Issues with upgrade to v6 for a Rails app

I’ve followed the upgrade guide: Upgrade to v6 - Documentation, and I was able to successfully log in to Forest and access the data for my local environment, but when I deployed the upgrade changes to one of my testing environments I was no longer able to access any data in Forest for that environment and I was getting 401 authorization errors.

Expected behavior

Should be able to log in to Forest, select my testing environment and access the data.

Actual behavior

In a banner, the following error is presented:

"You have been disconnected

An error occurred while accessing your data.

Please check that the agent is running, and that your browser accepts third-party cookies."

And due to this I’m not able to access the data in Forest for the testing environment.

Failure Logs

In the Rails backend the information related to the authorization errors is the following:

Request log:

{
  "level": "info",
  "dt": "2021-03-03T13:04:06.895128Z",
  "message": "Started GET \"/forest/Address\"",
  "event": {
    "http_request_received": {
      "body": null,
      "content_length": null,
      "headers_json": "{\"Version\":\"HTTP/1.1\",\"Host\":\"raylo-api-pr-2277.herokuapp.com\",\"Connection\":\"close\",\"Sec_Ch_Ua\":\"\\\"Google Chrome\\\";v=\\\"89\\\", \\\"Chromium\\\";v=\\\"89\\\", \\\";Not A Brand\\\";v=\\\"99\\\"\",\"Accept\":\"application/json\",\"Sec_Ch_Ua_Mobile\":\"?0\",\"User_Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36\",\"Origin\":\"https://app.forestadmin.com\",\"Sec_Fetch_Site\":\"cross-site\",\"Sec_Fetch_Mode\":\"cors\",\"Sec_Fetch_Dest\":\"empty\",\"Referer\":\"https://app.forestadmin.com/\",\"Accept_Encoding\":\"gzip, deflate, br\",\"Accept_Language\":\"en-GB,en-US;q=0.9,en;q=0.8\",\"X_Request_Id\":\"dc24d731-970a-4d5e-8b0b-271390431ee0\",\"X_Forwarded_For\":\"86.170.153.163\",\"X_Forwarded_Proto\":\"https\",\"X_Forwarded_Port\":\"443\",\"Via\":\"1.1 vegur\",\"Connect_Time\":\"1\",\"X_Request_Start\":\"1614776646891\",\"Total_Route_Time\":\"0\"}",
      "host": "raylo-api-pr-2277.herokuapp.com",
      "method": "GET",
      "path": "/forest/Address",
      "port": 443,
      "query_string": "fields%5BAddress%5D=id%2Cline1%2Cline2%2Cline3%2Cpostcode%2Cregion%2Ccity%2Ccountry%2Ccreated_at%2Cupdated_at\u0026fields%5Bcountry%5D=name\u0026page%5Bnumber%5D=1\u0026page%5Bsize%5D=5\u0026searchExtended=0\u0026sort=-id\u0026timezone=Europe%2FLondon",
      "request_id": "dc24d731-970a-4d5e-8b0b-271390431ee0",
      "scheme": "https",
      "service_name": null
    }
  },
  "context": {
    "system": {
      "hostname": "39bf3210-1d8f-4ee6-a1a5-d7e280fa62b3",
      "pid": 4
    },
    "runtime": {
      "thread_id": 79420
    },
    "http": {
      "host": "raylo-api-pr-2277.herokuapp.com",
      "method": "GET",
      "path": "/forest/Address",
      "remote_addr": "REMOTE_ADDRESS",
      "request_id": "dc24d731-970a-4d5e-8b0b-271390431ee0"
    },
    "user": {
      "client_auth_hash": null,
      "user_token_hash": null
    }
  }
}

Response:

{
  "level": "info",
  "dt": "2021-03-03T13:04:06.901430Z",
  "message": "Completed 401 Unauthorized in 7.013794ms",
  "event": {
    "http_response_sent": {
      "body": null,
      "content_length": null,
      "headers_json": "{\"Access-Control-Allow-Origin\":\"https://app.forestadmin.com\",\"Access-Control-Allow-Methods\":\"GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS\",\"Access-Control-Expose-Headers\":\"\",\"Access-Control-Max-Age\":\"86400\",\"Access-Control-Allow-Credentials\":\"true\",\"X-Frame-Options\":\"SAMEORIGIN\",\"X-XSS-Protection\":\"1; mode=block\",\"X-Content-Type-Options\":\"nosniff\",\"X-Download-Options\":\"noopen\",\"X-Permitted-Cross-Domain-Policies\":\"none\",\"Referrer-Policy\":\"strict-origin-when-cross-origin\",\"Content-Type\":\"text/html\",\"Vary\":\"Origin\"}",
      "request_id": "dc24d731-970a-4d5e-8b0b-271390431ee0",
      "service_name": null,
      "status": 401,
      "duration_ms": 7.013794
    }
  },
  "context": {
    "system": {
      "hostname": "39bf3210-1d8f-4ee6-a1a5-d7e280fa62b3",
      "pid": 4
    },
    "runtime": {
      "thread_id": 79420
    },
    "http": {
      "host": "raylo-api-pr-2277.herokuapp.com",
      "method": "GET",
      "path": "/forest/Address",
      "remote_addr": "REMOTE_ADDRESS",
      "request_id": "dc24d731-970a-4d5e-8b0b-271390431ee0"
    },
    "user": {
      "client_auth_hash": null,
      "user_token_hash": null
    }
  }
}

Context

The configurations on the Rails app are the following:

Forest application URL:

irb(main):001:0> ForestLiana.application_url
=> "https://raylo-api-pr-2277.herokuapp.com"

CORS:

allowed_web_origins = [Regexp.new(/\Anull\z/), 'app.forestadmin.com']

Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins(*allowed_web_origins)

    resource(
      '*',
      headers: :any,
      methods: %i[get post put patch delete options head],
      expose: ['Content-Disposition'],
      credentials: true
    )
  end
end

The configuration in Forest Admin > Environments for this environment has 6.0.1 as the Liana version.

The one thing I’ve noticed though is that this issue only happens when I access ForestAdmin using the Chrome browser but it doesn’t happen when I use Firefox. Even with the Chrome browser, if I switch to another environment using an older version of Forest Liana, everything works just fine.

  • Package Version: 6.0.1
  • Ruby: 3.0.0
  • Rails Version: 6.1.3
  • Database Dialect: Postgresql

Hi @sergior,

Did you try to fully log in/log out on the environment where you are experiencing this issue?
Also, could you share your project name so I can check if I can spot something on my end?

I have indeed fully logged in/logged out, even cleared all the cookies associated with the Forest domain, and still experienced the same behaviour.

The project name is “Back Office”.

Hello @sergior,

I’d like to know 2 things about your testing environment:

  • do you deploy multiple instances of your app?
  • did you activate the cache on your environments?

On the first authentication request it receives, forest-rails makes a request to the Forest Admin server to register itself as an OpenID client, and then saves the clientId into the cache.

It is very important that all authentication requests are done using the same clientId throughout the whole authentication process for one user, otherwise the authentication fails.

So, if you are deploying your app to multiple instances, each instance gets a different clientId, and a user can start the authentication process using one instance and finish it by requesting another instance, which leads to an issue.

Similarly, if the cache is not active (we made it more clear in a recent fix), a client id is retrieved for each call, which leads to the same kind of issue.

If you have multiple instances or cannot activate the cache on your application, follow the documentation about static client ids.
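The client id mismatch described in the reply above, modelled as an added example (not forest-rails code and not part of the original posts). `FakeOidcServer`, `AgentInstance` and the Hash used as a cache are hypothetical stand-ins for the Forest Admin server, one app instance and `Rails.cache`.

```ruby
require 'securerandom'

# Hypothetical stand-in for the Forest Admin server's OpenID endpoints.
class FakeOidcServer
  def initialize
    @codes = {}
  end

  # Dynamic registration: every call returns a new client id.
  def register_client
    "client-#{SecureRandom.hex(8)}"
  end

  # The authorization code is bound to the client id that requested it.
  def authorize(client_id)
    SecureRandom.hex(8).tap { |code| @codes[code] = client_id }
  end

  # The callback succeeds only for the client id the code was issued to.
  def redeem(code, client_id)
    @codes.delete(code) == client_id
  end
end

# Hypothetical agent instance. `cache` is a Hash standing in for Rails.cache
# (nil = cache disabled); `static_id` models a pre-configured client id.
class AgentInstance
  def initialize(server, cache: nil, static_id: nil)
    @server, @cache, @static_id = server, cache, static_id
  end

  def client_id
    return @static_id if @static_id
    return @server.register_client if @cache.nil? # no cache: new id per call
    @cache[:client_id] ||= @server.register_client
  end
end

# The login starts on instance `first`; its callback lands on `second`.
def login_ok?(server, first, second)
  server.redeem(server.authorize(first.client_id), second.client_id)
end

def scenarios
  s = FakeOidcServer.new
  cached = AgentInstance.new(s, cache: {})
  uncached = AgentInstance.new(s)
  { single_cached: login_ok?(s, cached, cached),
    cache_disabled: login_ok?(s, uncached, uncached),
    two_instances: login_ok?(s, AgentInstance.new(s, cache: {}), AgentInstance.new(s, cache: {})),
    static_client_id: login_ok?(s, AgentInstance.new(s, static_id: 'fixed'), AgentInstance.new(s, static_id: 'fixed')) }
end
```

Only the single cached instance and the static client id complete the flow; a disabled cache fails even with one instance, because the start and the callback each register a new client.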

Hello @sergior,

We identified an issue with cookies sent by the liana in remote environments. I’d like to validate that you have the same kind of issue.

Can you please:

  • Open the developer tools in your browser
  • launch the authentication process again on your liana
  • open the call to /forest/session/callback
  • take a screenshot of the response headers please?

Hi @GuillaumeGautreau, here’s the screenshot of the response headers:

Thank you for your answer @sergior

The issue is the same as the one described here: Impossible to access to production environment / Forest Admin Rails

We are working on a fix in forest-rails, and we will keep you updated when the fix is released.

In the meantime, as you shared a screenshot with a valid token on your install (I forgot to mention to blur the content), can you change the value of the FOREST_AUTH_SECRET on your install? It will invalidate all tokens and use a different secret for signing authentication tokens. Any random string should work here.
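Why changing the signing secret invalidates a token that was exposed in a screenshot, as an added example (not forest-rails code and not part of the original posts). It assumes the session token is an HS256 JWT keyed by the auth secret; the claims and both secrets are constructed values, and `sign_token`, `verify_token` and `rotation_demo` are hypothetical names.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Unpadded URL-safe base64, as used in compact JWTs.
def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

# Constant-time string comparison for the signature check.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build a compact HS256 JWT (assumed token format) signed with `secret`.
def sign_token(claims, secret)
  input = "#{b64url({ alg: 'HS256', typ: 'JWT' }.to_json)}.#{b64url(claims.to_json)}"
  "#{input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, input))}"
end

# Return the claims when signature and expiry are valid, nil otherwise.
# The algorithm is fixed here and never taken from the token header.
def verify_token(token, secret, now: Time.now.to_i)
  header, payload, sig = token.to_s.split('.')
  return nil unless header && payload && sig
  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  return nil unless secure_equal?(expected, sig)
  claims = JSON.parse(payload.tr('-_', '+/').unpack1('m'))
  claims['exp'].to_i > now ? claims : nil
end

def rotation_demo
  old_secret = SecureRandom.hex(32) # constructed stand-in for the exposed secret
  new_secret = SecureRandom.hex(32) # replacement value from a CSPRNG
  claims = { 'id' => 1, 'exp' => Time.now.to_i + 3600 } # constructed claims
  leaked = sign_token(claims, old_secret)
  { before_rotation: !verify_token(leaked, old_secret).nil?,
    after_rotation: !verify_token(leaked, new_secret).nil?,
    reissued: !verify_token(sign_token(claims, new_secret), new_secret).nil? }
end
```

After rotation the exposed token fails the signature check even though its expiry is still in the future, so every user has to authenticate again.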

Hello @sergior

We just released forest-rails version 6.0.2 that should fix your issue. Can you please test with this fix and confirm that you can correctly authenticate on your project?

Hi @GuillaumeGautreau, the upgrade to 6.0.2 did indeed fix the issue I was having when using caching and I’m now able to authenticate successfully.

Thank you!