I’m currently working on integrating Discourse with our website as an internal discussion board for senior users of the system. We are obviously using the SSO feature for this, and that bit is working just fine.
One of the requirements of this integration is that we need to implement a short session timeout to match the main site. Currently I have the maximum session length set to Discourse’s minimum of 1 hour. It seems like setting this does work and the session does expire, however, the way this interacts with the SSO feature seems to be a bit broken – if I leave my browser tab idle for over an hour, coming back and clicking on any of the links (such as “Top” or “Latest”) results in a network error:
Network Error
while trying to load /latest.json?order=default
Please check your connection.
Go Back Try Again
In the Chrome console, there are a few errors, the most notable one appearing to be the one relating to a CORS pre-flight check:
Access to XMLHttpRequest at 'https://admin.staging.mysite.com/forum_signon?sso=bm9uY2U9OTY1M2Q1ZjlmOGUxMjZmZjhhODJjYTdhOTYyZjFiMjUmcmV0dXJuX3Nzb191cmw9aHR0cHMlM0ElMkYlMkZmb3J1bS5zdGFnaW5nLnRyYWMuam9icyUyRnNlc3Npb24lMkZzc29fbG9naW4%3D&sig=2889e690213982ba4f58dd69bb25701310f4ac70c77e290b97cfc78f3bf80b62' (redirected from 'https://forum.staging.mysite.com/latest.json?order=default&_=1546878286501') from origin 'https://forum.staging.mysite.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
{readyState: 0, getResponseHeader: ƒ, getAllResponseHeaders: ƒ, setRequestHeader: ƒ, overrideMimeType: ƒ, …}
Error while processing route: discovery.latest
undefined
That forum_signon URL is the SSO endpoint. It looks like what Discourse is doing is responding to the AJAX request for /latest.json with a 302 redirect to the SSO URL, which then fails because the SSO provider doesn’t allow the CORS request. In fact, according to the Network panel, the requests go /latest.json → /session/sso → https://admin.staging.mysite.com/forum_signon
Note that I did also try modifying the SSO provider to set an Access-Control-Allow-Origin header, but this didn’t seem to help either.
Have I managed to mess up the configuration somewhere, or is this a bug in Discourse’s SSO / AJAX handling?
We’re running a couple of minor releases behind the latest stable at 2.1.2 (although I couldn’t see anything relevant in the git logs between that and 2.1.6).
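The sequence the post describes (an idle session expires, a background request for /latest.json is answered with a 302 to the SSO provider on another origin, and the browser's CORS check blocks the redirected XHR) can be modelled in a few lines. The example below is an added illustration, not Discourse code or the poster's configuration: it contrasts a handler that redirects every unauthenticated request with one that answers XHR/fetch calls with a 401 plus a JSON body naming the login URL, so the client can do a full-page navigation instead of following a cross-origin 302. The origin, SSO URL and request objects are constructed placeholders, and the browser model is deliberately simple (any cross-origin 302 reached by XHR is treated as blocked; in reality the outcome depends on the provider's CORS headers).

```ruby
# Added example (not Discourse's code): why answering an expired-session XHR
# with a 302 to a cross-origin SSO endpoint fails, and a defensive alternative.
require 'json'

SSO_URL      = 'https://admin.example.invalid/forum_signon' # placeholder provider
FORUM_ORIGIN = 'https://forum.example.invalid'              # placeholder forum

# Heuristic used by many frameworks to tell a background request from a
# top-level navigation.
def xhr_request?(headers)
  headers['X-Requested-With'] == 'XMLHttpRequest' ||
    headers.fetch('Accept', '').include?('application/json')
end

def ok_body
  { status: 200, headers: { 'Content-Type' => 'application/json' },
    body: { latest: [] }.to_json }
end

# Behaviour described in the post: every unauthenticated request, XHR or not,
# is redirected to the SSO provider.
def redirect_everything(request)
  return ok_body if request[:session_valid]
  { status: 302, headers: { 'Location' => SSO_URL }, body: '' }
end

# Hardened variant: navigations still get the redirect, but XHR/fetch calls
# get a 401 whose JSON body tells the client where to send the user.
def redirect_navigations_only(request)
  return ok_body if request[:session_valid]
  if xhr_request?(request[:headers])
    { status: 401, headers: { 'Content-Type' => 'application/json' },
      body: { error: 'session_expired', login_url: SSO_URL }.to_json }
  else
    { status: 302, headers: { 'Location' => SSO_URL }, body: '' }
  end
end

# Minimal browser model. An XHR that receives a 302 is followed automatically;
# if the target is another origin the redirected request is subject to CORS,
# which this model treats as blocked (assumption, see lead-in). A 401 is handed
# back to the page's JavaScript, which can then navigate to login_url.
def browser_outcome(response, origin, xhr:)
  case response[:status]
  when 200 then :ok
  when 401 then :reload_to_login
  when 302
    target_origin = response[:headers]['Location'][%r{\Ahttps?://[^/]+}]
    return :navigated_to_login unless xhr
    target_origin == origin ? :followed_same_origin : :cors_blocked
  else :unknown
  end
end

# Constructed requests standing in for an idle tab's background fetch and for
# a user clicking a link that causes a full page load.
CONSTRUCTED_XHR = { session_valid: false,
                    headers: { 'X-Requested-With' => 'XMLHttpRequest',
                               'Accept' => 'application/json' } }
CONSTRUCTED_NAV = { session_valid: false, headers: { 'Accept' => 'text/html' } }

if __FILE__ == $PROGRAM_NAME
  puts "redirect everything, XHR:      #{browser_outcome(redirect_everything(CONSTRUCTED_XHR), FORUM_ORIGIN, xhr: true)}"
  puts "redirect navigations only, XHR: #{browser_outcome(redirect_navigations_only(CONSTRUCTED_XHR), FORUM_ORIGIN, xhr: true)}"
  puts "redirect navigations only, nav: #{browser_outcome(redirect_navigations_only(CONSTRUCTED_NAV), FORUM_ORIGIN, xhr: false)}"
end
```

The first handler reproduces the post's symptom (the XHR ends in a CORS block, which the page shows as a generic network error); the second keeps the same redirect for real navigations while giving the client-side router a status it can act on.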