Authenticate user before displaying an iFrame

I am preparing to work on a project where I need to display a dashboard from an online application. Unfortunately, the use of an API is currently not possible. The dashboard can be embedded in an iFrame. However, when it is displayed it will prompt the user viewing the dashboard to login to an account.

I have one paid account to this service. Are there any Rails gems to log in to the service before the iFrame is processed?

Or would a proxy within my Rails app be a better route to go?

Any pointers are appreciated!

Adam asked May 17 '26 16:05
1 Answer

Neither a Rails gem nor a proxy within your Rails app will work; they both have the same limitation.

They are both running on the back-end, server side.

The authentication you need is client side.

Unless you mean proxying the ENTIRE thing, the auth request and all subsequent requests and user interactions with this dashboard. That should work, but (see below).

The way authentication works (pretty much universally) is: once you log in to any system, it stores a cookie on your browser and then the browser sends that cookie for every subsequent request.

If you authenticate on the backend, that cookie will be sent to your Rails code and will die there, and the user's browser will never know about it.

Also - it is not possible to do the auth server side and capture the cookie and then have the user browse the site with their browser directly, for two reasons:

  1. Sometimes auth cookies use information about the browser or HTTP client to encrypt the cookie, so sending the same cookie from a different client won't work.
  2. You cannot tell a browser to send a cookie to a domain different from your own.

So your options are, off the top of my head right now:

  1. If there is a login page that accepts form submissions from other domains, you could try to simulate a form submission directly to that site's "after login" page (the page the user gets directed to once they fill in the login form). Any modern web framework has XSRF protection (Cross Site Request Forgery protection) and will disallow this approach for security reasons.
  2. See if the auth this site uses has any kind of OAuth, Single Sign On (SSO) or similar type of authentication integration that you can do. (Similar to an API, so you may have already explored this option.)
  3. Proxy all requests to this site through your server. You will have to rewrite the entire HTML so that all images, CSS, stylesheets, and all other assets are also routed through the proxy, or else the URLs are rewritten in the HTML to not be relative. You might hit various walls if a site wasn't designed for this use case, from things like the site using relative URLs for assets that you aren't proxying, to the site referencing non-relative URLs causing cross-domain errors, etc. Note it's really hard to rewrite every single last asset reference; it's not only the HTML you're worried about, JavaScript can have URLs in it too, and CSS can as well.
  4. You could write a bookmarklet or a browser extension that logs the user into the site.
  5. Have everyone install LastPass.
  6. Have everyone install the TamperMonkey browser extension (and others like it for other browsers), and write a small User Script to run custom JavaScript automatically to log the user in on that site.
  7. Scrape that site for the info you need and serve it on your own site.

OK I'm out of ideas. :)

Gal answered May 19 '26 12:05
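To make option 3 concrete, here is an added Ruby example (not code from the question or the answer) of the asset-rewriting step a full proxy would need. It assumes a hypothetical mount point `/dash-proxy` inside the Rails app and a constructed sample page; the upstream URL `https://dash.example.com` is a placeholder. It rewrites `href`/`src`/`action` attributes and CSS `url()` references that point at the upstream origin, leaves third-party origins alone, and then reports the upstream references it could not catch (the one inside the `<script>` block), which is exactly the wall the answer warns about.

```ruby
require "uri"

# Hypothetical path under which the Rails app proxies the upstream dashboard (assumption).
PROXY_PREFIX = "/dash-proxy"

# Rewrite one URL reference so the browser fetches it through the proxy.
# upstream_base is the absolute URL of the page being proxied; relative refs resolve against it.
# Refs we cannot or should not proxy (fragments, data:/mailto:/javascript:, other origins)
# are returned resolved but otherwise untouched.
def proxy_url(ref, upstream_base)
  return ref if ref.nil? || ref.empty? || ref.start_with?("#")
  return ref if ref.match?(/\A(data|mailto|javascript):/i)
  abs = URI.join(upstream_base, ref)
  return abs.to_s unless abs.host == URI(upstream_base).host # third-party origin: leave it
  path = abs.path.empty? ? "/" : abs.path
  query = abs.query ? "?#{abs.query}" : ""
  fragment = abs.fragment ? "##{abs.fragment}" : ""
  "#{PROXY_PREFIX}#{path}#{query}#{fragment}"
rescue URI::InvalidURIError
  ref # malformed reference: pass through unchanged
end

# Rewrite HTML attributes (href/src/action) and CSS url(...) references in a document.
# Only markup and stylesheet syntax is handled; URLs inside JavaScript are not touched.
def rewrite_markup(markup, upstream_base)
  out = markup.gsub(/\b(href|src|action)=(["'])(.*?)\2/i) do
    "#{$1}=#{$2}#{proxy_url($3, upstream_base)}#{$2}"
  end
  out.gsub(/url\(\s*(["']?)([^"')]+?)\1\s*\)/i) do
    "url(#{$1}#{proxy_url($2, upstream_base)}#{$1})"
  end
end

# After rewriting, list absolute references to the upstream host that survived,
# e.g. URLs embedded in script text. These would still hit the upstream origin directly.
def unrewritten_references(markup, upstream_base)
  host = Regexp.escape(URI(upstream_base).host)
  markup.scan(%r{https?://#{host}[^\s"'<>)]*}).uniq
end

# Constructed sample page standing in for the upstream dashboard's HTML.
BASE = "https://dash.example.com/app/home"
SAMPLE_HTML = <<~HTML
  <html><head>
  <link rel="stylesheet" href="/assets/app.css">
  <style>body { background: url('/img/bg.png'); }</style>
  <script src="https://cdn.example.net/lib.js"></script>
  </head><body>
  <img src="logo.png" alt="logo">
  <a href="https://dash.example.com/reports?x=1">Reports</a>
  <script>fetch("https://dash.example.com/api/data").then(r => r.json());</script>
  </body></html>
HTML

if __FILE__ == $0
  rewritten = rewrite_markup(SAMPLE_HTML, BASE)
  puts rewritten
  puts "Still pointing at upstream: #{unrewritten_references(rewritten, BASE).inspect}"
end
```

The `unrewritten_references` check is the useful part for planning: run it over real upstream pages and scripts before committing to the proxy approach, because every reference it reports is one the browser would request from the upstream origin without the proxy's session, i.e. one that would trigger the login prompt again.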
