
Multisite preview cross domain shows login #68

Open
JodebaDigitalPulse opened this issue Sep 26, 2023 · 5 comments

Comments

@JodebaDigitalPulse

Describe the bug

Opening an entry preview in the control panel shows the login page. Only for entries of other domain names.

Steps to reproduce

  1. Multisite with several domain names
  2. Open the control panel on the main domain (only one domain has /admin enabled)
  3. Open an entry belonging to another domain
  4. Click the preview button

Craft CMS version

4.5.4

Plugin version

2.0.10

Multi-site?

Yes

Additional context

I checked issue #21 , but the code is not the same anymore.

In KnockKnock.php:100 an authenticated user is required.

But it is impossible for the other domain to be authenticated, because the /admin always redirects to the main domain.

@engram-design
Member

So I can see the issue that we're enforcing an authenticated session, and that's mainly to protect against a very simple workaround people could use if the check was just "is the request a live preview one". This opens up a way to circumvent the plugin.

I'll have to give it some more thought, but for the moment, previewing other domains will present you with the login challenge.

@JodebaDigitalPulse
Author

I forgot to mention that, when you try to log in, there is a CSRF error because the token cookie is blocked because of the cross-domain fact as well. So it is impossible to preview, even when trying to log in to Knock Knock. Even when you logged in to Knock Knock before, I guess not all the cookies are usable because the preview is loaded in an iframe from another domain.

But indeed, $request->getIsPreview() is not checking for a valid token, so easy to work around it.

For our needs, it is not as much of a security issue. So I was thinking of adding an allow-url-pattern with the preview query, but the query string is removed before checking the allowed URLs.

So, there is no way to make this work for our case for now.
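An added sketch, not Knock Knock's own code, of the difference the thread describes: a check that trusts only the preview query parameter versus one that requires a token Craft itself issued. It assumes Craft 4's craft\web\Request methods getIsPreview(), getHadToken() and getToken() behave as documented (getToken() throws BadRequestHttpException for an invalid token), and that a token-based exemption is acceptable for the site in question.

```php
<?php
// Added example (not the plugin's code). Assumes craft\web\Request from Craft 4:
//   getIsPreview()  only inspects the x-craft-preview / x-craft-live-preview
//                   query params, so anyone can set them;
//   getHadToken()   reports whether a token param/header was sent;
//   getToken()      returns the token only if Craft issued it and it is
//                   unexpired, throwing BadRequestHttpException otherwise.

use craft\web\Request;
use yii\web\BadRequestHttpException;

// Weak: appending ?x-craft-preview=1 to any front-end URL would satisfy this
// check, so on its own it lets a visitor skip the Knock Knock password prompt.
function previewBypassWeak(Request $request): bool
{
    return $request->getIsPreview();
}

// Hardened: exempt the request when the visitor already holds an authenticated
// Craft session (what the plugin enforces today), or when the preview request
// carries a token that Craft generated for it. The token path does not depend
// on the session or CSRF cookies, which is why it still works when the preview
// iframe is loaded from a different domain.
function previewBypassHardened(Request $request): bool
{
    if (!\Craft::$app->getUser()->getIsGuest()) {
        return true;
    }
    if (!$request->getIsPreview() || !$request->getHadToken()) {
        return false;
    }
    try {
        // Non-null only when the token exists in Craft's tokens table and has
        // not expired; forged or stale tokens raise BadRequestHttpException.
        return $request->getToken() !== null;
    } catch (BadRequestHttpException $e) {
        return false;
    }
}
```

Because any unexpired token in Craft's tokens table would satisfy the hardened check, a site that treats Knock Knock as a hard gate should still weigh whether token-bearing previews are acceptable exemptions.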

@engram-design
Member

Right, all good points. I'll give it some further thought, and it may very well come down to an additional setting to just allow live preview requests. I know some people like to use Knock Knock as a bit of a security mechanism for sensitive sites/projects, so I would hate to annoy those people by exposing a "vulnerability".

@JodebaDigitalPulse
Author

Thanks, you're absolutely right about the security.

@sm9

sm9 commented Mar 12, 2024

Just adding this quick note to say that we've also just come across this issue with a multi-site setup. We've added a new site to the multi-site setup, and are using Knock Knock for just this one new site whilst the client adds content to it, before it's put live. The site is hosted on Servd and is using Craft CMS 4.7.4 and Knock Knock 2.0.11.

3 participants