Impossible to access production environment / Forest Admin Rails

Hi there,

After the new forest admin x Rails, we chose to start again our admin backend from scratch to be sure we won’t have issues … but we have one :

  • The development environment is working perfectly
  • When we deployed to Heroku, we added the 3 env variables (forest_auth_secret, forest_env_secret & forest_application_url), we defined our roles and assigned users to the roles but the production environment is not accessible.

Here’s the error we have :


Here’s what we have in the inspector :

Could you please help ?

Rails : 6.0.3.4
Liana : forest_liana (6.0.1)

Thanks a lot !

Hi @yonitou,

Which browser are you using?
Would you mind trying with a different one (Like Chrome, if it’s not the one you are already using) just to see if the issue is browser related?

Thanks in advance

I’m using Safari.

I tried with both Chrome & Safari and it doesn’t change anything.

I also tried to add a new user but it doesn’t change anything either.

This new error appeared for no reason :

So if I understand this right, these 3 variables are correctly defined in Heroku (with the correct associated values)
FOREST_ENV_SECRET
FOREST_AUTH_SECRET
APPLICATION_URL ?

If that’s so, does config/secrets.yml bind the environment variables to some rails config, like

  forest_env_secret: <%= ENV["FOREST_ENV_SECRET"] %>
  forest_auth_secret: <%= ENV["FOREST_AUTH_SECRET"] %>
  application_url: <%= ENV["APPLICATION_URL"] %>

?

Exactly, the only difference is that the variable APPLICATION_URL is named as FOREST_APPLICATION_URL (in Heroku and in secrets.yml).

We didn’t set this variable name, it was automatically generated when we ran the liana install command line. Do you think it can fix it if we change FOREST_APPLICATION_URL to APPLICATION_URL ?

Pretty sure it’ll not, the essential part being that ForestLiana.application_url (in config/initializers/forest_liana.rb) is actually set with the correct value.

I just did a quick test on my end, but I’m not able to reproduce. Do you have any logs in your rails console on the failing env?

FYI, we tried to create a remote environment with our staging one also and we have exactly the same issue (the only working environment is development), it’s crazy because we started from scratch (and deleted our older project that was on Node.js forest admin) … :confused:

Here are the inspector logs :


Here are the Heroku logs :

Just looked at it again, but still not able to reproduce.

Does config/initializers/forest_liana.rb contain

ForestLiana.env_secret = Rails.application.secrets.forest_env_secret
ForestLiana.auth_secret = Rails.application.secrets.forest_auth_secret
ForestLiana.application_url = Rails.application.secrets.forest_application_url

in your case?
Do you have any extensions that might block third party cookies ?

Yes exactly.

We don’t have anything that blocks third party cookies.

We just created another account to do a new setup from scratch & guess what : forest admin is not working anymore even in development now.

Here’s what we have in the console :


In inspector :

Hello @yonitou,

I’d like to know 2 things about your testing environment:

  • do you deploy multiple instances of your app?
  • did you activate the cache on your environments?

On the first authentication request it receives, forest-rails makes a request to the Forest Admin server to register itself as an OpenID client, and then saves the clientId into the cache.

It is very important that all authentication requests are done using the same clientId throughout the whole authentication process for one user, otherwise the authentication fails.

So, if you are deploying your app to multiple instances, each instance gets a different clientId, and a user can start the authentication process using one instance and finish it by requesting another instance, which leads to an issue.

Similarly, if the cache is not active (we made it more clear in a recent fix), a client id is retrieved for each call, which leads to the same kind of issue.

If you have multiple instances or cannot activate the cache on your application, follow the documentation about static client ids.
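The failure modes described in the post above, as an added example that is not forest-rails code: a simplified model in which every class and method name is hypothetical, showing why a login that starts and finishes with different client ids fails.

```ruby
# Hypothetical stand-in for the registration endpoint: each call issues a new client id.
class RegistrationServer
  def initialize; @count = 0; end
  def register; "client-#{@count += 1}"; end
end

# Per-process cache: keeps the first value computed for a key.
class MemoryStore
  def initialize; @data = {}; end
  def fetch(key)
    @data.key?(key) ? @data[key] : (@data[key] = yield)
  end
end

# Disabled cache: never keeps anything, so the block runs on every call.
class NullStore
  def fetch(_key); yield; end
end

# Hypothetical model of one running app instance (for example one dyno).
class Instance
  def initialize(server, cache)
    @server = server
    @cache = cache
  end

  def client_id
    @cache.fetch("client_id") { @server.register }
  end

  # Step 1 of the login: returns the client id the flow was started with.
  def start_login; client_id; end

  # Step 2, the callback: succeeds only if this instance uses the same client id.
  def finish_login(started_with); client_id == started_with; end
end

def login_succeeds?(first, second)
  second.finish_login(first.start_login)
end

def scenarios
  server = RegistrationServer.new
  shared = MemoryStore.new
  single = Instance.new(server, NullStore.new)
  { separate_caches: login_succeeds?(Instance.new(server, MemoryStore.new), Instance.new(server, MemoryStore.new)),
    shared_cache: login_succeeds?(Instance.new(server, shared), Instance.new(server, shared)),
    cache_disabled: login_succeeds?(single, single) }
end

p scenarios if __FILE__ == $PROGRAM_NAME
```

Only the shared-cache case completes the login; a static client id has the same effect because every instance then presents the same value.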

Hi @yonitou,

Thank you for your feedback. We are still trying to reproduce it, but are not able to at this time.

Just to have more insights of your last setup done from scratch.

  • Did you add the following code in the file /config/initializers/forest_liana.rb ?
ForestLiana.application_url = Rails.application.secrets.forest_application_url
  • Also, have you set forest_application_url variable in the config/secrets.yml ?

  • Finally, have you run the command ?

rails dev:cache

We value your feedback, thanks in advance.

Hi guys,

Thanks for your replies.

@morganperre : yes we set the application_url as you described. We also ran rails dev:cache (which is enabling cache in development).

@GuillaumeGautreau We are deploying our application to a staging app and then production (via Heroku Pipeline). We didn’t know about this clientId thing so we tried to make a new setup from scratch by setting one static clientId for development and another one for production (which we copied and pasted into Heroku env variables) but it’s still not working.

On our last try, we successfully established a connection on development but still impossible in production. Do we need to do something to activate some cache mode we don’t know in production ?

Thanks again (let’s have a call / screen sharing if you can)

Hello,

We are working on a fix on forest-rails. As seen yesterday during a screen-sharing session, the liana sends cookies with the option SameSite=Lax whereas it should send SameSite=None. This difference makes the browser ignore this cookie.

We’ll keep you updated when the fix is released.
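A way to check Set-Cookie headers for the SameSite problem described above, as an added example that is not part of the original post or of forest-rails. It assumes the cookie must travel on cross-site XHR/fetch requests and uses a simplified model of browser SameSite handling; the cookie name and sample headers are constructed.

```ruby
# Parse a raw Set-Cookie header value into the attributes relevant to SameSite.
def parse_set_cookie(header)
  name_value, *attrs = header.split(";").map(&:strip)
  name, _value = name_value.split("=", 2)
  parsed = { name: name, secure: false, same_site: nil }
  attrs.each do |attr|
    next if attr.empty?
    key, val = attr.split("=", 2)
    case key.downcase
    when "secure" then parsed[:secure] = true
    when "samesite" then parsed[:same_site] = val.to_s.downcase
    end
  end
  parsed
end

# Would a browser attach this cookie to a cross-site XHR/fetch request?
def cross_site_verdict(header)
  cookie = parse_set_cookie(header)
  case cookie[:same_site]
  when "none"
    # SameSite=None is only accepted together with the Secure attribute.
    cookie[:secure] ? :sent : :rejected_none_without_secure
  when "strict" then :withheld_strict
  when "lax" then :withheld_lax
  else :withheld_default_lax # assumption: the browser applies the Lax default
  end
end

# Constructed sample headers, not captured from a real deployment.
SAMPLE_HEADERS = [
  "example_session=abc123; Path=/; HttpOnly; SameSite=Lax",
  "example_session=abc123; Path=/; HttpOnly; SameSite=None",
  "example_session=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "example_session=abc123; Path=/; HttpOnly"
].freeze

def audit(headers)
  headers.map { |header| cross_site_verdict(header) }
end

p audit(SAMPLE_HEADERS) if __FILE__ == $PROGRAM_NAME
```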

Hello again,

We just released forest-rails version 6.0.2 that should fix your issue. Can you please test with this fix and confirm that you can correctly authenticate on your project?

Hi Guillaume

Thanks for your speed.

We updated forest-rails to 6.0.2. My collaborator succeeded in accessing the production environment but when he tried to add me, I have the same issue as yesterday.

Could you help?

It’s getting quite urgent for us to make it work :confused:

Hello, we saw it together during a screen sharing session @yonitou. Can you confirm that everything is working as expected?

Yes working perfectly ! Thanks for all your time :slight_smile:

Hello @yonitou,

We just released 3 versions of agents that will fix the issue you had with both Safari and Chrome in incognito mode:

  • forest-express-sequelize@7.0.1
  • forest-express-mongoose@7.0.2
  • forest_liana@6.0.3

Could you please test if the appropriate version for your project is fixing your issue? You should be able to check again the privacy option to reject 3rd party cookies in Safari.