gristlabs_grist-core/app
Paul Fitzpatrick 561d9696aa (core) clean up interaction of forward auth with session
Summary:
For self-hosted Grist, forward auth has proven useful, where
some proxy wrapped around Grist manages authentication, and
passes on user information to Grist in a trusted header.
The current implementation is adequate when Grist is the
only place where the user logs in or out, but is confusing
otherwise (see https://github.com/gristlabs/grist-core/issues/207).
Here we take some steps to broaden the scenarios Grist's
forward auth support can be used with:

  * When a trusted header is present and is blank, treat
    that as the user not being logged in, and don't look
    any further for identity information. Specifically,
    don't look in Grist's session information.
  * Add a `GRIST_IGNORE_SESSION` flag to entirely prevent
    Grist from picking up identity information from a cookie,
    in order to avoid confusion between multiple login methods.
  * Add tests for common scenarios.

Test Plan: added tests

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D3482
2022-06-15 13:06:12 -04:00
..
client (core) Disable overscroll in gridview 2022-06-13 11:28:33 -07:00
common (core) clean up interaction of forward auth with session 2022-06-15 13:06:12 -04:00
gen-server (core) Product update popups and hosted stripe integration 2022-06-08 21:10:49 +02:00
plugin (core) Update Plugin API documentation 2022-05-24 17:27:34 -07:00
server (core) clean up interaction of forward auth with session 2022-06-15 13:06:12 -04:00
tsconfig.json (core) move home server into core 2020-07-21 20:39:10 -04:00