pennersr/django-allauth

[Headless] Auth not working in headless mode via sessionid cookie

mecampbellsoup opened this issue · 1 comments

I am working on switching from non-headless (legacy AJAX pattern) to headless for our consumption of the allauth API.

After switching from hitting the MFA view mfa_activate_totp to headless:app:mfa:manage_totp, I start to get Unauthorized errors, even though the cookie is being sent to allauth:

cloud-console  | INFO:     Started server process [78]
cloud-console  | INFO:     Waiting for application startup.
cloud-console  | INFO:     Application startup complete.
cloud-console  | request <ASGIRequest: POST '/_allauth/app/v1/account/authenticators/totp'> <class 'django.core.handlers.asgi.ASGIRequest'>
cloud-console  | request.headers {'Content-Length': '0', 'Host': '0.0.0.0:8000', 'Connection': 'keep-alive', 'Accept': 'application/json', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://0.0.0.0:8000', 'Referer': 'http://0.0.0.0:8000/api/', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9', 'Cookie': 'sessionid=qjju80mc18ohwbr40fsueg9461se750p', 'Dnt': '1', 'Sec-Gpc': '1', 'X-Requested-With': 'XMLHttpRequest', 'Sentry-Trace': '5cab1ffcab50465c92c7c349ed57dabd-b377f2fa8c14528a', 'Baggage': 'sentry-trace_id=5cab1ffcab50465c92c7c349ed57dabd,sentry-environment=production'} <class 'django.http.request.HttpHeaders'>
cloud-console  | request.user.is_authenticated False
cloud-console  | Unauthorized: /_allauth/app/v1/account/authenticators/totp

However, when I then use headless:browser, it seems to work OK:

cloud-console  | request <ASGIRequest: POST '/_allauth/browser/v1/account/authenticators/totp'> <class 'django.core.handlers.asgi.ASGIRequest'>
cloud-console  | request.headers {'Content-Length': '0', 'Host': '0.0.0.0:8000', 'Connection': 'keep-alive', 'Accept': 'application/json', 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://0.0.0.0:8000', 'Referer': 'http://0.0.0.0:8000/api/', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9', 'Cookie': 'sessionid=qjju80mc18ohwbr40fsueg9461se750p', 'Dnt': '1', 'Sec-Gpc': '1', 'X-Requested-With': 'XMLHttpRequest', 'Sentry-Trace': 'e0b6bddb6b584cc28f851104f1d56f18-b7c7fe32d2759791', 'Baggage': 'sentry-trace_id=e0b6bddb6b584cc28f851104f1d56f18,sentry-environment=production'} <class 'django.http.request.HttpHeaders'>
cloud-console  | request.user.is_authenticated True
cloud-console  | Bad Request: /_allauth/browser/v1/account/authenticators/totp

I don't see this distinction between app and browser documented anywhere, but is it?
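As an added illustration (example code written for this page, not part of allauth and not from the issue author), the small checker below runs over the two requests logged above and reports which credential each headless client is expected to carry. It assumes, as allauth headless does, that the client is selected from the `/_allauth/app/` vs `/_allauth/browser/` URL prefix, that the `app` client is authenticated by an `X-Session-Token` header (the token handed out in `meta.session_token` of a login response) rather than by cookies, and that the `browser` client uses the Django session cookie plus Django's CSRF protection for unsafe methods. The request constants are constructed from the logged headers, trimmed to the fields that matter; the names `HeadlessRequest`, `diagnose` and `with_session_token` are this example's own.

```python
"""Illustrative diagnosis of 'cookie sent but request unauthorized' on
allauth headless endpoints.  Added example, not allauth's own code."""
from dataclasses import dataclass, replace
from http.cookies import SimpleCookie
import re

# Assumption: the URL prefix selects the headless client ('app' or 'browser').
_CLIENT_RE = re.compile(r"^/_allauth/(?P<client>app|browser)/v1/")
_UNSAFE = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass(frozen=True)
class HeadlessRequest:
    method: str
    path: str
    headers: dict  # header names as logged, e.g. 'Cookie', 'X-Session-Token'


@dataclass(frozen=True)
class AuthDiagnosis:
    client: str        # 'app' or 'browser'
    credential: str    # credential that client is expected to present
    present: bool      # whether that credential is on the request
    detail: str
    csrf_warning: str  # non-empty only for browser-client unsafe requests


def resolve_client(path):
    m = _CLIENT_RE.match(path)
    if not m:
        raise ValueError(f"not a headless endpoint: {path}")
    return m.group("client")


def _header(headers, name):
    # Header names are case-insensitive; the logged dict keeps original case.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _has_sessionid(headers):
    cookie = _header(headers, "Cookie")
    return cookie is not None and "sessionid" in SimpleCookie(cookie)


def diagnose(req):
    client = resolve_client(req.path)
    if client == "app":
        # Assumption: the app client is identified solely by X-Session-Token.
        if _header(req.headers, "X-Session-Token"):
            return AuthDiagnosis(client, "X-Session-Token", True,
                                 "session token header present", "")
        detail = ("no X-Session-Token; the sessionid cookie is sent but the "
                  "app client does not authenticate via cookies"
                  if _has_sessionid(req.headers)
                  else "no X-Session-Token and no session cookie")
        return AuthDiagnosis(client, "X-Session-Token", False, detail, "")
    # browser client: Django session cookie, and CSRF for unsafe methods.
    present = _has_sessionid(req.headers)
    csrf = ""
    if req.method.upper() in _UNSAFE and not _header(req.headers, "X-CSRFToken"):
        csrf = "unsafe method without X-CSRFToken; Django CSRF will reject it"
    return AuthDiagnosis(client, "sessionid cookie", present,
                         "session cookie present" if present
                         else "no sessionid cookie", csrf)


def with_session_token(req, token):
    """Return a copy of req carrying the app-client credential."""
    return replace(req, headers={**req.headers, "X-Session-Token": token})


# Constructed from the two requests logged in the issue (headers trimmed).
_COMMON = {"Accept": "application/json",
           "Cookie": "sessionid=qjju80mc18ohwbr40fsueg9461se750p",
           "X-Requested-With": "XMLHttpRequest"}
APP_REQUEST = HeadlessRequest(
    "POST", "/_allauth/app/v1/account/authenticators/totp", dict(_COMMON))
BROWSER_REQUEST = HeadlessRequest(
    "POST", "/_allauth/browser/v1/account/authenticators/totp", dict(_COMMON))


if __name__ == "__main__":
    for r in (APP_REQUEST, BROWSER_REQUEST,
              with_session_token(APP_REQUEST, "example-token")):
        d = diagnose(r)
        print(f"{r.method} {r.path}\n  client={d.client} needs {d.credential}: "
              f"present={d.present} ({d.detail})"
              + (f"\n  warning: {d.csrf_warning}" if d.csrf_warning else ""))
```

Run it and the first request is flagged as an `app` client request with no `X-Session-Token`, which matches the `request.user.is_authenticated False` seen in the log even though the cookie was sent; the same cookie satisfies the `browser` client. The CSRF warning is only a reminder about the browser client's requirements and is not a claim about what caused the logged Bad Request.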