the moment.

[tamaskan]

Shouldn't they have the same digest then ? https://hub.docker.com/r/goniszewski/grimoire/tags

[goniszewski]

As I can see in the CI log on GitHub, the push to the main branch and an actual release fired the workflow separately. Because of the different SHA of those commits, the digest value also differs.:

• https://github.com/goniszewski/grimoire/actions/runs/8493669976
• https://github.com/goniszewski/grimoire/actions/runs/8493674783

[tamaskan]

Thanks for clarifying. I was wondering why the package.json on main is still on 0.2.6 ( https://github.com/goniszewski/grimoire/blob/main/package.json )

[goniszewski]

@tamaskan it should be updated automatically, but for some reason wasn't.

I looked into the documentation, and it looks like cookies are always passed to the proxy request. We don't need to overwrite them. Or maybe do you have something different in mind?

[tamaskan]

I think i found my issue. In pb.ts it seems that only an internal pocketbase-installation can be used when is_dev is true

[goniszewski]

I see there's a wrong port being specified for the default on DEV: should be http://localhost:8090 instead of `http://localhost:5173".

It's now fixed on latest and main. Sorry for that!

As for the logic behind PB URLs for specified environments:

• production: defaults to proxy (<PUBLIC_ORIGIN>/internal/pb) which then uses PUBLIC_POCKETBASE_URL if set or defaults to http://pocketbase (default PB container host using internal Docker network)
• development: doesn't use proxy, but directly connects to PUBLIC_POCKETBASE_URL if set or defaults to http://localhost:8090

[tamaskan]

I see. My problem is that executing an internal call to <PUBLIC_ORIGIN>/internal/pb is missing the cookies to bypass the sso on this url

[goniszewski]

Ok, I thought it was a problem with the auth cookie for PocketBase auth.

We can add some way to inject additional headers. The simplest solution would be to store stringified representation of additional headers in .env file, and then just parse and inject it. But maybe there's a more elegant way to do it :)

[tamaskan]

that would be a beautiful solution :-)

[goniszewski]

@tamaskan could you review the changes from the linked PR? If yes, it would be great to have your opinion on this implementation!

[tamaskan]

isn't it missing the variable-assignment in dockerfile ?

[goniszewski]

Yes, indeed 😄 Fixed!

[tamaskan]

I was able to build the branch with "--no-cache" in Dockerfile (segfaulting without).
It wasn't working until i added the headers to the initial pocketbase-connection like this pocketbase/pocketbase#2618 in src/lib/pb.ts . I am currently not able to test it further (heritage yee is not an object or null-error)

[goniszewski]

@tamaskan the error you're referring to, heritage yee, should be now resolved in https://github.com/goniszewski/grimoire/releases/tag/v0.3.3.