Adjust routing, fix logout, move session secret key to own variable (#…

…178)

.env.example

@@ -47,3 +47,4 @@ KEYCLOAK_CLIENT_ID=
 KEYCLOAK_CLIENT_SECRET=
 
 APISIX_PORT=9080
+APISIX_SESSION_SECRET_KEY=must_be_at_least_16_chars

README.md

@@ -64,6 +64,9 @@ The following settings must be configured before running the app:
 
   The URL for an optional "chooser" page. If the `establish_session` call happens without a valid system slug, the user gets sent here so they can choose which cart they want to see.
 
+- `APISIX_SESSION_SECRET_KEY`
+
+  The secret key that APISIX will use to encode session data. This has a reasonable default, but if you do specify this, make sure the key you specify is _at least_ 16 characters long and is not numeric. (It can contain numbers but if you just put in 12345.. it will complain.)
 
 ### Loading and Accessing Data
 
@@ -109,6 +112,8 @@ Use the documentation and the APISIX source code to determine what goes in each
 
 Note that, since APISIX is run in "decoupled"/"standalone" mode, you _cannot_ use the API to control it. All changes and state introspection is done from the yaml files.
 
+If you're getting 404 errors for all routes, make sure you've set the session key as noted above, and watch the logs for the `api` container. Debug mode is turned on so you should see errors on startup if it's unable to parse the routes file (`apisix.yaml`).
+
 ## Code Generation
 
 Unified Ecommerce uses [drf-spectacular](https://drf-spectacular.readthedocs.io/en/latest/) to generate an OpenAPI spec from Django views. Additionally, we use [OpenAPITools/openapi-generator](https://github.com/OpenAPITools/openapi-generator) to generate Typescript declarations and an API Client. These generated files are checked into source control; CI checks that they are up-to-date. To regenerate these files, run

config/apisix/apisix.yaml

@@ -8,20 +8,29 @@ routes:
   - id: 1
     name: "ue-unauth"
     desc: "Unauthenticated routes, including assets and checkout callback API"
-    priority: 0
+    priority: 1
     upstream_id: 1
-    plugins: {}
+    plugins:
+      cors:
+        allow_origins: "**"
+        allow_methods: "**"
+        allow_headers: "**"
+        allow_credential: true
+      response-rewrite:
+        headers:
+          set:
+            Referrer-Policy: "origin"
     uris:
-    - "/api/v0/payments/checkout/result/*"
-    - "/static/*"
-    - "/api/v0/schema/*"
+    - "/api/*"
+    - "/_/*"
+    - "/logged_out/*"
     - "/auth/*"
-    - "/_/v0/meta/apisix_test_request/"
-    - "/logged_out/"
+    - "/static/*"
+    - "/favicon.ico"
   - id: 2
     name: "ue-default"
     desc: "Wildcard route for the rest of the system - authentication required"
-    priority: 1
+    priority: 0
     upstream_id: 1
     plugins:
       openid-connect:
@@ -33,7 +42,9 @@ routes:
         bearer_only: false
         introspection_endpoint_auth_method: "client_secret_post"
         ssl_verify: false
-        logout_path: "/logout/"
+        session:
+          secret: ${{APISIX_SESSION_SECRET_KEY}}
+        logout_path: "/logout"
         post_logout_redirect_uri: ${{UE_LOGOUT_URL}}
       cors:
         allow_origins: "**"
@@ -45,6 +56,18 @@ routes:
           set:
             Referrer-Policy: "origin"
     uris:
-    - "/*"
+    - "/cart/*"
+    - "/admin/*"
+    - "/establish_session/*"
+    - "/logout"
+  - id: 3
+    name: "ue-logout-redirect"
+    desc: "Strip trailing slash from logout redirect."
+    priority: 0
+    upstream_id: 1
+    uri: "/logout/*"
+    plugins:
+      redirect:
+        uri: "/logout"
 
 #END

docker-compose.yml

@@ -76,14 +76,14 @@ services:
       - django_media:/var/media
 
   api:
-    image: apache/apisix
-    platform: linux/amd64
+    image: apache/apisix:latest
     environment:
     - KEYCLOAK_REALM=${KEYCLOAK_REALM:-ol-local}
     - KEYCLOAK_CLIENT_ID=${KEYCLOAK_CLIENT_ID:-apisix}
     - KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET}
     - KEYCLOAK_DISCOVERY_URL=${KEYCLOAK_DISCOVERY_URL:-https://kc.odl.local:7443/realms/ol-local/.well-known/openid-configuration}
     - APISIX_PORT=${APISIX_PORT:-9080}
+    - APISIX_SESSION_SECRET_KEY=${APISIX_SESSION_SECRET_KEY:-something_at_least_16_characters}
     - UE_LOGOUT_URL=${UE_LOGOUT_URL:-http://ue.odl.local:9080/auth/logout/}
     ports:
       - 9080:9080

unified_ecommerce/settings.py

@@ -134,7 +134,7 @@
 LOGIN_URL = "/login"
 LOGIN_ERROR_URL = "/login"
 LOGOUT_URL = "/logout"
-LOGOUT_REDIRECT_URL = "/logged_out"
+LOGOUT_REDIRECT_URL = "/logged_out/"
 
 ROOT_URLCONF = "unified_ecommerce.urls"
 

users/views.py

@@ -40,12 +40,14 @@ def establish_session(request):
     session check API endpoint.
     """
 
+    next_url = settings.MITOL_UE_PAYMENT_BASKET_CHOOSER
+
     if "next" in request.GET:
         try:
             system = IntegratedSystem.objects.get(slug=request.GET["next"])
             next_url = f"{settings.MITOL_UE_PAYMENT_BASKET_ROOT}{system.slug}/"
         except IntegratedSystem.DoesNotExist:
-            next_url = settings.MITOL_UE_PAYMENT_BASKET_CHOOSER
+            pass
 
     next_url = request.session.get("next", next_url)