Closed
Commits:
- SQUASHME: client creation in Nav
- rename contentful implementation file
- remove unnecessary type declaration
- don't override page data with the document; pass query to frontend
- rename contentful/client to contentful/graphqlClient
Commits:
- ignore unused vars that start with _
- improve server loading
- enable previewing in nav graphql query
- WIP fix import
- add management client to try block
- delete cookie on logout
- don't store the user token in localStorage; let it expire
- fix oauth callback page
- make sure user is activated
- add some debug logging
- decode the cookie values
- fiddling with the cookie
- move logout logic to an action
- use sveltekit's fetch function instead of global fetch when possible
- debugging
- reduce token scope
- can we use the user's token instead of a global one?
- move codegen config; separate schema and schema type generation
- switch default scalar type to "unknown" to avoid "any" pollution
- update package scripts to generate schema types correctly
- make preview authentication universal
- let contentful embed the site
- fix package scripts
- throw preview authentication errors in layout not handler
- fix broken oauth link
- request correct token
- WIP disable layout error
- WIP catch preview auth errors with an actual layout
- import component
- remove unused preview client
- add missing baseURL variable
- stop throwing errors in the root layout
- make errors more detailed
- silly mistake
- another silly mistake
- set CSP in a hook in addition to vercel settings
- try it again
- try with x-frame-options
- allow cookies to pass to frame
- fix sameSite setting
- WIP does this work
- fix cookie samesite handling
- tighten up CSP
- improve CSP headers
- create the server-side contentful client in a single place
- add previewing to all gql queries

Force-pushed from 1f5d042 to 9f42117.
Coverage after merging benaiah/server-side-previewing into benaiah/graphql-contentful-client will be
Coverage Report
Reports for 1aa1a84 have been deployed to Vercel.
Force-pushed from fd33529 to c840cf8.
Force-pushed from ff5e920 to b63a6ff.
Closing in favor of the rebased version (with a lot more added), #274.
Jira ticket: LDAF-201
We want to allow content editors to view the site with unpublished changes applied.
Proposed changes
- `handleToken` and uses `locals` to pass it to the server-side `load` functions.
- The `handleToken` server hook, if the `preview` query parameter is present and an access token is provided (either as a `ldafUserToken` cookie or as an `Authorization: Bearer ...` header), creates a Contentful client that uses the preview API token and automatically adds a `preview` variable with the value `true` to all GraphQL requests.

Screenshots
Logged out:
Upon clicking the "Login" button:
After approving the login on Contentful's side and going through the login flow:
Video of the login flow:
loginflow-1.mov
Acceptance criteria validation
Other details
Alternate solutions
We could store the user's management API token and "whether they have been authenticated or not" in a persistent cache like Redis. This would have the advantage of not exposing a Contentful Management API token in a JS-accessible cookie that has to use `SameSite=None` to work in the Contentful preview pane.

We could make the cookie inaccessible to JS by introducing another request on login whose response includes `Set-Cookie` with the `HttpOnly` flag.

Possible drawbacks

iframe, so the cookie returned by the OAuth login flow must be set to `SameSite=None` to include it in cross-origin requests (which includes requests made by an `iframe` embedded in another domain). On top of that, the current implementation uses a JS-accessible cookie. This is rather insecure, because we are sending the authorization cookie on requests to third-party domains, and any JS in the page has access to the API token. To make things worse, this is a Contentful Management API token (not a delivery token), so it has write access to Contentful equivalent to the user it was created for.

Requested feedback
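The following is an added example, not code from this PR or the project, that sketches the preview gate the description outlines together with the cookie and framing headers discussed under "Alternate solutions" and "Possible drawbacks". The `preview` query parameter, the `ldafUserToken` cookie and the `Authorization: Bearer` header are taken from the PR; the environment variable names, the shape of the Contentful GraphQL endpoint, the injected `verifyEditor` callback (standing in for the "make sure user is activated" check against Contentful with the user's own token) and the Contentful web app origin used in the demo are assumptions. Two points it makes concrete: the user's management token is used only to decide whether preview is allowed, while every request to Contentful carries the server-held preview or delivery token; and the cookie is issued `HttpOnly; Secure; SameSite=None`, which removes JS access (the PR's second alternate solution) while still letting the Contentful preview iframe send it. Note that `SameSite=None` makes browsers attach the cookie to cross-site requests made to this site, including from any page allowed to embed it, so the `frame-ancestors` allow-list is also what bounds that surface; `X-Frame-Options` cannot express an allow-list of origins, which is why the example sets only the CSP.

```javascript
// Added example, not the PR's code. `ldafUserToken`, `preview` and the bearer
// header are from the PR description; env names, the endpoint form and
// `verifyEditor` are assumptions.

const PREVIEW_COOKIE = 'ldafUserToken'; // cookie name from the PR description
const PREVIEW_PARAM = 'preview';        // query parameter from the PR description

// Read a header from a fetch-style Headers object or a plain lowercase-keyed object.
function header(headers, name) {
  return typeof headers.get === 'function' ? headers.get(name) : (headers[name] ?? null);
}

// Minimal Cookie header parser: "a=1; b=2" -> Map { a => "1", b => "2" }.
function parseCookies(cookieHeader) {
  const out = new Map();
  for (const part of (cookieHeader || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out.set(part.slice(0, i).trim(), decodeURIComponent(part.slice(i + 1).trim()));
  }
  return out;
}

// Work out whether preview was requested and which user token (if any) came with it.
// The token is accepted only from the cookie or the bearer header, never from the URL,
// so it cannot leak into logs, referrers or browser history.
function resolvePreview(request) {
  const requested = new URL(request.url).searchParams.has(PREVIEW_PARAM);
  const bearer = /^Bearer\s+(\S+)$/i.exec(header(request.headers, 'authorization') || '');
  const token = bearer
    ? bearer[1]
    : (parseCookies(header(request.headers, 'cookie')).get(PREVIEW_COOKIE) ?? null);
  return { requested, token };
}

// Gate a request: 401 when preview is requested without a token, 403 when the
// token does not belong to an activated editor, otherwise allow. `verifyEditor(token)`
// is assumed to check the user against Contentful with the user's own token; it is
// injected so this module runs offline.
function gatePreview(request, verifyEditor) {
  const { requested, token } = resolvePreview(request);
  if (!requested) return { preview: false };
  if (token === null) return { preview: false, error: 401 };
  if (!verifyEditor(token)) return { preview: false, error: 403 };
  return { preview: true };
}

// Build the GraphQL request for the server-side client. Only the server-held
// Contentful token is used; the user's management token never reaches Contentful
// from here. `preview` is merged into every query's variables, so queries declare
// `$preview: Boolean` and pass it to their collection fields.
function buildContentfulRequest(query, variables, preview, env) {
  const token = preview ? env.CONTENTFUL_PREVIEW_TOKEN : env.CONTENTFUL_DELIVERY_TOKEN; // assumed names
  return {
    url: `https://graphql.contentful.com/content/v1/spaces/${env.CONTENTFUL_SPACE_ID}`, // assumed form
    headers: { 'content-type': 'application/json', authorization: `Bearer ${token}` },
    body: JSON.stringify({ query, variables: { ...variables, preview } }),
  };
}

// Set-Cookie value for the user token: HttpOnly keeps it out of page JS, Secure is
// required for SameSite=None to be accepted, and SameSite=None is what lets the
// Contentful preview iframe send it cross-site.
function previewTokenCookie(token, maxAgeSeconds) {
  return [`${PREVIEW_COOKIE}=${encodeURIComponent(token)}`, 'Path=/', `Max-Age=${maxAgeSeconds}`,
    'HttpOnly', 'Secure', 'SameSite=None'].join('; ');
}

// Matching logout cookie: Max-Age=0 deletes it, and the attributes must match the original.
function clearPreviewTokenCookie() {
  return `${PREVIEW_COOKIE}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=None`;
}

// Allow embedding only by the listed origins. CSP frame-ancestors is the only header
// that can express an origin allow-list (X-Frame-Options ALLOW-FROM is obsolete), so
// no X-Frame-Options value is emitted alongside it.
function embedHeaders(allowedEmbedders) {
  return { 'content-security-policy': `frame-ancestors 'self' ${allowedEmbedders.join(' ')}` };
}

// Demo on a constructed request (not captured traffic); the embedder origin is assumed.
const demo = gatePreview(
  { url: 'https://site.example/page?preview', headers: { cookie: 'ldafUserToken=user-token-123' } },
  (t) => t === 'user-token-123',
);
console.log(demo, previewTokenCookie('user-token-123', 3600), embedHeaders(['https://app.contentful.com']));
```

In a SvelteKit hook the `gatePreview` result would be placed on `event.locals` (as the PR does with `locals`) and the 401/403 turned into the layout error the commits describe, while `buildContentfulRequest` is what the single server-side client would send for every query.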