PWA-Chrome issue

[arturv2000]

Current Behavior

Hello

This issue is related to #817 it seems that the fix applied in #881 is not sufficient, at least for Android.

Just updated one of the instances I have to v1.11.1 to check if this was fixed or not.

According to my tests:

• In Windows PC using Edge or Chrome there are issues, it show a white page upon opening the page, with the same error that was being generated before
  
• Same thing in Linux (raspberryPi) using Chromium and Firefox
• Same thing in Android using Chrome

In order for this error to show, is necessary to open the page in the browser (wait until the new PWA version is downloaded and the popup to reload appears), after this is necessary to close the browser window (all instances of chrome / edge / etc.., in windows is necessary to close the chrome icon on the notification tray and in android is necessary to force close the chrome browser), when trying to access again the site the page does not load until we force an incorrect address (like 'https://my.site.com/dashboar') at this point the login popup is shown and we can access the real address https://my.site.com/dashboard.
If we close the browser it is necessary to repeat the process.

The fix seems simple, according to my attempts is necessary to change the file ui/src/main.mjs the catch for the fetch('_setup') needs to change to:

    .catch((err) => {
        if (err instanceof TypeError) {
            if (err.message === 'Failed to fetch') {
                console.log('auth error:', err)
                console.log('redirecting to:', window.location.origin + '/dashboard')

                // window.location.replace(window.location.origin + '/dashboard') //Original, seems to have no issues with Edge and Chrome on Windows, doesn't work on Android (Not tested on Linux browser)
                // window.location.href = window.location.origin + window.location.pathname + window.location.search + (window.location.search ? '&' : '?') + 'reloadTime=' + Date.now().toString() + window.location.hash; // Also works on Edge + Chrome on windows, doesn't work on android

                // Reloading dashboard without using cache by apending a cache-busting string to fully reload page to allow redirecting to auth
                window.location.replace(window.location.origin + '/dashboard' + '?' + 'reloadTime=' + Date.now().toString() + Math.random()) // Seems to work on Edge and Chrome on Windows, Chromium and Firefox on Linux, and also on Chrome Android (and also as PWA App)
            } else {
                // handle general Type errors here
                console.error('An error occurred:', err)
            }
        } else {
            // handle general errors here
            console.error('An error occurred:', err)
            window.location.replace(window.location.origin + '/dashboard' + '?' + 'reloadTime=' + Date.now().toString() + Math.random()) // Seems to work on Edge and Chrome on Windows, Chromium and Firefox on Linux, and also on Chrome Android (and also as PWA App)
        }
    })

It seems the original fix was enclosed in a series of if statements that are not catching the correct error, since I just added the original fix window.location.replace.... to the else of the first if

Expected Behavior

No response

Steps To Reproduce

No response

Environment

• Dashboard version: 1.11.1
• Node-RED version: 3.1.7
• Node.js version: 20.11.0
• npm version: 10.4.0
• Platform/OS: Server (Ubuntu 22.04.3
• Browser: windows (Edge, chrome), Linux (Chromim, Firefox), Android (Chrome)

Have you provided an initial effort estimate for this issue?

I am not a FlowFuse team member

[cgjgh]

@arturv2000 @cstns Seems we made error handling too specific… I was afraid this would happen if we tried to add conditions.

Can you show a console log of the error type so we can add it to error handling?

[arturv2000]

@cgjgh Hi, No idea if doing this in the correct way, compiled in 'dev' and was able to put a breakpoint on source code, the error message is the one shown..

Tried in ´npm run build´ and added an extra console.log just to be sure, and booth where printed to the console.

[cgjgh]

@arturv2000 For additional context, could you insert breakpoints into the code within the try block? This would help identify the specific line of code that gets executed when an error occurs.

@colinl I suspect you might be having the same issue and getting the above error as well.

@cstns I realize your previous concern of a reload loop occurring by not specifying the errors that would trigger a reload. However, if the errors are too diverse, specificity might not be practical.
Considering the inconvenience caused by the blank screens, which can be fixed with a full reload, it seems our primary objective should be to address this issue (by triggering reload with any error) before focusing on preventing potential reload loops.

Also, the original, pre-PWA error handling, which console logged “auth error”, suggests errors were mostly occurring with authentication- (@joepavitt Can you weigh in on this?).
This would imply that a reload would be applicable and beneficial in these cases.

[colinl]

Yes, I am seeing issues two. I have looked in a bit more detail at what is going on, with the dashboard installed as an App in Edge. I have worked out how to revoke the Google token when using it with Cloudflare Zero Trust, so I can now trigger the problem at will.
The first thing I note is that if I have the dashboard open and then revoke the token then initially the dashboard carries on responding as normal. If I attempt to refresh the page then it goes blank and in the console I see

 An error occurred: 
SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
```

[colinl]

Adding the reload as suggested by @arturv2000 fixes it. I will try and track down where it is failing.

[colinl]

The exception is coming from
const setup = await response.json()

I can't work out how to log the full response text, my attempts keep generating an exception.

[arturv2000]

@cgjgh From what I can understand, the error is generated at this section:

	console.log(2)
        // get the setup JSON from the server
        const setup = await response.json()
        setup.basePath = basePath
	console.log(3)

At least it only prints up to console.log(2). Wasn't able to put breakpoints, as long I go to the developer tools and open the source the login box show up.

This was the best I Could do

[colinl]

I see what is happening. When the token has expired and the code does a fetch from https://my.domain/dashboard/_setup it gets redirected to the cloudflare login page, which is

<!DOCTYPE html>
<html>
  <head>
    <title>Sign in ・ Cloudflare Access</title>
    <meta charset="utf-8" />
   ...

which raises an exception in await response.json() as it is not valid json. I guess a similar thing is happening for @arturv2000 except that the text he is getting back starts with Unauthorized ... which similarly is not valid JSON.

[joepavitt]

@cstns can you take a look at this, this week please, whilst I'm away?

[colinl]

I have found another problem, which is possibly a completely different issue. Once the token has expired the dashboard continues to run ok. Presumably because existing connections continue to function. However, if one is using a non-core widget, then when one switches to the page containing the widget the console shows

Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html". Strict MIME type checking is enforced for module scripts per HTML spec.
mydomain.org.uk:1 Failed to load module script: Expected a JavaScript module script but the server responded with a MIME type of "text/html". Strict MIME type checking is enforced for module scripts per HTML spec.

TypeError: Failed to fetch dynamically imported module: https://mydomain.org.uk/resources/@flowfuse/node-red-dashboard-2-ui-led/ui-led.umd.js

I guess that those also get redirected to the login page

Does it fetch those modules every time I switch to the page?

[colinl]

Does it fetch those modules every time I switch to the page?

To answer my own question, the answer is no, it fetches them the first time a page that needs them is opened, which makes sense.

[cstns]

From what I can tell, the app is trying to boot up with data it receives after being redirected (due to various reasons) which in most cases are not valid json responses.

I feel like we're just treating symptoms and not the root cause.

My thought on this matter is, do we need to follow through with the ws connection and Vue app mount if the response we receive from the _setup call is not from our Node Red instance (assuming we got redirected to external auth providers) or we could safely force a redirect to window.location.origin/dashboard?... from the get go in an early return?

Inputs are more than welcomed, I'll try to sort this out this week

[colinl]

@cstns if you want to post suggested code to try I will happily give it a go.

[cstns]

I created #944.

I'm not completely sure if stopping the _setup process is enough, it may require a forcePageReload as well. I left a comment with todo to try both scenarios.

[arturv2000]

@cstns Ok, I will give a try to check if with my current setup it solves the problem

[arturv2000]

@cstns Don't know if supposed to answer here, or in the PR.

With the changes in the PR, the problem continues:

It enters in the same "if" has indicated before. I added a console.log to the

.then(async (response) => {
        if (...

And it does not enter there.

[cgjgh]

@arturv2000 Seems like you're using NodeRed auth which will not redirect and therefore not meet the conditions below and execute return or force reload...

 if (
       response.url &&
       typeof response.url === 'string' &&
       !response.url.includes( new URL(window.location).origin)) {

       // todo not sure if we should force redirect or just stop the setup process entirely
       // forcePageReload('origins do not match')

       return;
   }

Perhaps add a 401 status to conditions?

else if (response.status === 401) {
       console.log('Unauthorized, reloading dashboard')

       // todo not sure if we should force redirect or just stop the setup process entirely
       // forcePageReload('origins do not match')

       return;
   }

@cstns

I'm not completely sure if stopping the _setup process is enough, it may require a forcePageReload as well. I left a comment with todo to try both scenarios.

Pretty sure you need to force reload otherwise it will react in same way as if not handling in catch.

Would Response.redirected be helpful here in detecting if not from origin URL?

// Check if the response was redirected
if (response.redirected) {
    console.log('Response was redirected to auth')

    // handle reload
    window.location.replace(window.location.origin + '/dashboard' + '?' + 'reloadTime=' + Date.now().toString() + Math.random())
    return
} else {
    console.log('Response came from NodeRed')
}

[cstns]

My assumption was completely wrong. Based on your previous print screen I managed to figure out what's happening.

This fetch API will be the end of me. Apparently a 404/401/403 http response code is not considered a failed request (which I was wrongly expecting it to be). More on this here.

I made some changes so the redirect is triggered on 401 HTTP responses. Does anyone think we should force a refresh for other HTTP response codes as well? (ex 403)

[arturv2000]

@cstns Seems like your latest changes (commit b384d1d) are working. At least in Linux Chrome and Android Chrome I am not being able to reproduce the issue. Not able to test at the moment in Windows Edge.

It requests the login information and loads the page correctly.

[cstns]

That's great news! I think we may have gotten to the bottom of it!

We could leave the force redirect enabled only for 401 HTTP codes for the time being and update it if needed for other situations if they arise.

I'll make some final touch-ups to the PR and submit it for review, I think we'll be able to merge it by EOD tomorrow if not surely this week. Release wise we'll have to wait for @joepavitt to return.

Thank you all!

[arturv2000]

Would wait for feedback from colinl since he has a different setup than mine regarding authentication.

[cstns]

Yes, good point.

Does anyone think we should force a refresh for other HTTP response codes as well? (ex 403)

Is still open for debate

[cstns]

I created #944. You can pull the 937-prevent-setup-on-origin-missmatch branch and do a build locally

[colinl]

Still failing with invalid json error. The console is showing a redirect to google login page as before.
I will PM the console log details if that is ok as I don't want to promulgate my domain details all over the internet.

[colinl]

I will PM the console log details

Or at least I would, but I can't work out how to do that, here it is with domain hidden.

{origin: URL, response: Response}origin: URLhash: ""host: "nodered.mydomain.org.uk"hostname: "nodered.mydomain.org.uk"href: "https://nodered.mydomain.org.uk/dashboard/"origin: "https://nodered.mydomain.org.uk"password: ""pathname: "/dashboard/"port: ""protocol: "https:"search: ""searchParams: URLSearchParams {size: 0}username: ""[[Prototype]]: URLresponse: Responsebody: (...)bodyUsed: trueheaders: Headers {}[[Prototype]]: Headersok: trueredirected: truestatus: 200statusText: ""type: "cors"url: "https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/nodered.mydomain.org.uk?kid=9df892976242106878f0a65fd2c4543695b45472395325aba3f8277a33c5e44c&redirect_url=%2Fdashboard%2F_setup&meta=eyJraWQiOiIyZmE3OTM1NWY2YzdlYjRmNTdhYTBmNGQxOTZkZWMyY2I4MjE5ZmRkYzI0YzFjMTRiNTg0YTNlZjA4ZjkxZDQwIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJzZXJ2aWNlX3Rva2VuX3N0YXR1cyI6ZmFsc2UsImlhdCI6MTcxNzQ5MTM1Niwic2VydmljZV90b2tlbl9pZCI6IiIsImF1ZCI6IjlkZjg5Mjk3NjI0MjEwNjg3OGYwYTY1ZmQyYzQ1NDM2OTViNDU0NzIzOTUzMjVhYmEzZjgyNzdhMzNjNWU0NGMiLCJob3N0bmFtZSI6Im5vZGVyZWQuY2xhbmxhdy5vcmcudWsiLCJhcHBfc2Vzc2lvbl9oYXNoIjoiMTBhN2YyYTMzN2VjN2M0OGViNDdjODg5ZTc1YjZmNDBiZjExMmJlODEzMzBkYmM0NDQ3NTJiMWVlNGQxZjIzOSIsIm5iZiI6MTcxNzQ5MTM1NiwiaXNfd2FycCI6ZmFsc2UsImlzX2dhdGV3YXkiOmZhbHNlLCJ0eXBlIjoibWV0YSIsInJlZGlyZWN0X3VybCI6IlwvZGFzaGJvYXJkXC9fc2V0dXAiLCJtdGxzX2F1dGgiOnsiY2VydF9pc3N1ZXJfc2tpIjoiIiwiY2VydF9wcmVzZW50ZWQiOmZhbHNlLCJjZXJ0X3NlcmlhbCI6IiIsImNlcnRfaXNzdWVyX2RuIjoiIiwiYXV0aF9zdGF0dXMiOiJOT05FIn0sImF1dGhfc3RhdHVzIjoiTk9ORSJ9.Bsv-hq-BVSUWLw7FwsVeRsirQQLJSKVchrBpHINDXQo0NUkNw3ATeaysG8XOD7GxTAaHtczYcQzWRvyxqCJYloCRsLAW45KjItBUB4oZ84fPPrIxTbA8Cf9SUUhw1lSICB3iLIabI_I1AlG-fcDrJCJb4p2B40ewWWWz4pjWASPFXxQT3m4EhVqbrDPzWjZYuqhKf4exgHCbKPu56If0qVYKNhk6rvsUukcUZt6a6HXEE5o2W2DW-A1ZMjhi5lTuMzDi8HApTBBFIK9xXxL_plp-k-evhXOueTwJpk-QPFIkszuO03FENXcfJsKVACiWita9sD18qTNnogPv0vfdEw"[[Prototype]]: Response[[Prototype]]: Object

index-B6B5ipL-.js:239  An error occurred: SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
(anonymous) @ index-B6B5ipL-.js:239
Promise.catch (async)
(anonymous) @ index-B6B5ipL-.js:239

[cstns]

There's not much there because the response is truncated

If you can confirm that the origin.origin and response.url are different, the values of response.redirected, response.status and response.statusText would be enough to go on.

The question that would need to be sorted is if we should forcePageReload to the dashboard or the oauth provider page where the redirect was made. I hope we'll get an idea based on the response.status code

[cstns]

I assume response.ok was true, otherwise it should have logged Failed to fetch setup data: + response

[colinl]

The origin is the dashboard url and response.url is the google auth page. redirected is true.
status is 200, statusText is ""

By replacing
const setup = await response.json()
with

        const responseText = await response.text()
        console.log(`responseText: ${responseText}`)
        const setup = JSON.parse(responseText)

I can see that it has successfully retrieved the google auth page.

[cstns]

Replacing the response.json() would only treat the symptom but not the cause.

I added a new case which will currently force a full page redirect to the redirected origin when host and response origins mismatch:

case host.origin !== new URL(response.url).origin:
            console.log('Following redirect:', response.url)
            window.location.replace(response.url)
            // forcePageReload('Redirected to different origin')
            return

Please give this setup a go, I think the full page redirect to the redirected origin and preventing any further app setup steps it will resolve the problem gracefully. If the redirect to the response.url is not the way to go we can leave the default forcePageReload to redirect to the dashboard.

[colinl]

Replacing the response.json() would only treat the symptom but not the cause.

That was just so that I could log the text. The JSON.parse() still generated the exception as expected.

It looks like you may have cracked it with the latest mod. Looking good so far :)

[cstns]

Happy to hear! I'll mark the PR as ready to review!

[colinl]

I have noticed one thing, but I don't know whether it is a PWA issue or something else. I updated a third party ui node (@colinl/node-red-dashboard-2-gauge-classic) to a new version, restarted node red, and adjusted the flows. The dashboard I had open on an Android device automatically picked up the modified flows but has not picked up the new version of the gauge node. Swiping down to make it refresh (which it does) does not pick it up, nor does closing the app and reopening it. Again, it may be relevant that this is a fairly old version of Android.
Opening the app on a device that did not have it open, and which is a current version of Android, has picked up the new version though.
As noted earlier, third party ui nodes are dynamically loaded when needed. It would have been already loaded on the old device.

[cstns]

It might be a PWA caching issue. Were you prompted in the dashboard at any time after updating (any) nodes to reload?
#920 might address this. Or we might treat 3rd party nodes slightly different.

Please open another issue for it and we can take a closer look.

[colinl]

I wasn't prompted, but when I went to look at it a few minutes after updating it had automatically picked up the new flows. I will open an issue after doing a few more experiments to gain information.

[colinl]

One aspect of the current behaviour that is not ideal is that if I have the dashboard open and the token expires then it keeps running for while, which is ok, but at some time later it pops up the Connection Lost notification and just sits there forever, presumably trying to reconnect and failing. It doesn't take me to the login screen at that point. To get going again I have to force a refresh, which then brings up the login screen.

[colinl]

I have managed to catch some more information on this. Running on a laptop using Edge, some time after the token expires then there are a number of

index-Dj_SStcD.js:239 
 SIO connect error: 
Error: server error
    at lt.onPacket (index-Dj_SStcD.js:231:36803)
    at Emitter.emit (index-Dj_SStcD.js:231:20587)
    at Polling.onPacket (index-Dj_SStcD.js:231:22781)
    at r (index-Dj_SStcD.js:231:24971)
    at Array.forEach (<anonymous>)
    at Polling.onData (index-Dj_SStcD.js:231:25024)
    at Emitter.emit (index-Dj_SStcD.js:231:20587)
    at Request.onLoad (index-Dj_SStcD.js:231:27661)
    at a.onreadystatechange (index-Dj_SStcD.js:231:27088)
 undefined

Then

index-Dj_SStcD.js:43 
 
 GET https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/nodered.mydomain.o…q1bDmYT9tIKb6qn5DYIPdNQNHKJKmcmpCIcMNQX7xJiCJMh_vNqsoSfLyicrX7kKnJNgyq_IJA net::ERR_FAILED
index-Dj_SStcD.js:43 
 
 
 Uncaught (in promise) 
TypeError: Failed to fetch
    at index-Dj_SStcD.js:43:20650
/dashboard/:1 
 Access to fetch at 'https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/mydomain.clanlaw.o…PyK0VRTyra2szIggbR3bAjPpS9Ryq-1WWQUaxt4DgY64ABJGYo-tRAbM37j81SzxT2c93OKc_w' (redirected from 'https://nodered.mydomain.org.uk/dashboard/sw.js') from origin 'https://nodered.mydomain.org.uk' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
index-Dj_SStcD.js:43 
 
 GET https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/nodered.mydomain.o…PyK0VRTyra2szIggbR3bAjPpS9Ryq-1WWQUaxt4DgY64ABJGYo-tRAbM37j81SzxT2c93OKc_w net::ERR_FAILED
index-Dj_SStcD.js:43 
 
 
 Uncaught (in promise) 
TypeError: Failed to fetch
    at index-Dj_SStcD.js:43:20650

and it sits there showing the Connection Lost popup until I refresh the page.

[cgjgh]

It might be a PWA caching issue. Were you prompted in the dashboard at any time after updating (any) nodes to reload? #920 might address this. Or we might treat 3rd party nodes slightly different.

Please open another issue for it and we can take a closer look.

PWA only caches files that exist in the dist folder at Vite build time, 3rd party nodes I believe are not located there.

[cstns]

PWA only caches files that exist in the dist folder at Vite build time, 3rd party nodes I believe are not located there.

Yes, that was a bad assumption.

@colinl does the same happen with a more generic catch all that would forcibly redirect to the dashboard? Please give it a test by leaving only the forcePageReload method in the setup catch block without any conditionals.

I assume this behavior is caused by something else because the _setup call is only called once when the application initially boots. Another thing that points in this direction would be the fact that you haven't included any text that would by caught by the setup catch block ('An error occurred:' or 'auth error:')

[colinl]

Yes, it is odd, I don't know what is triggering the get that generates the CORS error. I have run it again, on Brave and this time the CORS error occurred before the connect failures. I wonder whether there is another, asynchronous, GET going on, completely unrelated to this code.

[colinl]

redirected from 'https://nodered.mydomain.org.uk/dashboard/sw.js'

Does that tell you anything? That appears to be ui/src/sw.js

[colinl]

It is the hourly PWA check for updates in ui/src/components/PWABadge.vue.

 methods: {
        registerPeriodicSync (swUrl, r) {
            if (this.period <= 0) return

            setInterval(async () => {
                if ('onLine' in navigator && !navigator.onLine) { return }

                const resp = await fetch(swUrl, {   <------ this line is generating the CORS error
                    cache: 'no-store',
                    headers: {
                        cache: 'no-store',
                        'cache-control': 'no-cache'
                    }
                })

                if (resp?.status === 200) { await r.update() }
            }, this.period)
        },

As such I suspect it can probably be ignored.
The real problem is how to recover from the fact that socket cannot reconnect. I wonder whether it is possible to distinguish this situation from the network or server down.

[cstns]

That was my initial thought as well but I agree with @cgjgh, although the error might suggest that it's triggered by the worker, it's highly unlikely to be caused by it because it's just running the mounted vue app.

I would turn my attention to the ws connection and socket.io in particular.

As far as I can tell we don't have that many listeners for socket.io, and these errors you're experiencing would not get caught by the _setup call catch block. We could set up listeners for reconnect_attempt, reconnect_error, reconnect_failed, connect_timeout or the more generic error and see which one gets triggered by what you're experiencing.

This would be out of scope for the task at hand, we should continue in another task for traceability.

[colinl]

I have looked at the err object in the connect error fn
socket.on('connect_error', (err) => {
and in the case we have here it contains {"code": "parser error} which may well be diagnostic. I will open a new issue for this. If someone can suggest what the best way to recover is (reloading possibly, in order to get to the logon page) then I will have a go at generating a PR. It is about time I got myself added to the list of contributors.

[cstns]

The implementation would depend on what data the error we receive contains. If there's nothing relevant like in the case of fetch (response.ok, response.redirected or response.url) that we could use to deduce what went wrong, I'd say that using the existing forcePageReload would me more than enough.

I'll be more than happy to assist along the way!

[colinl]

I have posted issue #945 to cover the problem with third party ui nodes not reloading after update, and #946 to cover the whole area of recovery after a socket failure

@arturv2000 could you post on #946 what symptom you see if you see if you have the dashboard open and then the token expires (if that situation does apply in your case). Perhaps your token never expires so it is not relevant.

[colinl]

@cstns, looking at the code in forcePageReload() it has the dashboard component of the url hard coded. Is that ideal? I know that at the moment it is not configurable, but is not the name available from the ui-base so that when it does become variable this code will not have to change?

[cstns]

It's not ideal in any way, I agree. When the time will come to implement custom paths for dashboards we'll need to address this.

As we stand, we don't have a way of knowing what path the dashboard will be on so we just went with hardcoding it because we know it is static. One way of future proofing it would be to add it as a parameter in the forcePageReload() because I assume we'll receive it within the _setup response

[colinl]

I was forgetting that, of course, the client cannot access the ui-base.

[colinl]

@arturv2000 are you still seeing a problem with this after the recent commits (to main, not released yet)?

[arturv2000]

@colinl Hadn't tried since one of the last commits in the PR.

Actually I thought that the issue was already closed with the merge of the PR #944 .

Synced the dashboard code folder with the main branch, build it and install in the test instance. Everything seems OK.