#ring
2020-07-09
synthomat 12:07:26

Hey, I have a rather weird bug: after authentication with friend, the browser (sometimes?) redirects to /favicon.ico – I don’t have a favicon in my code and this error also happens from time to time in my other projects; is this a known ring issue, does it have to do with order of middlewares or is it connected to friend-auth? I can’t find a reason for this behaviour; does someone have an idea? – Thank you!

jumar 18:07:27

Browsers often request favicon.ico to display it as a mini-icon in the browser tab, but I don't see a reason why you should be explicitly redirected there. We use both friend and ring and I've never seen such behavior.

synthomat 21:07:09

so after a successful login the POST /login endpoint returns a 303, and a location header pointing to the favicon file 😐

synthomat 22:07:46

seems like :default-landing-uri of friend is being ignored when this favicon thingy kicks in… on a subsequent login, it works as expected

synthomat 22:07:28

just looking at the session data, there is :cemerick.friend/unauthorized-uri … I don’t even…

seancorfield 22:07:35

@synthomat So a request is being made for the favicon before you've auth'd -- which makes sense. I would recommend setting up auth so /favicon.ico is allowed through without requiring auth -- make it an exempt route.

synthomat 22:07:28

oh god, no please…

synthomat 22:07:52

just found this out myself :man-facepalming:

synthomat 22:07:13

had to inject a logging middleware to find out what’s going on…

synthomat 22:07:37

so friend stores the originally requested resource before the authentication page kicks in to conveniently redirect the user back to the original request after successful authentication; but because (technically) favicon.ico happens to be the latest requested resource, friend redirects the user to that file after successful authentication

synthomat 22:07:43

mind -> blown

seancorfield 22:07:07

I only know because it has bitten me countless times in various situations and so now I always make sure that URL is readable regardless of auth/login stuff...

synthomat 22:07:47

wouldn’t it be better if friend stored the redirect url in a query parameter like many other libs do instead of in the session?

synthomat 22:07:02

good point @seancorfield, I now just added a fake favicon to my resource folder and it seems to do the trick; friend does not intercept because it’s a file that can actually be fetched

seancorfield 22:07:40

(I've never used Friend or Buddy or any other Clojure auth lib)