AGURRU
Redirecting from external URL remaining authenticated
Hi I am struggling to achieve the flow that I would like. I have a form that a user submits and if successful I redirect the user to an external url to complete some actions.
This external url can POST back to my site via a web hook that I can validate and either do an action or just redirect the user to a page I want.
However the issue I am facing is that we lose the csrf_token or it become invalidated and it no longer has the current_user assigns.
How can I have it so the webhook triggers and the user returns to our site with valid csrf token and the current_user assigned?
I have no control to change the external webhook but I can validate it as being a genuine message from said source.
Could it be as simple as not redirecting a user after the form submits but opening a new tab instead?
All suggestions welcome
Most Liked
LostKobrakai
I’d suggest looking a the oauth2 flow. What you described sounds like 90% of the flow they use for external authentification.
LostKobrakai
The session does continue if the user is making the http request from their browser.
Your issue is that it’s not the user making the http request, but the external server if I understood you correctly. That web hook http request essentially has no relationship with your user and even less with the browser window your user has open.
You either want that external page to redirect the user(s browser) back to your website or you’re better of embedding the external site e.g. in an iframe.
derek-zhou
You can’t; if the browser attaches your session cookie with cross site posts then all hell breaks loose. Think about all the phishing sites / emails out there.
The best you can do is redirect and post again. I had a blog post on this: Pass data from site A to site B Basically, you let the user confirm the data again.
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #javascript
- #code-sync
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








