debugging cookies w/ burnettk

spiffworkflow-backend/bin/start_keycloak

@@ -39,7 +39,8 @@ docker run \
   -e KEYCLOAK_LOGLEVEL=ALL \
   -e ROOT_LOGLEVEL=ALL \
   -e KEYCLOAK_ADMIN=admin \
-  -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:20.0.1 start-dev \
+  -e KEYCLOAK_ADMIN_PASSWORD=admin \
+  quay.io/keycloak/keycloak:20.0.1 start-dev \
   -Dkeycloak.profile.feature.token_exchange=enabled \
   -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
 

spiffworkflow-backend/poetry.lock

@@ -462,21 +462,6 @@ toml = "*"
 conda = ["pyyaml"]
 pipenv = ["pipenv"]
 
-[[package]]
-name = "ecdsa"
-version = "0.18.0"
-description = "ECDSA cryptographic signature library (pure python)"
-category = "main"
-optional = false
-python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*"
-
-[package.dependencies]
-six = ">=1.9.0"
-
-[package.extras]
-gmpy = ["gmpy"]
-gmpy2 = ["gmpy2"]
-
 [[package]]
 name = "exceptiongroup"
 version = "1.0.4"
@@ -668,6 +653,22 @@ python-versions = "*"
 Flask = ">=0.9"
 Six = "*"
 
+[[package]]
+name = "flask-jwt-extended"
+version = "4.4.4"
+description = "Extended JWT integration with Flask"
+category = "main"
+optional = false
+python-versions = ">=3.7,<4"
+
+[package.dependencies]
+Flask = ">=2.0,<3.0"
+PyJWT = ">=2.0,<3.0"
+Werkzeug = ">=0.14"
+
+[package.extras]
+asymmetric-crypto = ["cryptography (>=3.3.1)"]
+
 [[package]]
 name = "Flask-Mail"
 version = "0.9.1"
@@ -1223,14 +1224,6 @@ category = "main"
 optional = false
 python-versions = ">=3.6"
 
-[[package]]
-name = "pyasn1"
-version = "0.4.8"
-description = "ASN.1 types and codecs"
-category = "main"
-optional = false
-python-versions = "*"
-
 [[package]]
 name = "pycodestyle"
 version = "2.8.0"
@@ -1384,41 +1377,6 @@ python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,>=2.7"
 [package.dependencies]
 six = ">=1.5"
 
-[[package]]
-name = "python-jose"
-version = "3.3.0"
-description = "JOSE implementation in Python"
-category = "main"
-optional = false
-python-versions = "*"
-
-[package.dependencies]
-ecdsa = "!=0.15"
-pyasn1 = "*"
-rsa = "*"
-
-[package.extras]
-cryptography = ["cryptography (>=3.4.0)"]
-pycrypto = ["pyasn1", "pycrypto (>=2.6.0,<2.7.0)"]
-pycryptodome = ["pyasn1", "pycryptodome (>=3.3.1,<4.0.0)"]
-
-[[package]]
-name = "python-keycloak"
-version = "2.6.0"
-description = "python-keycloak is a Python package providing access to the Keycloak API."
-category = "main"
-optional = false
-python-versions = ">=3.7,<4.0"
-
-[package.dependencies]
-python-jose = ">=3.3.0,<4.0.0"
-requests = ">=2.20.0,<3.0.0"
-requests-toolbelt = ">=0.9.1,<0.10.0"
-urllib3 = ">=1.26.0,<2.0.0"
-
-[package.extras]
-docs = ["Sphinx (>=5.0.2,<6.0.0)", "alabaster (>=0.7.12,<0.8.0)", "commonmark (>=0.9.1,<0.10.0)", "m2r2 (>=0.3.2,<0.4.0)", "mock (>=4.0.3,<5.0.0)", "readthedocs-sphinx-ext (>=2.1.8,<3.0.0)", "recommonmark (>=0.7.1,<0.8.0)", "sphinx-autoapi (>=1.8.4,<2.0.0)", "sphinx-rtd-theme (>=1.0.0,<2.0.0)"]
-
 [[package]]
 name = "pytz"
 version = "2022.6"
@@ -1494,17 +1452,6 @@ urllib3 = ">=1.21.1,<1.27"
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
 use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
 
-[[package]]
-name = "requests-toolbelt"
-version = "0.9.1"
-description = "A utility belt for advanced users of python-requests"
-category = "main"
-optional = false
-python-versions = "*"
-
-[package.dependencies]
-requests = ">=2.0.1,<3.0.0"
-
 [[package]]
 name = "restrictedpython"
 version = "6.0"
@@ -1528,17 +1475,6 @@ python-versions = "*"
 [package.dependencies]
 docutils = ">=0.11,<1.0"
 
-[[package]]
-name = "rsa"
-version = "4.9"
-description = "Pure-Python RSA implementation"
-category = "main"
-optional = false
-python-versions = ">=3.6,<4"
-
-[package.dependencies]
-pyasn1 = ">=0.1.3"
-
 [[package]]
 name = "ruamel.yaml"
 version = "0.17.21"
@@ -1851,7 +1787,7 @@ lxml = "*"
 type = "git"
 url = "https://github.com/sartography/SpiffWorkflow"
 reference = "main"
-resolved_reference = "5eed83ab12f67c01c7836424a22fc425a33fc55d"
+resolved_reference = "be26100bcbef8026e26312c665dae42faf476485"
 
 [[package]]
 name = "SQLAlchemy"
@@ -2222,7 +2158,7 @@ testing = ["flake8 (<5)", "func-timeout", "jaraco.functools", "jaraco.itertools"
 [metadata]
 lock-version = "1.1"
 python-versions = ">=3.9,<3.12"
-content-hash = "832c1b6cd8d9aebc8529fdce11167bddcb3634fd0767dd2e490b74ababcf2714"
+content-hash = "8592e94ba80b7d0338a9c003ca4d0e189b5f470d97391438ddc1fc9050febedb"
 
 [metadata.files]
 alabaster = [
@@ -2443,10 +2379,6 @@ dparse = [
     {file = "dparse-0.6.2-py3-none-any.whl", hash = "sha256:8097076f1dd26c377f30d4745e6ec18fef42f3bf493933b842ac5bafad8c345f"},
     {file = "dparse-0.6.2.tar.gz", hash = "sha256:d45255bda21f998bc7ddf2afd5e62505ba6134756ba2d42a84c56b0826614dfe"},
 ]
-ecdsa = [
-    {file = "ecdsa-0.18.0-py2.py3-none-any.whl", hash = "sha256:80600258e7ed2f16b9aa1d7c295bd70194109ad5a30fdee0eaeefef1d4c559dd"},
-    {file = "ecdsa-0.18.0.tar.gz", hash = "sha256:190348041559e21b22a1d65cee485282ca11a6f81d503fddb84d5017e9ed1e49"},
-]
 exceptiongroup = [
     {file = "exceptiongroup-1.0.4-py3-none-any.whl", hash = "sha256:542adf9dea4055530d6e1279602fa5cb11dab2395fa650b8674eaec35fc4a828"},
     {file = "exceptiongroup-1.0.4.tar.gz", hash = "sha256:bd14967b79cd9bdb54d97323216f8fdf533e278df937aa2a90089e7d6e06e5ec"},
@@ -2494,6 +2426,10 @@ Flask-Cors = [
     {file = "Flask-Cors-3.0.10.tar.gz", hash = "sha256:b60839393f3b84a0f3746f6cdca56c1ad7426aa738b70d6c61375857823181de"},
     {file = "Flask_Cors-3.0.10-py2.py3-none-any.whl", hash = "sha256:74efc975af1194fc7891ff5cd85b0f7478be4f7f59fe158102e91abb72bb4438"},
 ]
+flask-jwt-extended = [
+    {file = "Flask-JWT-Extended-4.4.4.tar.gz", hash = "sha256:62b521d75494c290a646ae8acc77123721e4364790f1e64af0038d823961fbf0"},
+    {file = "Flask_JWT_Extended-4.4.4-py2.py3-none-any.whl", hash = "sha256:a85eebfa17c339a7260c4643475af444784ba6de5588adda67406f0a75599553"},
+]
 Flask-Mail = [
     {file = "Flask-Mail-0.9.1.tar.gz", hash = "sha256:22e5eb9a940bf407bcf30410ecc3708f3c56cc44b29c34e1726fe85006935f41"},
 ]
@@ -2988,10 +2924,6 @@ psycopg2 = [
     {file = "psycopg2-2.9.4-cp39-cp39-win_amd64.whl", hash = "sha256:849bd868ae3369932127f0771c08d1109b254f08d48dc42493c3d1b87cb2d308"},
     {file = "psycopg2-2.9.4.tar.gz", hash = "sha256:d529926254e093a1b669f692a3aa50069bc71faf5b0ecd91686a78f62767d52f"},
 ]
-pyasn1 = [
-    {file = "pyasn1-0.4.8-py2.py3-none-any.whl", hash = "sha256:39c7e2ec30515947ff4e87fb6f456dfc6e84857d34be479c9d4a4ba4bf46aa5d"},
-    {file = "pyasn1-0.4.8.tar.gz", hash = "sha256:aef77c9fb94a3ac588e87841208bdec464471d9871bd5050a287cc9a475cd0ba"},
-]
 pycodestyle = [
     {file = "pycodestyle-2.8.0-py2.py3-none-any.whl", hash = "sha256:720f8b39dde8b293825e7ff02c475f3077124006db4f440dcbc9a20b76548a20"},
     {file = "pycodestyle-2.8.0.tar.gz", hash = "sha256:eddd5847ef438ea1c7870ca7eb78a9d47ce0cdb4851a5523949f2601d0cbbe7f"},
@@ -3059,14 +2991,6 @@ python-dateutil = [
     {file = "python-dateutil-2.8.2.tar.gz", hash = "sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86"},
     {file = "python_dateutil-2.8.2-py2.py3-none-any.whl", hash = "sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"},
 ]
-python-jose = [
-    {file = "python-jose-3.3.0.tar.gz", hash = "sha256:55779b5e6ad599c6336191246e95eb2293a9ddebd555f796a65f838f07e5d78a"},
-    {file = "python_jose-3.3.0-py2.py3-none-any.whl", hash = "sha256:9b1376b023f8b298536eedd47ae1089bcdb848f1535ab30555cd92002d78923a"},
-]
-python-keycloak = [
-    {file = "python-keycloak-2.6.0.tar.gz", hash = "sha256:08c530ff86f631faccb8033d9d9345cc3148cb2cf132ff7564f025292e4dbd96"},
-    {file = "python_keycloak-2.6.0-py3-none-any.whl", hash = "sha256:a1ce102b978beb56d385319b3ca20992b915c2c12d15a2d0c23f1104882f3fb6"},
-]
 pytz = [
     {file = "pytz-2022.6-py2.py3-none-any.whl", hash = "sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427"},
     {file = "pytz-2022.6.tar.gz", hash = "sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2"},
@@ -3205,10 +3129,6 @@ requests = [
     {file = "requests-2.28.1-py3-none-any.whl", hash = "sha256:8fefa2a1a1365bf5520aac41836fbee479da67864514bdb821f31ce07ce65349"},
     {file = "requests-2.28.1.tar.gz", hash = "sha256:7c5599b102feddaa661c826c56ab4fee28bfd17f5abca1ebbe3e7f19d7c97983"},
 ]
-requests-toolbelt = [
-    {file = "requests-toolbelt-0.9.1.tar.gz", hash = "sha256:968089d4584ad4ad7c171454f0a5c6dac23971e9472521ea3b6d49d610aa6fc0"},
-    {file = "requests_toolbelt-0.9.1-py2.py3-none-any.whl", hash = "sha256:380606e1d10dc85c3bd47bf5a6095f815ec007be7a8b69c878507068df059e6f"},
-]
 restrictedpython = [
     {file = "RestrictedPython-6.0-py3-none-any.whl", hash = "sha256:3479303f7bff48a7dedad76f96e7704993c5e86c5adbd67f607295d5352f0fb8"},
     {file = "RestrictedPython-6.0.tar.gz", hash = "sha256:405cf0bd9eec2f19b1326b5f48228efe56d6590b4e91826b8cc3b2cd400a96ad"},
@@ -3216,10 +3136,6 @@ restrictedpython = [
 restructuredtext-lint = [
     {file = "restructuredtext_lint-1.4.0.tar.gz", hash = "sha256:1b235c0c922341ab6c530390892eb9e92f90b9b75046063e047cacfb0f050c45"},
 ]
-rsa = [
-    {file = "rsa-4.9-py3-none-any.whl", hash = "sha256:90260d9058e514786967344d0ef75fa8727eed8a7d2e43ce9f4bcf1b536174f7"},
-    {file = "rsa-4.9.tar.gz", hash = "sha256:e38464a49c6c85d7f1351b0126661487a7e0a14a50f1675ec50eb34d4f20ef21"},
-]
 "ruamel.yaml" = [
     {file = "ruamel.yaml-0.17.21-py3-none-any.whl", hash = "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7"},
     {file = "ruamel.yaml-0.17.21.tar.gz", hash = "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af"},

spiffworkflow-backend/pyproject.toml

@@ -44,7 +44,6 @@ marshmallow-enum = "^1.5.1"
 marshmallow-sqlalchemy = "^0.28.0"
 PyJWT = "^2.6.0"
 gunicorn = "^20.1.0"
-python-keycloak = "^2.5.0"
 APScheduler = "*"
 Jinja2 = "^3.1.2"
 RestrictedPython = "^6.0"
@@ -72,6 +71,7 @@ simplejson = "^3.17.6"
 pytz = "^2022.6"
 dateparser = "^1.1.2"
 types-dateparser = "^1.1.4.1"
+flask-jwt-extended = "^4.4.4"
 
 
 [tool.poetry.dev-dependencies]

spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py

@@ -63,7 +63,6 @@ def setup_config(app: Flask) -> None:
     )
     app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
     app.config.from_object("spiffworkflow_backend.config.default")
-    print("loaded config: default")
 
     env_config_prefix = "spiffworkflow_backend.config."
     if (
@@ -71,7 +70,6 @@ def setup_config(app: Flask) -> None:
         and os.environ.get("SPIFFWORKFLOW_BACKEND_ENV") is not None
     ):
         load_config_file(app, f"{env_config_prefix}terraform_deployed_environment")
-        print("loaded config: terraform_deployed_environment")
 
     env_config_module = env_config_prefix + app.config["ENV_IDENTIFIER"]
     load_config_file(app, env_config_module)
@@ -90,14 +88,6 @@ def setup_config(app: Flask) -> None:
             "permissions",
             app.config["SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME"],
         )
-        print(
-            "set permissions file name config:"
-            f" {app.config['SPIFFWORKFLOW_BACKEND_PERMISSIONS_FILE_NAME']}"
-        )
-        print(
-            "set permissions file name full path:"
-            f" {app.config['PERMISSIONS_FILE_FULLPATH']}"
-        )
 
     # unversioned (see .gitignore) config that can override everything and include secrets.
     # src/spiffworkflow_backend/config/secrets.py

spiffworkflow-backend/src/spiffworkflow_backend/config/default.py

@@ -17,10 +17,12 @@ RUN_BACKGROUND_SCHEDULER = (
     environ.get("RUN_BACKGROUND_SCHEDULER", default="false") == "true"
 )
 SPIFFWORKFLOW_FRONTEND_URL = environ.get(
-    "SPIFFWORKFLOW_FRONTEND_URL", default="http://localhost:7001"
+    # "SPIFFWORKFLOW_FRONTEND_URL", default="http://localhost:7001"
+    "SPIFFWORKFLOW_FRONTEND_URL", default="http://spiff.localdev"
 )
 SPIFFWORKFLOW_BACKEND_URL = environ.get(
-    "SPIFFWORKFLOW_BACKEND_URL", default="http://localhost:7000"
+    # "SPIFFWORKFLOW_BACKEND_URL", default="http://localhost:7000"
+    "SPIFFWORKFLOW_BACKEND_URL", default="http://api.spiff.localdev"
 )
 # service task connector proxy
 CONNECTOR_PROXY_URL = environ.get(
@@ -29,12 +31,16 @@ CONNECTOR_PROXY_URL = environ.get(
 
 # Open ID server
 OPEN_ID_SERVER_URL = environ.get(
-    "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+    # "OPEN_ID_SERVER_URL", default="http://localhost:7002/realms/spiffworkflow"
+    # "OPEN_ID_SERVER_URL", default="http://keycloak.spiff.localdev/realms/spiffworkflow"
+    "OPEN_ID_SERVER_URL", default="http://api.spiff.localdev/openid"
 )
+
 # Replace above line with this to use the built-in Open ID Server.
 # OPEN_ID_SERVER_URL = environ.get("OPEN_ID_SERVER_URL", default="http://localhost:7000/openid")
 OPEN_ID_CLIENT_ID = environ.get("OPEN_ID_CLIENT_ID", default="spiffworkflow-backend")
 OPEN_ID_CLIENT_SECRET_KEY = environ.get(
+    # "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
     "OPEN_ID_CLIENT_SECRET_KEY", default="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"
 )  # noqa: S105
 

spiffworkflow-backend/src/spiffworkflow_backend/routes/openid_blueprint/openid_blueprint.py

@@ -34,6 +34,8 @@ def well_known() -> dict:
     These urls can be very different from one openid impl to the next, this is just a small subset.
     """
     host_url = request.host_url.strip("/")
+    print(f"host_url: {host_url}")
+    print(f"request.path: {request.url}")
     return {
         "issuer": f"{host_url}/openid",
         "authorization_endpoint": f"{host_url}{url_for('openid.auth')}",

spiffworkflow-backend/src/spiffworkflow_backend/routes/process_groups_controller.py

@@ -1,5 +1,6 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
+from flask import current_app
 from typing import Any
 from typing import Optional
 
@@ -88,7 +89,10 @@ def process_group_list(
             "pages": pages,
         },
     }
-    return Response(json.dumps(response_json), status=200, mimetype="application/json")
+    response = make_response(jsonify(response_json), 200)
+    current_app.logger.info("SETTING COOKIE")
+    # response.set_cookie('TEST_COOKIE', 'HEY', domain=".spiff.dev", secure=False, httponly=True)
+    return response
 
 
 def process_group_show(

spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py

@@ -23,6 +23,8 @@ from spiffworkflow_backend.services.authentication_service import (
 from spiffworkflow_backend.services.authorization_service import AuthorizationService
 from spiffworkflow_backend.services.user_service import UserService
 
+# from flask_jwt_extended import set_access_cookies
+
 """
 .. module:: crc.api.user
    :synopsis: Single Sign On (SSO) user login and session handlers
@@ -77,6 +79,7 @@ def verify_token(
                 except (
                     ApiError
                 ) as ae:  # API Error is only thrown in the token is outdated.
+                    print("HEY WE IN ERROR")
                     # Try to refresh the token
                     user = UserService.get_user_by_service_and_service_id(
                         decoded_token["iss"], decoded_token["sub"]
@@ -89,10 +92,12 @@ def verify_token(
                                     refresh_token
                                 )
                             )
+                            # set_access_cookies()
+                            print(f"auth_token: {auth_token}")
                             if auth_token and "error" not in auth_token:
                                 # We have the user, but this code is a bit convoluted, and will later demand
                                 # a user_info object so it can look up the user.  Sorry to leave this crap here.
-                                user_info = {"sub": user.service_id}
+                                user_info = {"sub": user.service_id, "iss": user.service}
                             else:
                                 raise ae
                         else:
@@ -106,7 +111,7 @@ def verify_token(
                         message="Cannot get user info from token",
                         status_code=401,
                     ) from e
-
+                print(f"USER_INFO: {user_info}")
                 if (
                     user_info is not None
                     and "error" not in user_info

spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py

@@ -53,8 +53,11 @@ class AuthenticationService:
     def open_id_endpoint_for_name(cls, name: str) -> str:
         """All openid systems provide a mapping of static names to the full path of that endpoint."""
         openid_config_url = f"{cls.server_url()}/.well-known/openid-configuration"
+        print(f"openid_config_url: {openid_config_url}")
         if name not in AuthenticationService.ENDPOINT_CACHE:
+            print("BEFORE")
             response = requests.get(openid_config_url)
+            print("AFTER")
             AuthenticationService.ENDPOINT_CACHE = response.json()
         if name not in AuthenticationService.ENDPOINT_CACHE:
             raise Exception(
@@ -137,6 +140,9 @@ class AuthenticationService:
                 message="Cannot decode id_token",
                 status_code=401,
             ) from e
+        print(f"decoded_token: {decoded_token}")
+        print(f"cls.service_url(): {cls.server_url()}")
+        # import pdb; pdb.set_trace()
         if decoded_token["iss"] != cls.server_url():
             valid = False
         elif (

spiffworkflow-frontend/src/config.tsx

@@ -1,4 +1,6 @@
 const { port, hostname } = window.location;
+console.log('START');
+console.log('window.location', window.location);
 let hostAndPort = `api.${hostname}`;
 let protocol = 'https';
 
@@ -10,12 +12,14 @@ if (/^\d+\./.test(hostname) || hostname === 'localhost') {
   hostAndPort = `${hostname}:${serverPort}`;
   protocol = 'http';
 }
+protocol = 'http';
 
 let url = `${protocol}://${hostAndPort}/v1.0`;
-// Allow overriding the backend base url with an environment variable at build time.
+console.log('OUR URL', url);
 if (process.env.REACT_APP_BACKEND_BASE_URL) {
   url = process.env.REACT_APP_BACKEND_BASE_URL;
 }
+console.log('NO THIS ONE', url);
 
 export const BACKEND_BASE_URL = url;
 

spiffworkflow-frontend/src/routes/TaskShow.tsx

@@ -184,6 +184,13 @@ export default function TaskShow() {
       );
     }
 
+    function customValidate(formData: any, errors: any) {
+      if (formData.pass1 !== formData.pass2) {
+        errors.pass2.addError("Passwords don't match");
+      }
+      return errors;
+    }
+
     return (
       <Grid fullWidth condensed>
         <Column md={5} lg={8} sm={4}>
@@ -193,6 +200,7 @@ export default function TaskShow() {
             schema={jsonSchema}
             uiSchema={formUiSchema}
             validator={validator}
+            customValidate={customValidate}
           >
             {reactFragmentToHideSubmitButton}
           </Form>

spiffworkflow-frontend/src/services/UserService.ts

@@ -21,6 +21,7 @@ const getCurrentLocation = () => {
 
 const doLogin = () => {
   const url = `${BACKEND_BASE_URL}/login?redirect_url=${getCurrentLocation()}`;
+  console.log('URL', url);
   window.location.href = url;
 };
 const getIdToken = () => {
@@ -77,6 +78,7 @@ const getAuthTokenFromParams = () => {
       localStorage.setItem('jwtIdToken', idToken);
     }
     // window.location.href = `${getCurrentLocation(queryParams.toString())}`;
+    console.log('THE PALCE: ', `${getCurrentLocation()}`);
     window.location.href = `${getCurrentLocation()}`;
   } else if (!isLoggedIn()) {
     doLogin();