/forest/sessions returns 404 unable to log in/unlock data

Feature(s) impacted

  • Access to forest admin app, user login, cannot unlock data.
  • forest_liana rails gem

Observed behavior

Cannot unlock data, error is returned from rails app. 404 to route myappurl/forest/sessions


Expected behavior

Able to unlock data.

Failure Logs



I have a Rails app that I am trying to update from the forest_liana v5 gem.

My Rails version is v5, my Ruby version is 2.6.8 - all is in progress of rewrite to update, not relevant to issue. forest_liana v5 working fine.

Have attempted both forest_liana versions 6.6.3 and 7.7 - both have same issue.

Have followed upgrade documentation from v5 to v6.

/forest/ is mounting, as I was able to call the route /forest/authentication/callback via curl to generate the JWT needed for client_id that is requested in the upgrade documentation Upgrade to v6 - Developer guide

CORS is setup and working as expected.

This is a Heroku staging environment, paths redacted, all env vars appear correct.

My routes are mounted as they were in v5 and earlier mount ForestLiana::Engine => '/forest'

This app has been using Forest for over 5 years now, and updated progressively through that time. Could newer versions have introduced something different that is absent from the upgrade docs?

Help please, I’m stuck!

Hello @webdev.kiwi,

Thanks for your feedback! We will try to understand and solve your problem as soon as possible. Can you tell me what your project name is, please? :pray:

Kind regards,


Hello @Florian_Gonzales,

Thanks for your reply, the project name is ihub-api

Hello @webdev.kiwi

The /forest/session route no longer exists on versions >=6.
It seems that the frontend does not recognize the gem update.
Did you push the .forestadmin-schema.json file into production?

The file contains the version number. Here is an example:
Screenshot 2022-10-07 at 16.18.01

Hello @matthv

This schema file is out of date. I believe that we only introduced this file when upgrading to v5.


Would you know the expected workflow for how this file is generated and updated as models change?

Using the regular bundle type commands to update the gems did not update this file, and I did not see reference to this in the documentation Upgrade to v6 - Developer guide

Please excuse my misunderstanding of workflow, we only recently upgraded to v5, we had used a much earlier version for many years prior.

I have manually updated the liana_version version to 7.7.0 in the .forestadmin-schema.json, this matches the gem version installed. While my issue has not resolved, the symptoms have changed.


The CORS rules are set inline with that described in the Upgrade to v6 - Developer guide documentation.


Thank you for your assistance

On the development environment the file is automatically generated when you start your rails server application (rails server).
(You must also check that the cache is active on this environment ‘rails dev:cache’)

Otherwise you can also force the generation of this file via the command rails forest:send_apimap

Regarding the CORS configuration, I don’t recommend leaving * for the origins parameter.

Thanks for your response @matthv

I think I may be misunderstanding the outcome of rails dev:cache, to enable caching in a development environment. I have run this command with no effect. We do not wish to enable caching in production, and the production API has multiple instances and is behind a load balancer, serving mobile applications and SPAs from unknown origins.

This is being pushed onto a staging server, which is only a single instance and not load balanced, however I followed the instruction to generate the client_id for that domain, and those calls are successful.

If I look into the console for forest, there are 500s being returned.

Could you also share the browser console tab. It might help to understand the issue :pray:

Thanks matthv, sorry I am not sure I understand to share the browser console tab, is that in my last post?

I have also tried setting up a new forest project, and following the guide in a new rails project to see if there was difference. I am also unable to connect in that instance. The screen is stuck on “waiting for your backend to run…”, which it is. I then refresh the page and simply get stuck at this point.

This is a “development” environment following the new project setup guide exactly. I have also noted that the setup does not step through various steps that the upgrade to v6 docs mentioned, such as requiring an application_url set in secrets.yml or a client_id, or making any changes to CORS configuration.

I can see by tailing the production logs that the forest_liana 7.7.0 gem throws error,

As reference for anyone encountering similar issues, I have a progress update.

While I was not able to get a ‘development’ environment working through the setup tutorial for creating a new rails forest project with my specific codebase, I have a staging environment connecting to a new ‘project’ I have created in forest admin that was created for testing. We will need to make some architectural changes for production which we are in process of discussing.

There was an issue with an earlier version of rack-cors we were running (0.4.1), updating this to 1.1.1, with some other changes to our cors config has led to successfully connecting using the forest_liana 7.70 gem.

There is a caveat to this setup. Forest admin requires that credentials: true is set in the rack-cors config, while rack-cors: 1.1.1 does not allow wildcard origins '*' and credentials: true to be set at the same time, the app will not start and will crash with an error informing so. Understandable security concerns with credentials: true, your app will run with credentials: false and origins '*' but you will not be able to unlock your data in forest.

This will be a limitation for some where their API is public. There are ways around this, such as running a separate instance of the app for forest admin with a differing cors config, or standing up another app for the public API that acts as a proxy, and other ideas you may have. This is not advice on what you should do to address this, that will be up to your own business requirements.

If you are running an ionic Mobile app, see CORS Errors: Cross-Origin Resource Sharing - Ionic Documentation for details on the ports used for your version to set cors config to allow mobile apps to connect (not yet tested for our setup).

We also have a React Native app in development which will require some different config to set cors too, these are expected to be similar, if not the same, to ionic.

If you’re running a native app on iOS or Android, you may need to consider setting up different app instances for forest with a different cors config if your native app framework enforces cors. Same will go for desktop and Electron type apps, you will need to investigate further if you experience any issues there.

known working versions:
Ruby: 2.6.x
Rails: 5.2.x
Rack-cors: 1.1.1
forest_liana: 7.7.0

Your rack-cors config will need to match the following exactly, with only changes to append additional known origins you may have, and/or pass those in with the environment variable CORS_ORIGINS.

Did you manage to solve the problem also on your project? :slight_smile:

About CORS as you indicate you can’t leave origins ‘*’ with credentials at ‘true’.
More information here: Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*' - HTTP | MDN
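
The wildcard/credentials rule discussed above, as an added example that is not code from this thread, from rack-cors or from the Forest Admin documentation: a plain-Ruby check that builds an explicit origin allowlist from a `CORS_ORIGINS`-style value and refuses `*` when credentials are enabled. The function names, the sample origins and the `FOREST_ORIGIN` value are assumptions made for illustration.

```ruby
require 'uri'

# Assumed Forest Admin UI origin; confirm it against your own project settings.
FOREST_ORIGIN = 'https://app.forestadmin.com'

# Turn a CORS_ORIGINS-style comma-separated string into an explicit allowlist.
# Raises on '*' because responses will carry Access-Control-Allow-Credentials: true.
def build_allowlist(env_value, base: [FOREST_ORIGIN])
  extra = env_value.to_s.split(',').map(&:strip).reject(&:empty?)
  (base + extra).map do |origin|
    if origin == '*'
      raise ArgumentError, 'wildcard origin is not allowed with credentials: true'
    end
    uri = begin
      URI.parse(origin)
    rescue URI::InvalidURIError
      raise ArgumentError, "not a valid origin: #{origin.inspect}"
    end
    # An origin is scheme://host[:port] only: no path, query or fragment.
    unless uri.scheme && uri.host && uri.path.empty? && uri.query.nil? && uri.fragment.nil?
      raise ArgumentError, "not a valid origin: #{origin.inspect}"
    end
    origin.downcase
  end.uniq
end

# Headers a credentialed CORS response should carry for this request origin.
# Unknown origins get no CORS headers, so the browser blocks the response.
def cors_headers(request_origin, allowlist)
  origin = request_origin.to_s.downcase
  return {} unless allowlist.include?(origin)

  {
    'Access-Control-Allow-Origin' => origin, # echo the exact origin, never '*'
    'Access-Control-Allow-Credentials' => 'true',
    'Vary' => 'Origin'                       # keep caches from mixing origins
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value standing in for ENV['CORS_ORIGINS'].
  allowlist = build_allowlist('https://staging.example.test, capacitor://localhost')
  puts allowlist.inspect
  puts cors_headers('https://staging.example.test', allowlist).inspect
  puts cors_headers('https://unknown.example.test', allowlist).inspect
end
```
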

Thanks for all your assistance @matthv,

From this we have solved our issue with a branch of our rails api hosted on a staging server connecting to a ‘test’ project in forest. I am fairly confident this will be the solution, we’re currently discussing our options of running separate app instances (and CORS config) for forest and public api.
