I am testing <firebase-auth> signInWithPopup() using polymer serve, everything works fine on localhost, but when tried from mobile browser via 192.168.0.x:8080, it fails. Any idea?
Is that because I am signing in from 192.168.0.x, and <firebase-auth> only support either localhost for local testing, or https only (which polymer serve is only http)?
For it to work, you'll need to add in 192.168.0.x into OAuth redirect domains' Authorized domain in Firebase console
Related
I have a project which I have dockerised here: https://github.com/redis-projects/redis-movies/tree/gitpod
I am in the process of trying to get it to work correctly on GitPod, however I am having issues with the frontend react app hitting the backend java service. The react app is running in my local browser so I am confused by which network settings I should use and how to correctly configure.
The docker-compose file when used locally can simply use localhost:8080 to interact with the backend services, but GitPod generates a unique domain over HTTPS. Currently this causes the issues:
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint '<URL>'. This request has been blocked; the content must be served over HTTPS.
This is self-explanatory, I cant make HTTP requests when the site is loaded via HTTPS. & even if I could, its pointing # localhost so the service wont resolve.
How can I setup my docker-compose + gitpod configuration to correctly configure the React URL
Currently use env vars:
REACT_APP_MOVIE_SERVICE_HOST=localhost
REACT_APP_MOVIE_SERVICE_PORT=8080
and this simply builds a url like so (apiConfig.js): http://${process.env.REACT_APP_MOVIE_SERVICE_HOST}:${process.env.REACT_APP_MOVIE_SERVICE_PORT}
Assuming that the backend services are exposed via a public endpoint, I will need to handle any CORs issues since these services are no longer 'local'?
The whole url gets replaced and I don't see the testcafe frame anymore.
It happens when the test is ran against the website being hosted on amazon cloudfront, but if I run the test against the website hosted on localhost, then the redirection works, it doesn't replace the whole url and I can still see the testcafe frame.
Redirect on localhost looks like:
http://<testcafe-ip>:38279/I2zW8XmMh*tOCn5CTOd/<some-new-url>
Redirect on cloudfront looks like:
<some-new-url>
Do you know if amazon cloudfront has some security integrated which might be preventing the website from being embedded into testcafe?
I had the same issue. It works after setting the flag "disablehttp2" https://testcafe.io/documentation/402638/reference/configuration-file#disablehttp2
It seems testcafe-hammerhead has issues with redirection and http2. For me disabling http2 is fine, but there might be cases where it's not. Hope they fix this in hammerhead.
I recently bought a domain name at OVH for an app I hosted on Heroku. I then paid for the dynos in order to set an automatic SSL certificate.
Everything seems to me working fine:
Domain Status Last Updated
─────────── ─────────── ────────────
mpjrigot.eu Cert issued 2 minutes
mpjrigot.fr Cert issued 2 minutes
But my URL is still in HTTP. What am I missing?
EDIT
I'm using React.js for this app
I also have a Ruby on Rails back but for nom i'm keeping that on the heroku.app, works fine
2nd EDIT
Using react-https-redirect, force-https or react-ssl-redirect...
Basically, chrome tells me that "this is not a safe space", and that this is a fake https that might want to steal the user's passwords and stuff
So I got an SSL that is set on my HerokuApp,
I got a domain on OVH that points to the IP of the app
But the http isn't secure somehow
I really think I missed something obvious as I'm new to this...
You can add HTTPS to your app with the following methods.
Method1 (Recommended)
Since, you're using rails for the backend, you can configure your rails app to always use HTTPS.
in your production.rb add
config.force_ssl = true
More Info: https://help.heroku.com/J2R1S4T8/can-heroku-force-an-application-to-use-ssl-tls
ActionDispatch SSL: https://api.rubyonrails.org/v6.1.4/classes/ActionDispatch/SSL.html
Method2 (Easy Setup)
You can also signup for cloudflare's free plan and easily setup https redirects with cloudflare's 'Always Use HTTPS' or 'Automatic HTTPS Rewrites' feature.
The 'Always Use HTTPS' feature will redirect all http requests on your site to https address.
The 'Automatic HTTP Rewrites' feature will change the HTTP links on your site to HTTPS links.
More Info here:
Always use HTTPS: https://blog.cloudflare.com/how-to-make-your-site-https-only
Automatic HTTPS: https://www.cloudflare.com/website-optimization/automatic-https-rewrite/
Cloudflare's SSL: https://www.cloudflare.com/ssl/
cloudflare dashboard
What am I missing?
Heroku provides a certificate, so you should be able to access your application using https://. However it does not redirect HTTP requests to HTTPS for you:
Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.
Exactly how you do that depends on the language and libraries or framework that you are using. Several common examples are listed in the link I provided above.
If you edit your question to tell us what technology you have used to build your application I'll be happy to add those details to this answer. In case you are using Scala, please see How to disable HTTP requests on Heroku and/or auto-redirect to HTTPS?
solution
I eventually read about Heroku needing a specific host that takes in the address they tell you to point to when setting a domain name...
So I switched to Gandi for my domain name and set the ALIAS to point to said adress
Works like a charm
I know there are about a hundred questions of this on SO, but none of them are maybe up-to-date with what seems to be happening on facebook platform right now. It seems the switch that turns off SSL is disabled:
It may be hard to see, but the "Enforce HTTPS" toggle is greyed out and can't be toggled. I'm all for enforcing HTTPS in production, but is everyone who is building against facebook API really setting up an SSL certificate on their local server just for this?
You will still be able to use HTTP with “localhost” addresses, but
only while your app is still in development mode.
You can change the App mode to Development Mode from App Dashboard:
In this mode you can only test your application with Facebook test user accounts. You can obtain the test accounts login credentials from your app dashboard.
Please note, http://localhost redirects are automatically allowed while in development mode only and do NOT need to be added in Valid OAuth Redirect URIs section.
Read more about it in this Facebook Blog.
2021 update: Facebook do not allow localhost over HTTP any more. You will need to get your site working locally over HTTPS for testing. This is despite their blog post and the literal Facebook developer console assuring you that they allow localhost over HTTP by default.
paste this in your client json
"start": "set HTTPS=true&&react-scripts start",
next copy and enter this in your url bar .
chrome://flags/#allow-insecure-localhost,
and set Allow invalid certificates for resources loaded from localhost to enabled
The most simple way to test your facebook login, since you cannot dissable anymore "Enforce HTTPS" option, is to use ngrok:
ngrok.com
Im linux user. After installing it just type at your terminal:
ngrok http 80
and automaticly will be created a new https domain just for your local project. You will see an ui interface in your terminal and your secure domain will be that who starts with https://
Copy the domain and use it in developers.facebook.com in your app to see if you code is good or not.
If is good its ok keep going until you will host your project on a secure domain.
For more info and docs about ngrok.com see:
ngrok docs
This setting requires HTTPS for OAuth Redirects, and it requires and Facebook JavaScript SDK calls that return or require an access token are only from HTTPS pages. All new apps created as of March 2018 have this setting on by default, and you should plan to migrate any existing apps to use only HTTPS URLs by October 6, 2018.
Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt.
https://developers.facebook.com/docs/facebook-login/security
I have a ruby on rails 3 app hosted on heroku with a custom domain. It uses oauth to allow the user to log in through Facebook. After a user logs in through Facebook, the next time they type in our domain in Firefox (tested on FF 15.0.1 on Mac) it automatically fills in https before the address (So the user is used to typing "example.com" into the address bar and pressing ENTER, but Firefox changes that to https://www.example.com). This of course shows the "This Connection is Untrusted" warning page (http://support.mozilla.org/en-US/kb/connection-untrusted-error-message) since we do not have an SSL certificate instead of loading our page.
This only seems to happen with Firefox (tested on Chrome and Safari as well).
I've tried redirecting the rails action that we point to for root to the http protocol version using this example (http://captico.com/securing-specific-routes-in-rails-3/2011/02), but that didn't work. I've also tried adding the ssl_requirement gem (https://github.com/bartt/ssl_requirement) and excluding the action that we point to for the root domain, but then I just got a bad URI error.
We're in money saving mode right now as we test out the site and slowly grow in users. I believe the best thing to do is to pay the money for our own SSL cert, as well as the $20/month to heroku to get SSL for our custom domain. But for now, we'd like to avoid having these extra costs.
Is there a way to fix this for free?
To fix it for free, use the *.herokuapp.com domain instead of a custom domain.