Ui request forwarding error #4275
Conversation
…les this otherwise
…licyviolation event
|
Seems totally reasonable 🤔 |
|
|
||
| remove() { | ||
| window.document.removeEventListener('securitypolicyviolation', this.handleCSP, true); | ||
| }, |
There was a problem hiding this comment.
Definitely not a change request, but I wondered how this service would look with ember-concurrency's waitForEvent. Untested:
import Ember from 'ember';
import { task, waitForEvent } from 'ember-concurrency';
const { Service, computed } = Ember;
export default Service.extend({
events: [],
connectionViolations: computed.filterBy('events', 'violatedDirective', 'connect-src'),
attach() {
this.get('monitor').perform();
},
remove() {
this.get('monitor').cancelAll();
},
monitor: task(function*() {
this.get('events').clear();
while (let event = waitForEvent(window.document.body, 'securitypolicyviolation')) {
this.get('events').addObject(event);
}
}).restartable(),
});There was a problem hiding this comment.
Oooo that is super nice, I may try updating that later. ❤ e-c.
| @@ -25,9 +27,21 @@ export default Ember.Component.extend({ | |||
| return `auth-form/${type}`; | |||
| }), | |||
|
|
|||
| hasCSPError: computed.alias('csp.connectionViolations.firstObject'), | |||
|
|
|||
| cspErrorText: `This is a standby Vault node but can't communicate with the active node via request forwarding. Sign in at the active node to use the Vault UI.`, | |||
There was a problem hiding this comment.
Nit: there's no templated code in here or in the string used in the tests below. Maybe you're just using it since the can't is in there?
There was a problem hiding this comment.
Yeah originally it was multi-line because it's a beefy error, but then I took that out so I didn't have to trim whitespace in tests 😂. THEN, when I went to single quote I noticed the can't and decided to leave the `s.
|
@thrashr888 I'll follow up with @joshuaogle - my worry is it'll create a "hole" in the text block, but if we make the change I'll address it in a separate PR because we have a number of error / message components like that. |
Some background:
connect-src 'self';to restrict any network calls made from the UI.When 1 & 2 collide, and you attempt to authenticate via the UI on a standby node without request forwarding, the UI redirects to a domain other than
selfand the user sees an unhelpful error.So! Now we detect CSP violations and show a (hopefully) more helpful error. We considered also displaying a link to the leader, but with the various ways Vault can be deployed, it may not be the case that the address of the active node that can be retrieved from the API would be resolvable in the browser and decided against that option.