BUG: Unauthorized POST for invalidateCache when embedding Retool in iFrame

Lars_Fredholm · January 29, 2025, 2:57pm

I have embedded my Retool app (in an iFrame) and when testing the app I found that invalidateCache-calls don't work. They do however work when I run the same app, with the same user, in non-embedded mode.

The error message I get (when checking Console in Inspect [Edge]) is this:
POST https://retool.abc.com/api/pages/uuids/xyz/invalidateCache 401 (Unauthorized)

And if I check that Network response I see:
{
"success": false,
"message": "Authentication failure. Missing access token",
"triggerOauth2SSOLoginAutomatically": false,
"triggerSamlLoginAutomatically": false
}

Can anyone help me out?

Jack_T · February 7, 2025, 6:37pm

Hi @Lars_Fredholm,

It sounds like the app in the iframe is missing the token needed from SSO. Are you prompted to login via SSO in the iframe and doing so successfully?

Lars_Fredholm · February 12, 2025, 4:20pm

Hi @Jack_T! We are not using Retool's SSO, instead we are using "Custom authentication with Retool API" (Embed web apps | Retool Docs)

Note that everything with the parent and the app itself works great, except invalidateCache-calls. Those are the only ones where we get the issue I described.

Jack_T · February 12, 2025, 6:57pm

Ah ok thanks for letting me know.

Good to hear that everything else in the parent and app are working fine. So you are making other calls to the Retool backend API that are also Auth protected and those are working.

If so, this sounds like a route specific bug for the /invalidateCache endpoint, which I can report to our engineer team.

Lars_Fredholm · February 13, 2025, 8:28am

Thanks @Jack_T , I’d very much appreciate if you could report this!
How can I track the issue, so we know when to try to enable caching again?

Jack_T · February 14, 2025, 11:14pm

Hi @Lars_Fredholm,

No worries. The tickets are tracked internally so as soon as the engineers update the status or post any comments on the ticket I will see this and be able to update you in this thread!

It looks like they are discussing how recent consolidations of our auth middleware should now be working for embedded auth. So this may be a bug that snuck through and needs some work to patch

Will let you know if I hear more!