Cannot Login: Authentication aborted

[jonnyowenpowell]

Hi 👋

I was using Decap CMS and somewhat satisfied with the results. However, I felt it lacked polish, so I went looking for an alternative and found this project. It immediately worked locally (after I changed the backend from git-gateway to github and added the repo key) and is much more polished in my opinion; nice work!

However, upon deployment to production, I find that I cannot login. The admin page loads fine, there are no console errors, CSP warnings, etc. When I click login, I immediately see 'Authentication aborted. Please try again.' and a corresponding 'Authentication aborted undefined' console error.
The https://api.netlify.com/auth?provider=github&site_id=<my domain>&scope=repo%2Cuser page opens, with content 'Not found' and a 404 response code.

My backend configuration is the following:

backend:
  name: github
  repo: jonnyowenpowell/<my site repo>
  branch: main

The repository is private, I'm unsure if this matters but I'm including it for completeness.

I have tried with and without the Netlify Identity widget loaded on the admin page. I have tried clearing my site data. I did not change any Netlify Identity settings when I switched from Decap CMS.

I cannot find any issues about this, so I assume I'm doing something wrong, but I'm not sure what.

Update:

I have resolved the 404 response from Netlify - I simply changed the backend from git-gateway to github and didn't stop to configure the backend according to Decap CMS documentation. Silly me! I now have a GitHub OAuth app setup, and get a nice 'Authenticated' message - but the site still displays the same 'Authentication aborted. Please try again.' message.

[jonnyowenpowell]

I have resolved this issue - and will close.

For anyone reading this, my issue was I had the Cross-Origin-Opener-Policy: same-origin header set. This is known to break OAuth flows as it servers the connection to the OAuth popup window. What I needed was Cross-Origin-Opener-Policy: same-origin and then everything worked.

I do have a small suggestion, which is to clarify in the documentation that using the GitHub backend is rather a different setup to the git-gateway backend and you will no longer be using Netlify Identity at all, but rather the Netlify OAuth flow.

One of my motivations for moving away from Decap CMS was to avoid the need for unsafe-eval in my CSP - it may be the same for others too. Such security minded folk may also be setting the Cross-Origin-Opener-Policy: same-origin across their site - it might be worth including a note, even though it's not specific to sveltia, that you will need to relax this to -allow-popups, at least for the CMS route, for the OAuth flow to work.

[kyoshino]

Hey @jonnyowenpowell, welcome to Sveltia CMS, and glad you have solved the problem yourself! I have updated the README to briefly explain these issues. In a few months, I’ll prepare full documentation for Sveltia to make the migration easier. 😃

[RDjarbeng]

Sorry to resurrect this. @jonnyowenpowell from your comment above does this mean you were able to get the cms to work without hosting the site on netlify?
That is, you get the cms working at my-site/admin, where my-site is not a netlify hosted page, for example github pages site.

Also in which file did you set the 'Cross-Origin-Opener-Policy: same-origin'?