It seems legacy handling of the previous core.blockstack.org endpoint isn't perfect. Issue leather-io/extension#2166 shows some sites (e.g. Arkadiko) throwing errors when using previous stacks.js versions.
Inspecting Arkadiko, it looks like they are using a version of the @stacks/auth package, which still contains the old endpoint. This is causing an error to be thrown. The simple solution is for them to fix/update this issue. However, the old endpoint correctly returns a 301 redirect. cors is enabled for the API. Tested via curl.
The stacks.js API caller function doesn't explicitly follow redirects. But I believe follow is often the default behavior for fetch. Not sure why this doesn't work. Will try to reproduce with a blockstack id.
I was only able to reproduce with apps that still use sign-in with blockstack (oauth-style blockstack.org sign-in), e.g. recall. Here the blockstack.org itself encounters the same issue (301 / cors).
I don't think following redirects could be seen as a security concern, as the only attack vector would involve an attacker using an old endpoint (so they would receive the same amount of data and at this point they could also just mimic the correct/expected successful responses to stay unnoticed). Let me know if I'm missing something 💡
Tip:
Running git log -S "core.blockstack.org" -p -- "*.ts" locally shows the last diffs that added/removed core.blockstack.org.
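
Added example (not part of the original post and not stacks.js code): a checker for the 301 / CORS interaction discussed above. It applies the Fetch standard's CORS check to every hop of a redirect chain, as you would reconstruct it from `curl -sI` output. The host `new-api.example`, the origin `app.example`, the paths and all header values are constructed assumptions.

```javascript
// Added example. Hostnames other than core.blockstack.org, all paths and all
// header values are constructed. Scope: simple GET, no credentials, no preflight.
const REDIRECTS = [301, 302, 303, 307, 308];
const originOf = (url) => new URL(url).origin;

// Fetch-standard CORS check for a request sent without credentials.
function corsCheck(headers, sentOrigin) {
  const allow = headers['access-control-allow-origin'];
  return allow === '*' || allow === sentOrigin;
}

// hops: [{ url, status, headers }] in request order, header names lower-cased.
function checkRedirectChain(pageOrigin, hops) {
  let cors = false;    // sticky once any hop is cross-origin
  let tainted = false; // once set, the browser sends "Origin: null"
  for (let i = 0; i < hops.length; i++) {
    const { url, status, headers } = hops[i];
    const crossOrigin = originOf(url) !== pageOrigin;
    cors = cors || crossOrigin;
    // The redirect response itself must pass the check, not only the final one.
    if (cors && !corsCheck(headers, tainted ? 'null' : pageOrigin)) {
      return { ok: false, hop: i, reason: `CORS check failed on ${status} from ${url}` };
    }
    if (!REDIRECTS.includes(status)) return { ok: true, hop: i, reason: 'readable' };
    if (!headers.location) return { ok: false, hop: i, reason: 'no Location header' };
    // A cross-origin hop that redirects to yet another origin taints the origin.
    if (crossOrigin && new URL(headers.location, url).origin !== originOf(url)) tainted = true;
  }
  return { ok: false, hop: hops.length - 1, reason: 'chain ends on a redirect' };
}

// Constructed sample chain: legacy host answers 301, placeholder host answers 200.
function sampleChain(redirectAllow, finalAllow) {
  const acao = (v) => (v === undefined ? {} : { 'access-control-allow-origin': v });
  return [
    { url: 'https://core.blockstack.org/placeholder', status: 301,
      headers: { location: 'https://new-api.example/placeholder', ...acao(redirectAllow) } },
    { url: 'https://new-api.example/placeholder', status: 200, headers: acao(finalAllow) },
  ];
}

const PAGE = 'https://app.example'; // hypothetical origin of the calling web app
console.log(checkRedirectChain(PAGE, sampleChain(undefined, '*'))); // 301 lacks the header
console.log(checkRedirectChain(PAGE, sampleChain('*', PAGE)));      // final hop echoes the origin
console.log(checkRedirectChain(PAGE, sampleChain('*', '*')));       // wildcard on both hops
```

A plain `curl` request sends no `Origin` header and enforces none of this, so a redirect that works in curl can still be rejected in the browser at either hop.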