-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate Static Web App Auth + SvelteKit #102
Comments
I've successfully been using auth in SWA with SvelteKit. I did a short writeup now: https://tt.weblog.lol/2023/01/protecting-pages-in-an-azure-static-web-app-built-with-sveltekit I haven't looked too much into how to handle this in local development, I just have an environment variable that I use to control whether I am logged in or not. I wish there was an easy way to run the SWA locally with both frontend and backend, but I couldn't get that to work. I was intending to perhaps make a PR here for the code that parses the auth header, so it can be injected automatically by the adapter, instead of needing to add a hook. |
Ah, thanks so much for writing that! It fills in some of the blanks from my experimentation this weekend. The most puzzling thing has to do with the import { json } from "@sveltejs/kit";
/** @type {import('./$types').RequestHandler} */
export const GET = async (event) => {
return json({
headers: Object.fromEntries(event.request.headers)
});
}; I was super confused why this wasn't returning the client principal header (though I was getting
If I specify However, I think the underlying behavior is a bug in SWA. I saw in a SWA GitHub issue thread somewhere that only /api requests will include the client principal header. I think this is (hopefully) a bug that happens because we're rewriting requests to /api/__render instead of hitting the /api route directly -- we should have that header all the time because /api/__render is an API route. I'll likely open an issue on the SWA repo to confirm. EDIT: opened the issue. It seems to be an issue with routes that use To see the headers passed to /api/__render, I updated my import { json } from "@sveltejs/kit";
/** @type {import('@sveltejs/kit').Handle} */
export async function handle({ event, resolve }) {
if (event.request.url.includes("/api")) {
return json({
headers: Object.fromEntries(event.request.headers)
});
}
const response = await resolve(event);
return response;
} While it's nice that it works if you lock down routes via the config, I'd also like it to be possible to login with SWA and handle all route protection in SvelteKit directly, even when no allowedRoles are specified. Other awkward things with using the
One possible solution to these issues is to get the client principal header coming back consistently so that you can handle all auth in SvelteKit instead of the routes config (though ideally we could support both options).
I have some ideas for local development that I'll add over on #96.
PRs welcome! I've opened #103 to track that work and add some pointers. No worries if you can't get to it, I'll likely get to it at some point. |
Oh, another awkward thing: if you add allowedRoles to a route that has non-GET methods, you need to also add
Not sure if there's a way to make this nicer. Maybe we'd preprocess the routes to add this, but is there a case where you wouldn't want to rewrite to the Azure function? |
You've discovered a lot of stuff I didn't encounter when just trying to make my app work. I agree it seems likely that most of these can be solved if the SWA bug for sending the client principal header is solved. However, I think handling all auth in SvelteKit is a no-go, because pre-rendered pages would not hit the I'll give #103 a go tonight. |
Reading this thread to gather more context for #102
@tlaundal I've been developing a SWA + Svelte project recently, I was able to get frontend & backend working by passing the Svelte address as the API dev server url:
It's been working for APIs (I'm getting the x-ms-client-principal in my +server.ts), I haven't been using auth headers for SSR or rewriting yet though, I can try it out |
From a quick test this seems to work perfectly! It gives a really nice flow for testing logout and login. It would be nice to have a way for |
I think the folks on this thread have already seen it, but I'm tracking SWA CLI config improvements in #96. Looks like we landed on something similar: #96 (comment). |
One thought I want to write down re: @tlaundal 's comment
I haven't tested this myself, but I'm wary about protecting prerendered pages via SWA config
So IMO you shouldn't count on prerendered pages being completely inaccessible - a dedicated person could probably get to it if they really wanted to |
I realized that #89 prevents the use of a /api route, which is what I was relying on to claim the above (going to deploy made me realize that that is not possible). So I am currently stuck trying to get my auth working locally (injected by SWA CLI) for routes other than the /api route (like /rpc for instance, which is what I renamed my api routes to). I'm also encountering Azure/static-web-apps#1053, which is still blocking my usage of /rpc (and trying to access clientPrincipal in there) |
For those following this issue, I opened a somewhat-related issue on better supporting the |
Regarding Azure/static-web-apps#1053, that should now be fixed, please have a look and let me know if this allows you to achieve what you wanted with SvelteKit |
Azure Static Web Apps provides built-in auth features. However, I'm not sure how well they play with SvelteKit, especially during development.
We should investigate the following and document anything the adapter cannot support. It would also be good to integrate with a demo app.
Possibly to consider:
a custom handle hook provided by the adapter that mocks out or otherwise forwards auth requests to the SWA emulator.edit: this part not needed, see #96 (comment)Relevant docs:
Additional TODOs
x-ms-client-principal
header not included when request rewritten to API vianavigationFallback
Azure/static-web-apps#1053)The text was updated successfully, but these errors were encountered: