400 error after POST when redirecting with an action

davidpmccormick · April 27, 2022, 11:39am

The docs for redirecting with actions indicate that when passing information back to the action this should be done as a POST.

We’re using axios to POST a JWT back to the /continue endpoint, with all the keys that the docs indicates are required (including state), but this results in a 400 Bad Request.

If instead we redirect with a GET putting the session_token and the state as query params, everything works, but this is counter to the recommendation in the docs which (maybe?) indicate that POSTing is necessary ‘to avoid replay attacks’.

Is there something missing from the docs regarding what needs to be included/configured for a POST to the /continue endpoint. Is a GET request a security concern/not recommended?

dan.woda · April 27, 2022, 5:40pm

Hi @davidpmccormick,

Welcome to the Auth0 Community!

Can you please share a code snippet of the POST request you are making? Additionally, can you share the full error message? Usually there is some more info about why the request failed.

davidpmccormick · April 28, 2022, 9:10am

Hi @dan.woda

Thanks for getting back.

Here’s the NextJS api route that is handling the POST

Here’s a gist of the error

And a gist of the post-login action we’re testing with for good measure.

As I mentioned, this does work if we do it with a redirect rather than using axios to POST.

dan.woda · April 28, 2022, 3:24pm

Thanks for posting your code!

From what I can tell, you are missing the state param in this request:

github.com

wellcomecollection/wellcomecollection.org/blob/main/identity/webapp/pages/api/registration.ts#L33


      
              );
          
          
    const accessToken = response.data.access_token;
              const decodedToken = jwt.decode(accessToken);
              if (decodedToken && typeof decodedToken === 'object' && decodedToken.exp) {
                return { accessToken, expiresAt: decodedToken.exp };
              } else {
                throw new Error("Can't extract expiry claim from token");
              }
            },
            () => ({
              baseURL: config.remoteApi.host,
              headers: {
                'x-api-key': config.remoteApi.apiKey,
              },
              timeout: 10 * 1000, // 10 seconds
            })
          );
          
          
/** Extracts the user ID from a session token, or throws if the user ID
           * can't be retrieved.

You should be passing the state param from the original request back like this:

https://YOUR_DOMAIN/continue?state=abc123

I have to admit, the docs aren’t very clear on this. I am going to submit some feedback to the team and let them know this could be improved.

davidpmccormick · April 28, 2022, 7:33pm

Thanks @dan.woda.

The state claim is part of the jwt (newToken) i.e. you can see it if you decode the below at jwt.io. Although I had already tried what you suggest, and ~~the error remains the same~~ edit: the error is then a 401 (here’s a gist of that error).

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NTExNzQxNzcsImlzcyI6Imh0dHBzOi8vZGV2LXVpcWx1MmN4LnVzLmF1dGgwLmNvbS8iLCJzdWIiOiI4T3JKNmlBWGlzd1RXS3Y3anRrRmVEZ2NPcFNnVnh4eiIsImV4cCI6MTY1MTE3NTA3NywiaXAiOiI4MS4xMTAuMjI5LjE1NyIsImF1ZCI6Imh0dHBzOi8vd2VsbGNvbWVjb2xsZWN0aW9uLm9yZy9hY2NvdW50L3JlZ2lzdHJhdGlvbiIsInN0YXRlIjoiaEtGbzJTQmliblpzWDFCSWJsOHpaa294WVUxV1JuWkhTbVJHUVdWcmFrVm1kSGxzVnFGdXFISmxaR2x5WldOMG8zUnBaTmtnYVV0RVpHaG1SWE5sZVZKbU1FTTJSbTh0U2tZMUxWWXhWVTFDTVRSWFUxcWpZMmxrMlNBNFQzSktObWxCV0dsemQxUlhTM1kzYW5SclJtVkVaMk5QY0ZOblZuaDRlZyIsImh0dHBzOi8vd2VsbGNvbWVjb2xsZWN0aW9uLm9yZy90ZXJtc19hZ3JlZWQiOiJ0cnVlIiwiaHR0cHM6Ly93ZWxsY29tZWNvbGxlY3Rpb24ub3JnL2ZpcnN0X25hbWUiOiJEYXZpZCIsImh0dHBzOi8vd2VsbGNvbWVjb2xsZWN0aW9uLm9yZy9sYXN0X25hbWUiOiJNY0Nvcm1pY2sifQ.7OzD5hdLOdeFGTLT36nwAHKu2ICvpUMBrMiTtIxxq3w

What authorization or config is required/possibly missing here?

melrogan · May 4, 2022, 6:14am

Hey Dan and auth0 folks,

Really appreciate your help on this. Just wondering if you’re able to help further with this issue? A redirect to /continue with state works but an axios POST to /continue with state doesn’t work (David shared the error above).

The documents don’t make it super clear, should a POST work?

Many thanks for the help, after a few days of debugging and trawling documents any light you can shed or help you can offer would be very much appreciated.

dan.woda · May 4, 2022, 8:09pm

Hi @melrogan, @davidpmccormick,

Sorry for the delay, I think the confusion here is related to next js (I’m not intimately familiar with the framework.)

I suspect this issue is because you are making a post from your backend, and it doesn’t include the cookies needed in the request. Stated in this doc: 401 Unauthorized error when calling /continue endpoint after a redirect from the rules

I am able to make a POST to the /continue endpoint and continue my transaction. here is an example:

davidpmccormick · May 5, 2022, 9:37am

Thanks @dan.woda

I’d previously pursued that line of enquiry but had concluded it wasn’t the root of the issue. I’ve had another bash this morning, sending all the cookies along with the POST, but still getting a 401.

I’d love to get to the bottom of this for 1. anyone else who encounters this issue and 2. my own sanity. But in the meantime we’re going to resort to using the management API and circumvent the requirement to do it this way.

I couldn’t see any immediately relevant-looking cookies (hence why I sent them all along). Do you know which one/ones we should be looking for?

I’ll probably keep tinkering away at it to see what I’m missing.

dan.woda · May 5, 2022, 2:50pm

@davidpmccormick,

I would suspect it would be the auth0 cookie.

Is it possible to make the request from your frontend?

jamie.9 · June 27, 2022, 2:13am

Hi @davidpmccormick,
Were you able to resolve this one? even we are trying to implement the same but only a GET request is working and POST is failing.

@dan.woda , could you please help us with concrete resolution, Also, as per the document it says state should be passed within the token.

davidpmccormick · June 27, 2022, 8:53am

I’m afraid we never did @jamie.9 – we ended up opting for a different approach off the front channel. IIRC our suspicion was that the issue was likely to do with cookies not being set, though.

konrad.sopala · January 8, 2024, 12:49pm

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!