Redirection Problem / Google indexing.

[arminvburren]

Hello,

So I have realized I have two problems currently on my website which use fief, which may be linked.

The first problem is that at random times, mostly when it's been a while that i've connected on it, going in a page of my website after a while (especially the main page) sends me toward the "login" page defined in the auth_callback method. Because of the way I've implemented the login page it it leads to a blank page and nothing more happens..

I am not sure I suspect this started to appear since I've been using the "Cached Auth" method, and that it may happens when fief is somehow trying to refresh a token or something. Here's the code I use to define a page (I put the diff so you can see what was used before this happened):

And the code of the fief functions:

import uuid
from datetime import datetime
from typing import Dict, Optional

from fastapi import Depends, FastAPI, HTTPException, Query, Request, Response, status
from fastapi.responses import HTMLResponse, RedirectResponse
from fastapi.security import APIKeyCookie
from fief_client import FiefAccessTokenInfo, FiefAsync, FiefUserInfo
from fief_client.integrations.fastapi import FiefAuth

fief = FiefAsync(  # !
    "https://simu-immo.fief.dev",
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
)

def make_https_if_not_local(redirect_uri):
    if not '127.0.0.1:8000' in redirect_uri or 'localhost:8000' in redirect_uri:
        return redirect_uri.replace("http://", "https://")
    return redirect_uri

class CustomFiefAuth(FiefAuth):  # !
    client: FiefAsync

    async def get_unauthorized_response(self, request: Request, response: Response):
        redirect_uri =  make_https_if_not_local(request.url_for("auth_callback"))
        auth_url = await self.client.auth_url(redirect_uri, scope=["openid"])
        raise HTTPException(
            status_code=status.HTTP_307_TEMPORARY_REDIRECT,
            headers={"Location": auth_url},
        )

# Cache 
class MemoryUserInfoCache:  # 
    def __init__(self) -> None:
        self.storage: Dict[uuid.UUID, FiefUserInfo] = {}  # 
    async def get(self, user_id: uuid.UUID) -> Optional[FiefUserInfo]:  # 
        return self.storage.get(user_id)
    async def set(self, user_id: uuid.UUID, userinfo: FiefUserInfo) -> None:  # 
        self.storage[user_id] = userinfo
memory_userinfo_cache = MemoryUserInfoCache()
async def get_memory_userinfo_cache() -> MemoryUserInfoCache:  # 
    return memory_userinfo_cache


scheme = APIKeyCookie(name="user_session_cookie", auto_error=False)
auth = CustomFiefAuth(fief, scheme, get_userinfo_cache=get_memory_userinfo_cache)


###################
### Auth Router ###
###################

from fastapi import APIRouter

authrouter = APIRouter()

@authrouter.get("/auth-callback", name="auth_callback")
async def auth_callback(request: Request, response: Response, code: str = Query(...), 
                        memory_userinfo_cache: MemoryUserInfoCache = Depends(get_memory_userinfo_cache)):
    redirect_uri = make_https_if_not_local(request.url_for("auth_callback"))
    tokens, userinfo = await fief.auth_callback(code, redirect_uri)

    response = RedirectResponse(make_https_if_not_local(request.url_for("login")))
    response.set_cookie(
        "user_session_cookie",
        tokens["access_token"],
        expires=int(datetime.now().timestamp() + tokens["expires_in"]),
        httponly=True,
        secure=False,  # ❌ Set this to `True` in production !
    )

    await memory_userinfo_cache.set(uuid.UUID(userinfo["sub"]), userinfo)

    return response

@authrouter.get("/login", name="login")
async def login(access_token_info: FiefAccessTokenInfo = Depends(auth.current_user())):
    response = HTMLResponse(f"<script>window.close();\
                              if(window.opener.location.pathname.includes('simulation')) \
                              {{window.opener.document.forms['simu_params_form'].submit();}} else \
                              {{window.opener.location.reload();}} \
                              </script>")
    return response

@authrouter.get("/logout", name="logout")
async def logout(request: Request):
    logout_redirect = "http://localhost:8000/" if request.client.host == "127.0.0.1" else "https://simu-immo.fr/"
    logout_url = await fief.logout_url(logout_redirect)
    response = RedirectResponse(logout_url)
    response.delete_cookie("user_session_cookie")
    return response

( The implementation of the login is as such it enables refreshing a form in case the user wants to connect after having done a simulation, so login is always opened in a new window, then closed and the form is re-submitted automatically )

Also it's important to note that I've seen it happen recently, even after changing the times of the login and refresh token to a high value like 1 year.

The second problem is that I have lost my indexing on google, and it says "page with redirect". Apaprently it happened starting as early as 9 august, which is after I added the cached auth. For all my website page, I have this on the google console:

Do you have any clue of what is happening and what I should do to correct it ?

[frankie567]

Hi @arminvburren 👋

So, lot of things are going on here. I'll try to dig things one by one.

The login endpoint

I understand that you're trying to open Fief's login page in another window with some JS code to avoid to lose data user may have input in the form. I'm not a big fan of this solution since it breaks a bit the redirection flow.

IMO, I would suggest to revisit this so you store your form data reliably on the user browser. Something like LocalStorage looks like a good candidate: when the user makes change to the form, save it in the local storage. When the user opens the page, you can check if there is data in the LocalStorage and load it into the form. The nice thing with this solution is that it works for the login redirection, but also if your visitor comes to your site, leave and come back a few hours/days later.

The token expiration

In the implementation of current_user, when optional=True:

• If there is no token, nothing happens
• If there is a valid token, the user is returned
• If there is an expired token, get_unauthorized_response is raised. I'm wondering if this is a good behavior or not for optional. We could probably expect nothing happens in this case, as if the user was not authenticated at all. I'll probably revisit this.

That said, this should not be a big issue if you solve the previous point: redirections would make their work and you would be authenticated again without even noticing.

Side note

From the tests I've made, it looks like your access token is still valid for only 24 hours, not a year. Are you sure you set the parameter correctly?

Google Console

From what I see, I don't think this is a problem related to Fief. There is a few things that could explain that things go wrong:

• Your sitemap is declared on http://simu-immo.fr/sitemap.txt (not HTTPS). If you try to access it, there is a redirection on the HTTPS address.
• Your sitemap declares non-HTTPS URL, like http://simu-immo.fr/simulation. If you try to access them, there is a redirection on the HTTPS address.
• I'm not aware of a TXT format for sitemaps. Usually, we see XML format for such file: https://www.sitemaps.org/protocol.html

So I would suggest to implement your sitemap using the XML format. You can even implement it with FastAPI and use request.url_for to generate the URL dynamically (they will be correctly generated with your domain and HTTPS). I added an example implementation from one of my project below.

**FastAPI Sitemap example**

deployment_date = datetime.date.today()

@router.get("/sitemap.xml")
async def sitemap(request: Request):
    urls = [
        # Homepage
        {
            "loc": request.url_for("index"),
            "lastmod": deployment_date,
            "changefreq": "weekly",
            "priority": 1.0,
        },
        # Accelerators
        {
            "loc": request.url_for("index"),
            "lastmod": deployment_date,
            "changefreq": "weekly",
            "priority": 1.0,
        },
    ]

    # Generate list of urls
    urls_xml = ""
    for url in urls:
        urls_xml += f"""
            <url>
                <loc>{url["loc"]}</loc>
                <lastmod>{url["lastmod"].isoformat()}</lastmod>
                <changefreq>{url["changefreq"]}</changefreq>
                <priority>{url["priority"]}</priority>
            </url>
        """

    # Generate final sitemap
    sitemap = f"""<?xml version="1.0" encoding="UTF-8"?>
    <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
        {urls_xml}
    </urlset>
    """

    return Response(content=sitemap, media_type="application/xml")

[arminvburren]

Hello,

Thanks again for the quick an comprehensive answer, here are my answers (in reverse order):

• Indeed, the problem with the search console was in the https redirection. I have fixed that and another problem by digging into it.

• I agree that it would make sense to change the default behavior when optional=True, that said I assume the problem will not appear anymore since I've bumped the lifetimes x100 to 86400000 / 259200000 (?).

• About this: I'm almost sure I had already bumped them already before writing the previous message. After you checked and told me it was still 24h I tried again, and I saw it was not taken into account after I refreshed the fief config page. So i bumped it first x10, and then x10 again and .. then it was ok. Maybe I've just done some total nonsense the 2 first times but i thought I'd bring the issue.

Problem(s) solved for now anyway!
Armin

[frankie567]

The issue regarding expired tokens with optional=True is now solved with the latest version of the Python SDK: https://github.com/fief-dev/fief-python/releases/tag/v0.16.1