[Bug?]: Upgrading to 7.1.3 - "You don't have permission to do that." #10223

Closed
1 task
johndevor opened this issue Mar 14, 2024 · 15 comments
Labels
bug/needs-info More information is needed for reproduction topic/auth topic/graphql

Comments

@johndevor

What's not working?

GraphQL is returning `Error: You don't have permission to do that.`

At least one other person and I are seeing the issue. It works fine locally, but not in serverless (Netlify) for me.

Apparently the context is not getting populated properly?

https://community.redwoodjs.com/t/redwood-v7-0-0-upgrade-guide/5713/52?u=john

How do we reproduce the bug?

No response

What's your environment? (If it applies)

No response

Are you interested in working on this?

  • I'm interested in working on this
@johndevor johndevor added the bug/needs-info More information is needed for reproduction label Mar 14, 2024
@johndevor
Author

Other person with the same issue:

https://community.redwoodjs.com/t/redwood-v7-0-0-upgrade-guide/5713/54

@Josh-Walker-GM
Collaborator

Thanks for opening the issue @johndevor. I'll try to at least get started on reproducing this over the weekend as I imagine this is a blocker for you upgrading.

@chrismorrisprojects

chrismorrisprojects commented Mar 19, 2024

I am the other person in the thread having the issue; it is still happening on 7.1. I have created a workaround that allows me to access the context, but I don't know why accessing it directly returns undefined:

```js
export const isAuthenticated = () => {
  // Read currentUser through its property descriptor instead of context.currentUser
  const currentUserDescriptor = Object.getOwnPropertyDescriptor(context, 'currentUser');
  const currentUser = currentUserDescriptor ? currentUserDescriptor.value : null;
  return !!currentUser
}
```

@Josh-Walker-GM
Collaborator

Josh-Walker-GM commented Mar 19, 2024

Thank you so much for the additional information! I haven't had a chance to properly look into this yet as I've been traveling. I will aim to get something substantially done on this by the end of the week.

@johndevor
Author

I tried that on Netlify without success:

```js
export const isAuthenticated = () => {
  const currentUserDescriptor = Object.getOwnPropertyDescriptor(
    context,
    'currentUser'
  )
  console.log('currentUserDescriptor', currentUserDescriptor)
  const currentUser = currentUserDescriptor ? currentUserDescriptor.value : null
  return !!currentUser
}
```

```
Mar 20, 10:49:43 AM: f451b5e9 INFO currentUserDescriptor undefined
```

@Josh-Walker-GM Josh-Walker-GM self-assigned this Apr 3, 2024
@Josh-Walker-GM
Collaborator

It took me far too long to get back to this, so sorry about that!

I just tried deploying our dbAuth based test project to Netlify and it seems to work just fine with auth and GraphQL. That was on Redwood 7.3.0.

I'll try switching the auth to Clerk tomorrow to see if that's a factor, but context usually lives at a level below each provider, so I would naturally have expected that, if it was broken, all auth providers would fail. I could easily be wrong though. I'll follow up with what happens when I switch it to Clerk.

@Josh-Walker-GM
Collaborator

Hi everyone. There have been multiple reports over a period of time that there is an unresolved issue with context. However, I'm having difficulty reproducing this error and so can't move forward with debugging and fixing.

What would help move this along is if someone can please provide a complete but small reproduction repository that I could clone down and reproduce the error. It appears this might only happen on deployed applications - especially serverless deployments. Given that information, it would also be helpful if this reproduction repo could be deployed to netlify/vercel.

I will keep trying to return to this when I can but until a reproduction is available I cannot move this forward. Hopefully this is a reasonable next step here? I appreciate that it could be blocking upgrading to v7 so apologies again that this issue has been so long running.

@chrismorrisprojects

My build is a bare metal instance running in Azure cloud.

I have other bare metal instances of RedwoodJS; the only difference between them is the use of azure-active-directory authentication in the one that is not working.

I am not sure how I could set up a reproducible instance that involves azure-active-directory unless there is some free testing service Microsoft or someone provides?

@chris-morris-h2o

I've made a completely new redwood project using 7.7.3. I've only made the following changes:

  • a home page with AD login functionality added
  • an API function call for testing authentication on API requests
  • logging to the isAuthenticated call
  • run yarn rw setup auth azure-active-directory
  • configured Azure AD auth env variables

The repo is here. I am using Node 20.11.1 (using nvm in both Windows and Ubuntu environments). The problem happens when running yarn rw dev. I have tried to run this on both Windows 10 x64 and WSL 2.0 with Ubuntu 22.04.3.

The issue on both Windows and Ubuntu is the same: `console.log(context)` prints out the context as expected with expected attributes (e.g. `context.currentUser`), but when trying to access them directly (`return context.currentUser`) they return undefined. I've pushed the full repo to here:

https://github.com/chris-morris-h2o/ad-test

Unfortunately I do not have an Active Directory environment I can publicly expose to troubleshoot this.

I can provide any more information or help in any other way.

I have included a redacted logging output from auth.js. Everything was populated except the roles[] array, which I noted was blank in the unredacted log.

```
api | {
api |   value: {
api |     aud: '',
api |     iss: 'https://login.microsoftonline.com/',
api |     iat: ,
api |     nbf: ,
api |     exp: ,
api |     aio: '',
api |     name: 'Chris Morris',
api |     nonce: '',
api |     oid: '',
api |     preferred_username: 'Chris.Morris@h2obridge.com',
api |     rh: '',
api |     sub: '',
api |     tid: '',
api |     uti: '',
api |     ver: '',
api |     roles: [ROLES WAS COMPLETELY EMPTY IN UNREDACTED LOG]
api |   },
api |   writable: true,
api |   enumerable: true,
api |   configurable: true
api | }
api | {
api |   request: PonyfillRequest {
api |     bodyInit: <Buffer 7b 22 71 75 65 72 79 22 3a 22 71 75 65 72 79 20 5f 5f 52 45 44 57 4f 4f 44 5f 5f 41 55 54 48 5f 47 45 54 5f 43 55 52 52 45 4e 54 5f 55 53 45 52 20 7b ... 28 more bytes>,
api |     options: {
api |       method: 'POST',
api |       headers: [Object],
api |       body: <Buffer 7b 22 71 75 65 72 79 22 3a 22 71 75 65 72 79 20 5f 5f 52 45 44 57 4f 4f 44 5f 5f 41 55 54 48 5f 47 45 54 5f 43 55 52 52 45 4e 54 5f 55 53 45 52 20 7b ... 28 more bytes>
api |     },
api |     bodyUsed: false,
api |     contentType: 'application/json',
api |     contentLength: 78,
api |     _bodyFactory: [Function: bodyFactory],
api |     _generatedBody: null,
api |     bodyType: 'Buffer',
api |     _buffer: <Buffer 7b 22 71 75 65 72 79 22 3a 22 71 75 65 72 79 20 5f 5f 52 45 44 57 4f 4f 44 5f 5f 41 55 54 48 5f 47 45 54 5f 43 55 52 52 45 4e 54 5f 55 53 45 52 20 7b ... 28 more bytes>,
api |     cache: 'default',
api |     credentials: 'same-origin',
api |     headers: Headers {
api |       priority: 'u=4',
api |       'sec-fetch-site': 'same-origin',
api |       'sec-fetch-mode': 'cors',
api |       'sec-fetch-dest': 'empty',
api |       connection: 'close',
api |       origin: 'http://localhost:8910',
api |       'content-length': '78',
api |       authorization: 'Bearer TOKENHERE',
api |       'auth-provider': 'azureActiveDirectory',
api |       'content-type': 'application/json',
api |       referer: 'http://localhost:8910/.redwood',
api |       'accept-encoding': [ 'gzip', 'deflate', 'br', 'zstd' ],
api |       'accept-language': [ 'en-US', 'en;q=0.5' ],
api |       accept: '*/*',
api |       'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0',
api |       host: 'localhost:8910'
api |     },
api |     integrity: '',
api |     keepalive: false,
api |     method: 'POST',
api |     mode: 'cors',
api |     redirect: 'follow',
api |     referrer: 'about:client',
api |     referrerPolicy: 'no-referrer',
api |     _signal: undefined,
api |     headersSerializer: undefined,
api |     duplex: 'half',
api |     url: 'http://localhost/graphql',
api |     destination: 'document',
api |     priority: 'auto',
api |     [Symbol(Symbol.toStringTag)]: 'Request'
api |   },
api |   params: {
api |     query: 'query __REDWOOD__AUTH_GET_CURRENT_USER { redwood { currentUser } }'
api |   },
api |   currentUser: {
api |     aud: '',
api |     iss: '',
api |     iat: ,
api |     nbf: ,
api |     exp: ,
api |     aio: '',
api |     name: 'Chris Morris',
api |     nonce: '',
api |     oid: '',
api |     preferred_username: 'Chris.Morris@h2obridge.com',
api |     rh: '',
api |     sub: '',
api |     tid: '',
api |     uti: '',
api |     ver: '',
api |     roles: [ROLES WAS COMPLETELY EMPTY IN UNREDACTED LOG]
api |   },
api |   event: {
api |     httpMethod: 'POST',
api |     headers: {
api |       priority: 'u=4',
api |       'sec-fetch-site': 'same-origin',
api |       'sec-fetch-mode': 'cors',
api |       'sec-fetch-dest': 'empty',
api |       connection: 'close',
api |       origin: 'http://localhost:8910',
api |       'content-length': '78',
api |       authorization: 'Bearer BEARER TOKEN HERE',
api |       'auth-provider': 'azureActiveDirectory',
api |       'content-type': 'application/json',
api |       referer: 'http://localhost:8910/.redwood',
api |       'accept-encoding': 'gzip, deflate, br, zstd',
api |       'accept-language': 'en-US,en;q=0.5',
api |       accept: '*/*',
api |       'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0',
api |       host: 'localhost:8910'
api |     },
api |     path: '/graphql',
api |     queryStringParameters: {},
api |     requestContext: { requestId: 'req-2', identity: [Object] },
api |     body: '{"query":"query __REDWOOD__AUTH_GET_CURRENT_USER { redwood { currentUser } }"}',
api |     isBase64Encoded: false
api |   },
api |   requestContext: { callbackWaitsForEmptyEventLoop: false }
api | }
api | [ 'request', 'params', 'currentUser', 'event', 'requestContext' ]
api | [ undefined, undefined, undefined, undefined, undefined ]
api | [
api |   [ 'request', undefined ],
api |   [ 'params', undefined ],
api |   [ 'currentUser', undefined ],
api |   [ 'event', undefined ],
api |   [ 'requestContext', undefined ]
api | ]
api | undefined
```
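
The output pattern in the log above (keys listed and `console.log` showing populated values, while `Object.values` and direct reads return undefined) is what JavaScript produces when an object sits behind a `Proxy` whose `get` trap reads from a separate per-request store that is empty. The sketch below is an added example, not part of the thread and not Redwood's code; `requestStore`, `createStoreBackedProxy` and `findShadowedKeys` are hypothetical names, and the page does not establish that this is the cause of the reported issue.

```javascript
// Added illustration (not Redwood's code). `requestStore` is a hypothetical
// stand-in for a per-request store such as AsyncLocalStorage.
let requestStore // undefined = no store bound to the current execution

// Wrap a target so that property reads go to the store, not to the target.
function createStoreBackedProxy(target) {
  return new Proxy(target, {
    // Only `get` is trapped: Object.keys(), getOwnPropertyDescriptor() and
    // console.log() still operate on the underlying target object.
    get: (_target, prop) => (requestStore ? requestStore[prop] : undefined),
  })
}

// Diagnostic: keys whose value exists on the target but is lost on a read.
function findShadowedKeys(ctx) {
  return Object.keys(ctx).filter((key) => {
    const descriptor = Object.getOwnPropertyDescriptor(ctx, key)
    return (
      descriptor !== undefined &&
      descriptor.value !== undefined &&
      ctx[key] === undefined
    )
  })
}

// Constructed sample data, not taken from the thread.
const populated = { currentUser: { name: 'Sample User', roles: [] }, params: {} }
const context = createStoreBackedProxy(populated)

function demo() {
  // No store bound: keys are visible, every read comes back undefined.
  const withoutStore = {
    keys: Object.keys(context),
    values: Object.values(context),
    shadowed: findShadowedKeys(context),
  }
  requestStore = populated // bind the store, as a request wrapper would
  const withStore = {
    values: Object.values(context),
    shadowed: findShadowedKeys(context),
  }
  requestStore = undefined
  return { withoutStore, withStore }
}

console.log(demo())
```

An auth check built on `context.currentUser` fails closed in the first state, which matches the "You don't have permission to do that." error in the issue title.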

@chris-morris-h2o

@Josh-Walker-GM - If we were able to get a second Azure AD tenant set up for testing, would there be a way for us to share the private information with you in a relatively secure way outside of this GitHub issue? I'm negotiating with our IT department right now about getting a second Azure AD environment set up that we could expose a little more publicly for this issue.

@Josh-Walker-GM
Collaborator

Are you on our community forums? If so I think you can privately message me there: https://community.redwoodjs.com/u/josh-walker-gm. If not I'm also happy to just share my email address with you.

I (and the rest of the team) really appreciate the effort here! I have some work I must get done over the next two days. However, I will make sure I set aside time this weekend to go back through this issue and reattempt a reproduction, setting up my own azure resources as needed too. Hopefully I can make progress and I will report back on Monday.

@johndevor
Author

I've reproduced the issue in a new repo and a new netlify.

https://redwood-auth-test.netlify.app/

Using clerk auth.

@johndevor
Author

johndevor commented Sep 12, 2024

Ok! I fixed it here.

I disabled netlify's esbuild bundler in netlify.toml and that fixed it for me.

```toml
[functions]
  # node_bundler = "esbuild"
```

@johndevor
Author

@chris-morris-h2o Closing for now... lmk if you want me to reopen

@chris-morris-h2o

I've not been able to get internal resources to set up a private tenant yet.

But we're using baremetal deployments and don't have any bundler specified; we're using Redwood defaults for the bundler, which I believe is Vite for the version I am running.

Status: Done

5 participants