Permission checks will fail on cordova because of wrong cookie domain

[menelike]

Service-side permission checks depending on cookies can not be used within cordova and will fail. Document.cookie can only access localhost as cordova connects to <content src="http://localhost:12008/"/> where the request for files with go along with the server set my meteor (--mobile-server) e.g. https://foo.bar/cdn/....
Might be wort mentioning that we use Crosswalk.

This may also be related to #97 and http://stackoverflow.com/a/36334857/1981426

Can someone reproduce this?
Is this even possible to fix without a cordova plugin?

Update

On deeper inspection I can see that there is client/server handshake which deals with this issue. Still leaves #97 (comment) open.

Headers being sent (Chrome Browser):

Headers being sent (Cordova/Crosswalk) (Cookie is missing):

This can be reproduced if ROOT_URL !== the webpage URL e.g. 'localhost' !== '127.0.0.1'`

[dr-dimitru]

I can reproduce it if I open Meteor app by local IP address or via 127.0.0.1, even without Cordova.
Other topic is if document.cookie really unaccessible.

1. @menelike could you console.log(document.cookie) on the cordova app?
2. Is it iOS or Android?

[menelike]

@menelike could you console.log(document.cookie) on the cordova app?

Outputs from Cordova/Crosswalk:

run with --mobile-server=https://foo.bar

window.location: {
...
host: "localhost:12008"
hostname: "localhost"
...
}

document.cookie = 'meteor_login_token=CIBXba1jySJ11Efbioi4YwAy2Qy8X8AW6pnAmoWCgA-'

__meteor_runtime_config__.ROOT_URL = 'https://foo.bar'
__meteor_runtime_config__.ROOT_URL_PATH_PREFIX = ''
window.navigator.userAgent = "Mozilla/5.0 (Linux; Android 6.0.1; SHIELD Tablet K1 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Crosswalk/17.46.448.10 Safari/537.36"

Is it iOS or Android?

Android.

Hope this helps. Thanks a lot @dr-dimitru

[dr-dimitru]

@menelike production Cordova uses localhost too? How it is even possible?

[menelike]

I'm using HMR which is still loaded but disabled in production, hope this doesnt conflict here.

I've never seen anything under cordova besides http://localhost:X/, but I'm not sure as I can't find a valid spec in this.
I can think of cordova setting up a layer to cache the webpage. Without that, the app would start with an working internet connection only. Therefore I guess that this is the default behaviour which is indeed a killer for cookies since this conflicts with cross domain security.

[dr-dimitru]

Can't find any info about Cordova cookies usage. I'll update this thread after some testing.

[dr-dimitru]

Hi @menelike ,

Could you reproduce this issue on Meteor@1.4 and MF@1.6.7 ?

[menelike]

@dr-dimitru sure, will test this within the next 24-48h. Thanks a lot for your help!

[dr-dimitru]

@menelike any news?

[menelike]

@dr-dimitru sorry for the waaayyy too long delay.

ostrio:cookies@2.0.5
ostrio:files@1.6.9

The results are the same:

From Webbrowser:

From Cordova:

At this point I'm not even sure if cookies are possible in cordova, it feels like we are trying to bypass the security system. Do you have any suggestions?

https://forums.meteor.com/t/meteor-1-3-beta-11-setting-cookies-from-cordova-on-android/18637/2 might help here.

[dr-dimitru]

To solve it on your end - use DDP upload, it doesn't relies on cookies.
I'm working on the major update, and try to fix it there.

[menelike]

@dr-dimitru thanks for you help.

On a side note, this issue impacts downloading files. Never had problems with uploads because we use DDP for uploads as you advised.

[dr-dimitru]

Hmmm... as fallback we can add support for sessionId= get query.
What do you think?

[dr-dimitru]

It won't violate security as you getting new sessionId at every login, and it very hard to guess

[menelike]

As a temporary solution this would work fine. Currently I disabled all permissions checks, this is by far a greater problem.
On the long term this needs to be fixed properly, as you mentioned before uploads without DDP should be affected as well. But I'm afraid that at this point I still have no clue how to solve this without touching cordova.

update

I think a solution could be achieved through signed requests. Imho this is the better solution as exposing the sessionId (security: MIM attacks etc.). On the bright side this should make this library also independent from cookies at all.

After all I just do not like the idea of exposing credentials in an unencrypted area.

update

A minimal invasive way would be something like explained here, it looks quiet promising. It would act as an cookie relay.