Gated content not working in Chrome (or Chredge)

I’ve been developing in Firefox as usual and my app uses gated content with auth. This has been working perfectly but I’ve just found it fails in edge / chrome and I have no idea why. the netlify CDN returns 404

Everything is as per the documentation so my redirect rule

/applicant/* 200! Role=applicant,admin

and my user(s) have role: applicant set in the Netlify identiy portal.

I get no errors anywhere so am provinding my headers in case they help shed light. I really needot get this going ASAP please as it’s fundamental for the charity project I’m working on.

Firefox Request

GET /applicant HTTP/2
Host: deploy-preview-3--twam-gallant-swirles-d68516.netlify.app
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://deploy-preview-3--twam-gallant-swirles-d68516.netlify.app/
Cookie: nf_jwt=<blah>
Upgrade-Insecure-Requests: 1
If-None-Match: "3f21f180ab30c8cb69aba35ce51f03d2-ssl-df"
TE: Trailers

Firefox Response

HTTP/2 200 OK
cache-control: public, max-age=0, must-revalidate
content-type: text/html; charset=UTF-8
date: Wed, 12 Aug 2020 16:23:20 GMT
etag: "3f21f180ab30c8cb69aba35ce51f03d2-ssl-df"
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-robots-tag: noindex
content-encoding: br
content-length: 2870
age: 2
server: Netlify
vary: Accept-Encoding
x-nf-request-id: b7d296dd-59e6-4e7b-a9e0-fb5899affc9d-839837
X-Firefox-Spdy: h2

Chrome Request

:authority: deploy-preview-3--twam-gallant-swirles-d68516.netlify.app
:method: GET
:path: /applicant
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,en-US;q=0.8
cookie: nf_jwt=<blah>
referer: https://deploy-preview-3--twam-gallant-swirles-d68516.netlify.app/
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: same-origin
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Mobile Safari/537.36 Edg/84.0.522.58

Chrome Response

age: 2999
cache-control: public, max-age=0, must-revalidate
content-encoding: br
content-length: 2230
content-type: text/html; charset=utf-8
date: Wed, 12 Aug 2020 15:31:03 GMT
etag: 1596043786-ssl-df
server: Netlify
status: 404
vary: Accept-Encoding
x-nf-request-id: 091ac76c-8d6a-4c7e-900a-0c614c504dd9-1007492
x-robots-tag: noindex

Sorry but only FFx provides a “raw headers” option"

having just redacted the cookies I notice the last part is different thepart after the “.” IS that du t odiffent times of request

1 Like

So using Auth0’s JWT.io I can see the tokens are identical except the “exp” as you’d expect and the signatures.

I’m stuck as I don’t understand all those headers.

1 Like

Hey @slim :wave:t2:

May you share with me a few more details please? More of the content of your _redirects file if possible and the current deploy preview of this site so I can attempt to cURL it a few times?

Can you also confirm that your account supports role-based redirects please? I believe that’s a business tier-only feature.

For starters though, can we make sure that you’re following a 2 step approach to the role-based redirects? There should be a rule that allows a pass-through if the correct role but also a second rule that directs users somewhere else if they don’t meet that criteria.

# Two-step route-based protection by role
/admins/*           200!    Role=administrator
/admins/*    /	    301!

Beyond that, is your app a pure static setup where each page is a full browser refresh and location change to pull files from Netlify? Or is it a PWA that’s XHR’ing and/or client-side rendering new content within the same view? That can have large implications around what the code needs to look like to get everything working.


Jon

1 Like

Thanks again jon

/rdm/*	      200!  Role=rdm,admin
/applicant/*  200!  Role=applicant,admin

That’s 2 endpoints .

current deploy preview of this site

https://deploy-preview-3--twam-gallant-swirles-d68516.netlify.app/applicant

As per those headers. Feel free to just create an account etc.

so I can attempt to cURL it a few times?

my fave tool to, though sometimes I do use Postman

Can you also confirm that your account supports role-based redirects please? I believe that’s a business tier-only feature

I got that impression too but it’s been working just fine on my free account with firefox so assume it had changed. I did mention this to JLonsdorf. I do hope you not going to say it should not be working? Im my view it is fundamentally required for Jamstack - or else you have to have a function for each endpoint to gate access, not at the edge.

can we make sure that you’re following a 2 step approach to the role-based redirects?

The extra 301 you mention is not documented anywhere I saw and I trawled ALL the docs. But a 404 and custom page is perfect for me while I’m in proof of concept stage at least.

Beyond that, is your app a pure static setup where each page is a full browser refresh and location change to pull files from Netlify?

Yes, it’s built with netlify. It’s in a private GitHub repo but I can add you if it helps.

1 Like

Role-based routing is a feature implemented as part of Netlify’s CDN, so it shouldn’t matter which browser you’re using - you should get the same responses from any browser/CLI alike.

I can’t speak to whether or not it works on a non-business-tier account, but fundamentally it shouldn’t and it’s going to be hard to try to support you in building something on a feature set that you shouldn’t have access to. I recognize that you believe it to be a fundamental requirement for Jamstack, but Netlify has to keep the lights on too and provides a massive amount of functionality on their free tier. Role-based routing just isn’t one of those things.


As for all the redirect rules and role based routing, I’m not sure if you were able to find this page, but all of the processing order and rules and how-to is super well documented here:

So I’d recommend reading that page thoroughly. That should explain what I meant by having two rules per route.


Jon

1 Like

Agree and exactly my reason for raising this issue :slight_smile:

I can’t speak to whether or not it works on a non-business-tier account, but fundamentally it shouldn’t and it’s going to be hard to try to support you in building something on a feature set that you shouldn’t have access to.

But as it works in Firefox and taking the above point about browsers I had to assume what worked is what is provided. I did try to query it as seemed strange. How do I get an official position on this? Is it supposes to work or not on free and above?

I recognize that you believe it to be a fundamental requirement for Jamstack, but Netlify has to keep the lights on too and provides a massive amount of functionality on their free tier.

Of course and I’ve not complaints at all on that score. I was just saying for Jamstack to work as well as we like ot say it will we need more edge intelligence in the long run. I can use a function per endpoint to return HTML as long as you support streaming - Azure Functions didn’t

Role-based routing just isn’t one of those things.

Again I’d like an official position because it DOES work. If it should not that does raise some serious concerns.

’m not sure if you were able to find this page, but all of the processing order and rules and how-to is super well documented here:

Yes and it says my simplistic 404 approach is fine, you seemed to indicate it was not.

Thanks again for all your support. I really appreciate it. I’m not sure if you are a volunteer. If so thank you even more.

If Edge gating is only premium I’ll have to rework the code as the charity i am pro bono working for will never afford that tier (https://www.twam.uk/) Iasked about non profit rates but it sems Netlify do not have a scheme so I might see if they will concider open sourcing (I own the IP anyway).

Thanks and I look forward to hearing the offical sposiiton on gating availability. I assume you will be raising this further?

1 Like

No problem :slight_smile: I am indeed a volunteer and you’re quite welcome.

Here’s where I’ll leave the ball for now. Tagging in @perry and @jen both of whom are official Netlify Support folks. They should be able to speak to the official mechanics on the viability of Role-based routing for a non-business-tier account. I’ll leave that to them :grin:

Upon reviewing the docs myself a bit deeper, you are correct! I forgot that the 404 fallback was built-in… I redirect to other pages for unauthorized users on all of my sites for the sake of UX, but the 404 works too! My apologies there.

That said, I think that’s what I was seeing when I poked at your site too. Looking at https://deploy-preview-3--twam-gallant-swirles-d68516.netlify.app and attempting to hit the “RDM” button shows a request going out (in dev tools) and getting a status 404 response. I believe that’s correct behavior.

Is the issue that when logged in as a valid user, you still can’t access the gated content?


Jon

1 Like

I am indeed a volunteer

well you rdoing a stirling job both supporting us and understanding Netlify

Tagging in @perry and @jen

thanks.

My apologies there.

none needed but appreciated :slight_smile:

Attempting to hit the “RDM” button shows a request going out (in dev tools) and getting a status 404 response. I believe that’s correct behavior.

Yes as any new user will automatically get Applicant role. RDM is currently manually added and so will fail.

Is the issue that when logged in as a valid user, you still can’t access the gated content

Yes. Except you can when using Firefox which may actually be a bug it seems, depending on offical position wit hgating on free teir. . As I use Firefox as my dev browser I assumed all was well and carried on developing the proof of concept happy I could use the awesome feture. It was only when someone else tried it faild. They tried Chredge (or perhaps old Edge), Chrome and Opera. - so that’s 2 engines

1 Like

Interesting. Yeah I would pretty much expect it to not work on FireFox either… so I’m wondering if maybe there’s just some strange session carry-over or cookie bugs? Can you try some private tabs or something?

I have to imagine it’s not working because it’s a paid-tier feature :confused: but you’re right, that is odd.


Jon

3 Likes

I got someone else to try firefox and it works for them too. But not on other browsers. spooky!

Can you try some private tabs or something?

Sorry, I don’t understand this?

1 Like

PS flushing cookies seems to make no difference to either user - and I also cleared out my local storage :slight_smile:

1 Like

PPS I just tried in a shiney new FFx profile (no add ons, cache, cookies etc) and I login and can access the gated page I have role for and not other - ie gating works just fine :slight_smile:

1 Like

So let me boil this down because it’s quite strange and I want to make sure we’re being really clear about what you’re seeing:

On a free-tier Netlify site with Identity activated, role-based redirects are, correctly, not working and instead passing back 404’s for the “gate” rule (the 200! role=xyz) even if the role set for that user is xyzexcept when the client browser is Firefox, where somehow that rule kicks in and allows the user through the gate.

Is that correct? What a doozy!

1 Like

Yep!

I guess I got lucky and should have kept quiet! :stuck_out_tongue:

If that is a bug I can only think it must be related to those FFx heads I started this thread with. There’s nothing else surely?

1 Like

In my Team settings

Current plan: Starter

1 Like

Oddly enough, having created an account on your preview site, https://deploy-preview-3--twam-gallant-swirles-d68516.netlify.app/applicant then given a minute for any sort of background updates / plumbing, I too can now see the /applicant path. Didn’t expect that :thinking: This is Safari on macOS 10.15.6.

Fascinating

2 Likes

So that’s FFx or webkit.

We really need to know the offical position on role based gating to know which way to go :slight_smile:

1 Like

If I was going to guess, I’d guess that the role-based gating is actually working, and what you’re seeing in Chromium-browsers is just content-change hiccups. If you used incognito tabs or log out/back in sort of workflows, I’d guess that would work.

My high-level guess at this point is that the role-based gating is actually working for this site. I can’t speculate on why or how. I’ll defer any of that to official Netlify support :slight_smile:


Jon

2 Likes

Sounds eminently feasable. Would need to test chromium on a Business plan.

It also apparently fails in Opera too but I seem to recall they changed engine a while back, perhaps to Chromium.

1 Like

I just recalled I have Brave installed on this windows desktop - works fine too. So your hunch seems even more likely!

1 Like