#[2.0.0-rc.0] htttp:default permission problems

I have problem with the http plugin in v2 :
http.fetch not allowed. Permissions associated with this command: http:allow-fetch, http:default
With this mobile config file :

// mobile.json
{
  "$schema": "../gen/schemas/mobile-schema.json",
  "identifier": "mobile-capability",
  "description": "Capability for mobile",
  "webviews": [
    "main"
  ],
  "windows": [
    "main"
  ],
  "platforms": [
    "android",
    "iOS"
  ],
  "permissions": [
    {
      "identifier": "http:default",
      "allow": [{ "url": "https://*.tauri.app" }],
      "deny": [{ "url": "https://private.tauri.app" }]
    }
  ],
  "capabilities": [
  ]
}

i follow the documentation explanation but with default rights i can't use fetch in android https://v2.tauri.app/plugin/http-client/

@hardy scroll I meant whether you could show your json after what I asked you to modify

{
  "$schema": "../gen/schemas/mobile-schema.json",
  "identifier": "mobile-capability",
  "description": "Capability for mobile",
  "windows": [
    "main"
  ],
  "platforms": [
    "android",
    "iOS"
  ],
  "permissions": [
    "core:app:default",
    "shell:allow-open",
    "deep-link:default",
    "http:default",
    "http:allow-fetch"
  ],
  "capabilities": [
  ]
}

looks like whatever i change in my config file the tauri app don't care

remove the http:default

have only the allow-fetch

@hardy scroll

change nothing

could you show where you call the fetch

i'm calling it in vue app, and pointing http://10.0.2.2:8080/*

could you show it

async get() {
    const urlPath = this.url + this.path;
    console.debug("[HTTPAxios.ts][GET] " + urlPath)
    return await fetch(urlPath, {
      method: "GET",
      headers: HTTPAxios.header
    });
  }

i don't see the problem of the code here. It worked on all other platforms and not the android app

this is a config problem

but this is a frontend fetch, no? I've been using those the entire time without any limitations

yep frontend

hm

import {fetch} from "@tauri-apps/plugin-http";

ok what if you don't import fetch there

and just use native javascript fetch

fuck it work...

?

it worked

wtf

why did we need http plugin for tauri so ?

I'm not sure lol

well the websockets are not working but i will look into this now

If you're hitting cors issues etc with native fetch

haaa yes i remember now, so well it's not a solution to remove the import

Can you try to reproduce it in a new create-tauri-app and if it still happens, open a github issue?

okay let me few minuts

First bug : if you edit a json capabilities file the auto reload will re-boot infinitly (edit the file -> save -> reboot by it self -> again -> again...)
Second behaviour : the fetch work event without the http:default permissions
The fetch work everytimes

@cedar yew

• i start from a fresh new tauri - vue - vite project
• Add http plugin
• in my app.vue :

<script setup lang="ts">
import Greet from "./components/Greet.vue";
import {onMounted, ref} from "vue";

const response = ref<string>("")

onMounted(() => {
  fetch("http://10.0.2.2:8080/ping", {method: 'GET'}).then(async (r: Response) => {
    response.value = await r.text();
  })
})
</script>

{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "default",
  "description": "Capability for the main window",
  "windows": [
    "main"
  ],
  "permissions": [
    "core:default",
    "shell:allow-open"
  ]
}

I removed the permissions, recompil and the fetch go through without any problems

i d'ont understand the behaviour

but in your main project it doesn't work without all those permissions, correct?

it doesn't work wathever permission you put

but the difference i have two capabilities file :

//desktop.json
{
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "desktop-capability",
  "description": "Capability for desktop",
  "webviews": [
    "main"
  ],
  "windows": [
    "main"
  ],
  "platforms": [
    "linux",
    "macOS",
    "windows"
  ],
  "permissions": [
    "event:allow-emit",
    "event:allow-emit-to",
    "event:allow-listen",
    "event:allow-unlisten"
  ]
}

//mobile.json
{
  "$schema": "../gen/schemas/mobile-schema.json",
  "identifier": "mobile-capability",
  "description": "Capability for mobile",
  "windows": [
    "main"
  ],
  "platforms": [
    "android",
    "iOS"
  ],
  "permissions": [
    "core:app:default",
    "shell:allow-open",
    "deep-link:default",
    "http:allow-fetch"
  ],
  "capabilities": [
  ]
}

what device are you testing on

mobile

android

just as a sanity check, what if you give all the jsons http:allow-fetch

don't work with the permissions copy in both file

have you tried to and delete the gen or target folder and re-run pnpm tauri android init to ensure it is not something from a pre-rc build?

huuu interesting i'm tryng

if you have modified the android code somewhere make sure to save it before though

the init will re-generate the gen folder containing the mobile projects

Also do you have a repro repo to share or is it closed source/a local project?

still have the problem

i send you the link, let me commit my latest try just before

did it btw work in the emulator or are you testing in the emulator?

all tries are done in the emulator

https://github.com/zelytra/OnePool/pull/63

@hollow pivot

your cli is still the beta version btw, not sure if this is related but just wanted to mention

i just see this too, i will upgrade it

also some of your capabilities seem not upgraded to rc

found several core permissions without the core: prefix

i was in the latest beta when i init the tauri project, and i try to upgrade it to RC

your default.json could cause some issues

i removed it, it went back when i've done the tauri android init

if there is no platform specified it will apply to all platforms afaik and it seems pre-rc

ah so caused by the outdated cli

so i update the cli and then do again the init

i guess

yep and then we figure out more 😁

Alright the project is now well generated, but still have the problem

(i commit the update)

hmh desktop is still not using core prefix but that should not be the problem

can you add core:default to your permissions just to confirm they are neither needed nor change the issue?

change nothing, i added it in both file

i maybe need to use the default file and not trying to use different conf depending the device (for now)

also do you have this configured?

{
      "identifier": "http:allow-fetch",
      "allow": [{ "url": "http://10.0.2.2:24904/auth" }]
}

or http://* should also work

hmh you could also remove the default file and just work with specific configs but this shouldn't impact the fetch permission

i'm trying, btw this url is for my auth platform:

• I redirect the user to this url
• The user autenticate
• Then redirect back to my tauri app
• Then using the token to contact my backend

"permissions": [
    "event:allow-emit",
    "event:allow-emit-to",
    "event:allow-listen",
    "event:allow-unlisten",
    {
      "identifier": "http:allow-fetch",
      "allow": [{ "url": "http://*" }]
    }
  ],

nothing change

core:event

it should fail on compile though

so I am wondering why it works with event: instead of core:event

"permissions": [
    "core:event",
    {
      "identifier": "http:allow-fetch",
      "allow": [{ "url": "http://*" }]
    }
  ]

Like this ?
And yes no problem of compilations

can you remove the webviews key btw

And yes no problem of compilations
I am confused

//mobile.js
{
  "$schema": "../gen/schemas/mobile-schema.json",
  "identifier": "mobile-capability",
  "description": "Capability for mobile",
  "windows": [
    "main"
  ],
  "platforms": [
    "android",
    "iOS"
  ],
  "permissions": [
    "core:event",
    {
      "identifier": "http:allow-fetch",
      "allow": [{ "url": "http://*" }]
    }
  ],
  "capabilities": [
  ]
}

here's now the file and it compile and still the problem

i'm certain i'm missing something somewhere completly stupid but what is it...

no i don't think you're missing anything. I think there's a bug in the capabilities handling. I don't think you're the only one with issues like this one.
Today or Yesterday i saw another issue where it looked like "windows": [ "main" ], "platforms": [ "android", "iOS" ], just didn't work. (can't find it rn)

did it work without any platform specifier or just not at all?

can't remember, trying to find it

Well if another one have the problem, the goal is to reproduce it in a clean environement. But when i've try they were no problem and even more, without the permission i could do the fetch !

without the permission and without the tauri import or still with the import?

What do you mean by tauri import ?

import {fetch} from "@tauri-apps/plugin-http";

So yes with the tauri import and without the permission

here's the test

there is no import in the test

huuu

so it uses the built-in fetch of the webview which has nothing to do with our http plugin fetch

well let me retry i guess i say some bullshit

this one should be a p1 issue if reproducible

Its late for me here and will go for bed but will retry your pr tomorrow morning on my dev setup

Have a good night ! I'm trying to create a repro on my side to simplify you the job

I really hope it wasn't this issue i wasn't able to remember because i literally wrote a comment on it 2 minutes before my message here ffs
https://github.com/tauri-apps/plugins-workspace/issues/1156

After some tests, the only difference between my clean install and my app is the auth redirecting part

cf this message

i'm trying to remove this part to let the user always at the same app base url

Yesterday i try to reproduce it in a clean env with and without auth it change nothing. The clean environement works everytimes i don't understand. I even recreate again the tauri project in my proect without success

i cannot help furhter... i will wait for a fix or a solution

if you need me dont hesitate to ping me, and if you have news about this issue let me know !

I REPRODUCE THE PROBLEM !!

Let me do a simple schema just before

Network point of view :

• Vite server : http://localhost:1420 (PC)
• Keycloak server : http://localhost:24904/auth (PC)
• Android network bridge : 10.0.2.2 (Emulator)

My gess is : when redirecting to "app" Tauri think i'm not on the app anymore but on external url

I use 10.0.2.2 to permit the android emulator acces my servers (https://stackoverflow.com/questions/5528850/how-do-you-connect-localhost-in-the-android-emulator)

@cedar yew @hollow pivot

Now i guess the problem came from me and my workflow solutions. Is it my fault and i need to handle the redirect back in another way or is this a tauri problem ?

The question now is : Who to redirect the user to the app ?

when i try to set the redirect url to window.location.origin i get this error on android (but this work on computers device)

I guess this is not the url. I try to just from the tauri app pushing the user to the window.location.origin + random url it work and didn't get the connection refued

so it can come from from external source maybe ? ...

I also think I have an alternative suggestion in case the permission is blocking:
Since your are using a Tauri API on the 10.0.2.2 host you could allow the origin in your permissions and add another capability file for this purpose

{
  "identifier": "mobile-capability",
  "description": "Capability for mobile oauth via redirect",
  "windows": [
    "main"
  ],
  "remote": {
    "urls": ["http://10.0.2.2"]
  }
  "platforms": [
    "android",
    "iOS"
  ],
  "permissions": [
    {
      "identifier": "http:allow-fetch",
      "allow": [{ "url": "http://*" }]
    }
  ]
}

This will not solve the problem only for dev mode and not production mode ? (didn't test yet in production)

And it didn't solve the problem. Same behaviour, when redirecting to http://tauri.localhost throw the connection refused and when redirecting to 10.0.2.2 the fetch is still forbidden

i'm surprised i'm the only one uncountering this problem, i'm just trying to implement classic auth system on android version of tauri...

am i the first ? (i'm sure no)

ccing @tall magnet

i can't reproduce.. (running on android)
do you have an example i can use? maybe a repo?

Hello ! Here is my test : https://github.com/zelytra/tauri-andoid-oauth

can't you keep using localhost on the UI, but connect to 10.0.0.2.2 when making requests? and configure CORS on your server?

ok i'll check it out

i have an external Keycloak server as i decribed before and a backend to request the ping

is that in that repo too?

nop only the webapp under tauri, the real repo where i uncounter the problem is this one : https://github.com/zelytra/OnePool

ok what do i need to do to reproduce it? just run it?

The repo for my test i gave you is my most recent tests for this issue, this pr is not most recent test but my tauri integration under android using my project : https://github.com/zelytra/OnePool/pull/63

Mock a fake backend server responding on http://10.0.2.2:8080/ping by something

ok so i guess i should test your branch feature/tauri-integration

i wanna get to the bottom of it

And a Auth server like Keylcoak to simulate the auth server redirection

keycloak-js is used to handle to auto redirect and user fetching informations

i can generate a small docker compose on the testing repo to make sure to reproduce well the problem

and a Mockoon file to simulate the backend

https://github.com/zelytra/tauri-andoid-oauth i updated the repo you can check the docker compose for the keycloak service and the mockoon file for the backend

so just to confirm, is the fetch() error happening after you redirect to http://10.0.2.2:5173?

Yes, not before, just after

and i tried to redirect to http://tauri.localhost as i do on all my Tauri computer app but here its not working

i get connection refused :

right right android is a little different

I maybe don't understand a network part on Android integration that lock my self from the solution

The path /onepool/psql-data/app is not shared from the host and is not known to Docker.
do i need to create this? i guess i could just point it to another dir?

yes point whatever you want, you can even delete it it's for perstance between the down

ok i guess it's working now, let's see

what is http://localhost:8080/ping supposed to return? is that even reachable now that it's being docker?

(trying to reach it from the browser, not even tauri yet)

i see i get a resource not found page if i change localhost with my local network address

the /ping is for me a Quarkus backend, but i gave you a mockoon file to simulate the backend on your side

it just return a string "Pong"

The docker don't contain the backend

hmm ok

so i guess i dont even need the docker 😂

for the keycloak

ok so first of all, you need to replace:

"remote": {
    "urls": [
      "http://10.0.2.2"
    ]
  },

with:

"remote": {
    "urls": [
      "http://10.0.2.2:24904"
    ]
  },

then the api call will work
watch and learn @hollow pivot

note that you're only allowing fetch to /ping on this example, so for instance i'm getting this error:
Uncaught (in promise) url not allowed on the configured scope: http://10.0.2.2:24904/auth/realms/OnePool/protocol/openid-connect/x

the fetch of /ping work for you ?

with this change ?

Tauri/Console: File: http://10.0.2.2:1420/ - Line 0 - Msg: Uncaught (in promise) http.fetch not allowed on window main, webview main, allowed windows: , allowed webviews: , referenced by

yeah, i'm not using 10.0.2.2:1420 though, i'm redirecting back to window.location.href (i'm still checking how to fix the redirect)

to make requests on http://10.0.2.2:1420 you need this:

"remote": {
"urls": [
"http://10.0.2.2:24904",
"http://10.0.2.2:1420"
]
},

but in produciton mode those things don't work

the redirection still need to be done to the tauri app

wich not work with m tries

yeah, that's what i'm investigating now

but you misconfigured the remote (missing port) so that's why the permission was failing

i confirm now in dev mode it work

somehow the redirect to http://tauri.localhost/#state=ab3d05af-9f33-4f04-bf7a-cb4a67083da8&session_state=8f57a12d-1a82-4270-b340-180c32c40a7d&iss=http%3A%2F%2F10.0.2.2%3A24904%2Fauth%2Frealms%2FOnePool&code=480a4aa8-50fd-488e-8566-6115 isn't triggering https://developer.android.com/reference/android/webkit/WebViewClient#shouldInterceptRequest(android.webkit.WebView, android.webkit.WebResourceRequest)
so that's why you see that 404 page

how are you making that redirect?

to redirect back the user to the app

the /#state is added by keycloak

i don't use it

wait a sec i did get the request now(?) let me investigate more

nvm i only get the request when i open the inspector.. i assume the redirect is done by keycloak instead of your frontend right?

exactly

ok i have a workaround

since the http://tauri.localhost request is a redirect and Android does not let us know about that one, you'll need to start a separate server on the android phone, which will return this html:

<html>

<body>
  <script>
    window.location.href = `http://tauri.localhost/${location.hash}`
  </script>
</body>

</html>

then you'll use that server as redirect url: keycloakStore.init("http://localhost:port");

this server will need to be started by your app rust code

let me see if i can draft it

that's fell not a good practice this solution

not much we can do here.. since android does not let us know about the redirect

for dev we can get away with this by using the dev URL directly, but for production... no way

https://github.com/zelytra/tauri-andoid-oauth/pull/1

@hollow pivot please forgive me and also give my blessing 😂

Am'i the only one trying to implementing auth in a tauri andoird app ??

we are okay that i'm just trying to implement a absoluth normal auth solution

i'm suprised to need to do this workaround to solve the problem

oauth with an in-app redirect? probably

otherwise more people would've reported this 😐

unfortunately that's a limitation of the android platform, so unless there's another way for us to catch network requests.. no other alternative

So any 302 redirect will end up in an ERR_CONNECTION_REFUSED? Seems a pretty serious thing.
@tall magnet, but how comes that the middleware server you create to redirect can intercept the 302 redirect, but the main app view not?

the main app view uses an android api to intercept the redirect and forward the request to tauri itself so tauri can return your bundled asset

the localhost server does not need that api

i’ll try an alternative

ok i think i can fix this on the tauri side

will open a pr in a bit

https://github.com/tauri-apps/wry/pull/1340
@queen linden in case you need more context, it's this thread 😂

@tall magnet , thanks a lot. Did not try yet the fix, but thanks a lot for helping

This will fix the initial problem ?

will fix the redirect failing to load

then you just need to adapt your code to add the port on the capability

and redirect to location.href instead of 10.0.2.2 etc

we’ll publish later today

so the server to catch the redirect is no more needed ?

nope

Thank you all for your help and your time !

And sorry for making you suffer from my poor level of English

nah nah you’re alright

On wich release the patch as been pushed, or will be pushed ?

Wry patch was released two days ago https://github.com/tauri-apps/wry/pull/1302 and tauri release happened on the same day https://github.com/tauri-apps/tauri/pull/10561. Should be in rc3.

This a beta rc, i was thiniking it was a simple rc

thanks

It work !!

FYI we're still fixing a couple issues https://github.com/tauri-apps/wry/pull/1354

one of them affect your demo app, idk why we didn't catch it before

Hello ! Thanks for the feed back, i didn't push further my demo app due to holidays i will check this later thanks you !

@hardy scroll what is you ended up using? using keycloak, should we separate the auth to another frontend process outside tauri?

Hello, i don't realy understand what you mean by using another frontend for the aut. If you mean by using the trick to create a fake frontend turning in back to handle the auth, nop this is not required. You only need to redirect the user to your auth page and the fallback work since the patch mentionned in few message upper this one

But i found some limitation using this system and didn't go furhter to the test

And i don't know what is the current state of the art concerning the Authentification process using Tauri, if their is good practice documentation about or anythings else.

As i supposed to be since the first launch of the framwork Tauri is made to be a transparant web app compiler so all classic web solutions about auth should work

i guess

yeah I mean the classic auth.. Like docker desktop, when you click sign in, you'll go to another login page (usually open up your browser) on separate frontend server. so you login there, and then you just get the auth result back to tauri's backend. Something like that.

This thread is about android auth system with Tauri

Bu i uses tauri on a Windows use case and i achieve to redirect the user to the auth page without leaving the app. You can look at this project : https://betterfleet.fr

I know, I mean is it treated the same?

Normaly yes, but since the patch mentionned above i didn't go further in the test

But the fallback and redirect works

login using socials like gmail/github? do you mind to share the solution?

It depend on your auth system, here i use Keycloak you only need to setup the IDP