BUG: Unauthorized POST for invalidateCache when embedding Retool in iFrame

I have embedded my Retool app (in an iFrame) and when testing the app I found that invalidateCache-calls don't work. They do however work when I run the same app, with the same user, in non-embedded mode.

The error message I get (when checking Console in Inspect [Edge]) is this:
POST https://retool.abc.com/api/pages/uuids/xyz/invalidateCache 401 (Unauthorized)

And if I check that Network response I see:
{
  "success": false,
  "message": "Authentication failure. Missing access token",
  "triggerOauth2SSOLoginAutomatically": false,
  "triggerSamlLoginAutomatically": false
}

Can anyone help me out?

Hi @Lars_Fredholm,

It sounds like the app in the iframe is missing the token needed from SSO. Are you prompted to log in via SSO in the iframe and doing so successfully?

Hi @Jack_T! We are not using Retool's SSO, instead we are using "Custom authentication with Retool API" (Embed web apps | Retool Docs)

Note that everything with the parent and the app itself works great, except invalidateCache-calls. Those are the only ones where we get the issue I described.

Ah ok thanks for letting me know.

Good to hear that everything else in the parent and app is working fine. So you are making other calls to the Retool backend API that are also Auth protected and those are working.

If so, this sounds like a route-specific bug for the /invalidateCache endpoint, which I can report to our engineering team.

Thanks @Jack_T, I’d very much appreciate it if you could report this!
How can I track the issue, so we know when to try to enable caching again?

Hi @Lars_Fredholm,

No worries. The tickets are tracked internally so as soon as the engineers update the status or post any comments on the ticket I will see this and be able to update you in this thread!

It looks like they are discussing how recent consolidations of our auth middleware should now be working for embedded auth. So this may be a bug that snuck through and needs some work to patch :sweat_smile:

Will let you know if I hear more!

Any news with this issue?
I'm experiencing it too.
Invalidation works in editor but not in an iframe.
AFAIU the user is recognized since I'm able to show his attributes.

Thanks

Hi @alexsroussi,

Thanks for your +1. I see that you chatted with my teammate internally as well. We've had trouble reproducing this, so we haven't been able to move forward on a fix. Any further details you can share about your setup may help us narrow this down :crossed_fingers: