Volto seamless deployment issue with /@@download/

rnunez · September 29, 2021, 8:54pm

My configuration file works if I'm logging to both volto proxied by Nginx and the Plone on 8080, but as soon as I sign out of 8080. I get unauthorized on the @@download file in the proxied content (the files are not met to be public).

Looking at the network activity, the proxy serves the files if the __AC cookie exists in that domain, but volto does not set a __ac cookie when logging in.

Any advice on how to get volto and Plone to play nice?

sneridagh · September 30, 2021, 10:12am

Files (and images) have a special treatment in Volto, so the token is used when accessing to them.

Take a look at https://volto.kitconcept.com/ (before tonight, when it will be reseted).

I added a file and a link to that file:

https://volto.kitconcept.com/plone-icon.pdf/@@download/file

So Volto proxies the request for you and return the data from Plone (using the token, thus authenticated).

Don't know the source where you encounter your problem, but I bet that if you are getting the file from the backend by a custom component, you should use flattenToAppUrl helper:

import {
  flattenToAppURL
} from '@plone/volto/helpers';

and use it in your code. It does transform an API response using Plone URL to the Volto one, see how it is used in Volto core:

github.com

plone/volto/blob/42b1391c63847493e7a9472895cef515d3c2f7af/src/components/manage/Blocks/Image/Edit.jsx#L275-L290

    
      
          src={
            isInternalURL(data.url)
              ? // Backwards compat in the case that the block is storing the full server URL
                (() => {
                  if (data.size === 'l')
                    return `${flattenToAppURL(data.url)}/@@images/image`;
                  if (data.size === 'm')
                    return `${flattenToAppURL(
                      data.url,
                    )}/@@images/image/preview`;
                  if (data.size === 's')
                    return `${flattenToAppURL(data.url)}/@@images/image/mini`;
                  return `${flattenToAppURL(data.url)}/@@images/image`;
                })()
              : data.url
          }

However, in seamless mode that should not be a problem. Did the responses that you get from the API has the same URL than where Volto is hosted?

Hope this helps!

sneridagh · September 30, 2021, 10:14am

Reading again your problem, could be more specific and tell us more about your deployment? I might have answered the wrong question.

rnunez · September 30, 2021, 2:29pm

We created a custom content type and custom views in volto to list the items, which works when developing but when we are testing out deployment (nginx, volto, plone) the files downloaded from volto only if you are logged in to both volto and plone.

NGING Config:

upstream frontend {
  server IP-ADRESS-HERE:3000;
}
upstream backend {
  server IP-ADRESS-HERE:8080;
  server IP-ADRESS-HERE:8081;
  # server localhost:8082;
  # server localhost:8083;
  # server localhost:8084;
  # server localhost:8085;
  # server localhost:8086;
  # server localhost:8087;
}

server {
  listen 80 default_server;
  server_name  _;
  client_max_body_size 300m;

  access_log  /var/log/nginx/volto-access.log;
  error_log /var/log/nginx/volto-error.log debug;

  location ~(.*)$ {
    location ~* \.(js|jsx|css|less|swf|eot|ttf|otf|woff|woff2)$ {
      add_header Cache-Control "public";
      expires 1y;
      proxy_pass http://frontend;
    }

    location ~* static.*\.(ico|jpg|jpeg|png|gif|svg)$ {
      add_header Cache-Control "public";
      expires 1y;
      proxy_pass http://frontend;
    }

    if ($http_accept = 'application/json') {
      proxy_pass http://backend/VirtualHostBase/http/$host/enc/plone/ycdocs/VirtualHostRoot$request_uri;
    }

    location ~ (.*)/@@images/ {
      add_header Cache-Control "private";
      expires 1m;
      proxy_pass http://backend/VirtualHostBase/http/$host/enc/plone/ycdocs/VirtualHostRoot$request_uri;
    }

    location ~ (.*)/@@download/ {
      add_header Cache-Control "private";
      expires 1m;
      proxy_pass http://backend/VirtualHostBase/http/$host/enc/plone/ycdocs/VirtualHostRoot$request_uri;

    }

    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_pass              http://frontend;
  }

}

sneridagh · September 30, 2021, 2:49pm

So as far as I can understand, for private images while accessing anonymously, the redirect brings you to directly to Plone, that since it sees the image private, then it asks you for login.

For the use case when you are authenticated via Volto auth I think the problem should not be present if you use latest plone.restapi and latest Volto.

While developing, the problem is not there, since the development proxy is present, then it redirects to the backend properly. For me it has nothing to do with the __ac cookie.

The solution is not straightforward, and probably we should add more logic to the Volto SSR server to be able to handle this in seamless mode adequately.

I will create an issue noting this problem and try to tackle asap. Seamless mode is in "experimental" mode and further should be done in the subject, specially refine production deployments. The idea behind seamless mode was the "Zero configuration" for this mode, so the builds do not depend on any build-time config. Any feedback like this one from you is very much appreciated!

If you need to work this out in short, I recommend you to switch to a "traditional" Volto/Plone deployment where the API is under a directory (eg. /api).

rnunez · September 30, 2021, 3:32pm

Thanks

sneridagh · September 30, 2021, 6:07pm