supporter onboarding iframing of gateway #3293
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 25 commits
November 25, 2025 11:26
amend signin controller encrypted cookie signinOrRegister state based on where the journey started
…r flow for people going through the registration journey in order for them to set consents and newsletter consents
…ggling them calls a new authenticated api endpoint instead of submitting the pages form.
…istering) when they reach the /welcome/complete-account page. Wait for them to make a choice. Remove the client side js that set users consents in real time as the user clicked on the toggles.
… supporter onboarding pages of support.theguardian.com Use fetch instead of form submit to POST to the /passcode endpoint, and then post message back to parent page with user auth status
Minor style amends to make the iframed sign in and register pages look more like the designs (WIP)
remove comments and unused eslint ignore rule run prettier fix
… of using route path array as the CI jest tests fail otherwise
…-frontend doesn't support theming as of the time of writing this commit, so forcing it to match the design of the only parent page thats using the iframed journey for now.
…ide any scrollbars
…gister pages style amends to the iframed pages to make them more like the supporter onboarding designs (more like support-frontend style which is currently the only consumer of the iframed routes)
…ut component when used inside an iframe to reflect the different spacing in the designs
…mitted via the onSubmit clientside handler. fix some padding issues use postMessage to send link click info to the parent page when recaptcha privacy policy or terms linked are clicked (only if the site is being iframed)
… page has added content to itself
rBangay
force-pushed
the
rb-al/supporter-onboarding-iframe
branch
from
cf41994 to
fb47fb1
Compare
| // if it exists | ||
| const email = decryptedEmail || signInEmail || readEmailCookie(req); | ||
|
|
||
| const getPath = req.originalUrl as RoutePaths; |
Contributor
There was a problem hiding this comment.
is this /signin or iframe/signin?
Contributor
Author
There was a problem hiding this comment.
Hey, it should handle both /signin and /iframed/signin
… iframed sync handler
| ): UserStateChangeStatus => { | ||
| const responseUrl = new URL(urlString); | ||
| const reponseUrlPath = responseUrl.pathname; | ||
| if (reponseUrlPath.startsWith('/welcome')) { |
Contributor
There was a problem hiding this comment.
We might be removing this /welcome/exisiting soon but we can potentially resolve this after.
akinsola-guardian
previously approved these changes
Nov 26, 2025
akinsola-guardian
approved these changes
Nov 26, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this change?
This pr allows gateway to be iframed into support.theguardian.com.
For the first use case gateway is iframed into the supporter onboarding page (the thank you page after making an All-access digital purchase).
The iframed gateway pages need to handle both signin and register flows.
Note
In order to maintain dynamic height resizing of the iframe and communication between the iframe and it's parent page (specifically around reporting the signed in/ register success/failure state and whether a user has click on an anchor link within the iframe) there is a dependancy on client side javascript, and in particular the postMessage method (https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).
Another note
There was some preparatory work done here (#3270) where we set the frameAncestors CSP directive (https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors) which controls which parent domains we consider worthy of the honour of iframing gateway 👑
There was a separate pr in support-frontend (#3270) where we updated the CSP default-src directive to allow gateway to be iframed into support-frontend.
Images