Alright, can confirm this will work for our use case; I do have to add a line (via this plugin) to PostsController to allow it to skip CSRF checking via the api:
One thing I wasn’t clear on was whether we are posting all of the responses in a single topic, or each response gets its own topic?
Next up: There’s CORS trouble with hitting the multisite endpoint as well (obviously 'localhost:8080 isn’t a great thing to put in your list of accepted origins), but I’m hoping I’ll be able to install that plugin locally as well and get an end-to-end test going soon.
Hey @matthias, could you confirm or deny for me that users created via multisite_account.json are set to ‘active’ or not? They’ll need to be based on this line in Discourse:
I believe there’s an option in the discourse api to pass active or not when creating an sso user, but I’m not sure if we’re using it or not:
So the new “master account” over at our SSO provider site communities.edgeryders.eu is not set to active, but the new edgeryders.eu account is set to active. Due to that, you should be able to use the returned edgeryders.eu API key immediately.
Alright, I think this is ready for an initial test run; I’ve gotten it posting to a local discourse instance using the multisite-accounts plugin and mimicing the setup we’ll have in production as closely as possible.
Three things will need to happen on the edgeryders.eu instance:
Set the DISCOURSE_ENABLE_CORS env to something truthy if it’s not already
Add the domain hosting the vue app to the cors_origins site setting on the admin panel
Steps 1 and 2 will need to be repeated on communities.edgeryders.eu as well.
Here’s the env we’ll want to set for the vue app:
VUE_APP_DISCOURSE_USER_URL=http://communities.edgeryders.eu/multisite_account.json
VUE_APP_DISCOURSE_AUTH_KEY=<auth_key>
VUE_APP_DISCOURSE_DOMAIN=edgeryders.eu
VUE_APP_DISCOURSE_TOPIC_URL=http://edgeryders.eu/posts.json
VUE_APP_DISCOURSE_CATEGORY=343 (<-- this will be changed to 339 for the actual category)
Let me know what snags you run into, and if it successfully gets going, what additional design / styling / functionality work should be done?
I’ll get this done as soon as I can carve out the time. Could still be 2 days from now since we’re all squeezed right now to finish some website and communications materials for parallel projects …
Hey @matthias what’s the ETA on this one? I’m aware of the tight deadline and want to make sure we’re not in a position where the conference is looming and things aren’t working properly
The env file naming in your Vue.js application is automatically including the deployment environment? So should I name the file .env.production probably? If so, how does it get to know about what deployment environment it’s in?
(I’ve set up the Vue.js application on https://bio26testing.edgeryders.eu/ now. Not sure yet about the env part though. Anyway, now to finishing the changes to Discourse …)
Ok @gdpelican … we’re getting closer to success here, but it’s still a bit of way to go I followed all your instructions, and:
Now when testing https://bio26.edgeryders.eu, in the last step I get a red error message “TypeError: Failed to fetch” on screen, and “Failed to load response data” in the web dev tools’ “Network” tab for the request to https://communities.edgeryders.eu/multisite_account.json. I guess that means my CORS settings on communities.edgeryders.eu are not yet accepted.
So far I have:
Created a file app.yml in the root of the Discourse project file tree and put in the following:
env:
DISCOURSE_ENABLE_CORS: true
(We’re running Discourse standalone, without Docker. So we don’t have the app.yml file by default.)
Added the following entry the “cors origins” setting in the communities.edgeryders.eu admin backend:
Thanks, that helped! The setting was even already in the discourse.conf file, waiting to be enabled. Just not named DISCOURSE_ENABLE_CORS …
Now the user is created alright, on both communities.edgeryders.eu and edgeryders.eu. The final call to https://edgeryders.eu/posts.json still fails, indicating another CORS problem. On this now …
Ok, I got past the CORS problem … means, the browser is sending the final posts.json request now. Also, when I simulate a CORS pre-flight request with curl, I get the expected response incl. Access-Control-Allow-Headers: […] Api-Key, Api-Username. Which means your plugin is running, as it’s adding these two values.
So far, so good. But I get a “403 Forbidden” response for the actual POST request to posts.json.
tl;dr: That must be a bug in the version of Discourse running edgeryders.eu and happens for all authentication with an Api-Key: header. It does not happen on our Communities sites (listed in the top-right menu “Communities” above), which is running a very recent Discourse version. Solution: I’ll make a test environment on a Communities sites, and get our Discourse guy to update the edgeryders.eu installation upon his return. If he’ll not get back in time, we’ll also have to place @natalia_skoczylas’s responses into a Communities site at first. Really don’t have the time myself right now for a full Discourse update
@gdpelican please have a little more patience while I create a testing environment on one of the Communities websites …
Details about investigating the error
But I get this as a response to the posts.json query:
status code: 403 Forbidden
response content:
{
"errors": ["You need to be logged in to do that."],
"error_type": "not_logged_in"
}
server access log entry by Discourse:
Started POST "/posts.json" for [IP address] at 2019-10-25 12:50:48 +0200
Processing by PostsController#create as JSON
Parameters: {"title"=>"…", "raw"=>"…", "category"=>"339", "post"=> {"raw"=>"…"}}
Completed 403 Forbidden in 1ms (Views: 0.1ms | ActiveRecord: 0.0ms)
This happens with all requests that use Api-Key: header for authentication, regardless of the API route / endpoint. Even a simple GET request to an access protected topic is failing on edgeryders.eu:
curl 'https://edgeryders.eu/t/about-the-survey-tests-category/11116' -H 'Api-Key: [redacted]' | less
Things that are not causing this:
Wrong API key. Because the same API key works, for GET requests, when appended as a GET parameter.
Reverse proxy setup. Our Discourse site is reverse proxied by Apache, but the same behavior is seen when accessing the Discourse Puma server directly at http://edgeryders.eu:9292 (note: HTTP only; also note: works with curl, but does not show anything in the browser as JS and other static assets are served by the Apache reverse proxy). So I can exclude that this is because the Api-Key: header would get lost during the proxying.
The error, as tested with the above simple curl GET query for an access protected topic, does not happen on our more recent Discourse installation running the Communities sites. So it must be due to a bug in Discourse, and needs an update of the edgeryders.eu installation.
Necessarily, the target category is public, as the new users are not members of any groups that would allow them to post in a hidden category. Due to this, let’s be a bit careful when testing to not spam everyone else on the platform. (Just a bit careful. 30 posts are still ok, just not 300.)
Also when testing, please use consistent naming for the e-mail addresses and also so that it expresses that these are for testing purposes only. That will help me delete all test users in the end. The e-mail addresses do not have to exist, so you can for example use a scheme like this:
Next step: I added a few issues on Github I found during my testing, for @gdpelican to work on. @natalia_skoczylas should do thorough testing now and report everything that should be changed, either in this thread or as a Github issue. No need to report spelling mistakes etc. though, this is our part to adapt when we install the live version. Also @nadia may want to have a look to see how a similar form can be used for the H2020 projects.