Closed rberends closed 2 years ago
This is strange behavior and I can't actually reproduce it. The thing is that form data is not sent to http://xxx/ldap_auth at all - it is sent to http://xxx/signin
Can you share your configuration, omitting any secrets of course?
Hey! Certainly, here's the full config file - I've anonymised some details.
```
scoold.env = "production"
scoold.app_name = "xxx"
scoold.para_access_key = "app:xxx-test"
scoold.para_secret_key = "_secret"
scoold.para_endpoint = "https://paraio.com"
scoold.port = 80
# add your email here
scoold.admins = "r.berends@yyy.com"
# (optional) require authentication for viewing content
scoold.is_default_space_public = true
#Default spaces, but only 1 possible in the free version.
scoold.auto_assign_spaces = "default,Presentation,Mobile"
#yyy emails only
scoold.approved_domains_for_signups = "yyy.com"
# Chipflow custom
#logo
scoold.logo_url = "http://xxx/xxx.png"
scoold.logo_width = 160
#url for xxx
scoold.host_url = "http://xxx/"
scoold.welcome_message = "xxx: <b>Go with the Flow!</b> Lees hier meer <a href=""http://xxx:80/about"">over</a> xxx."
scoold.welcome_message_onlogin = "xxx: Go with the Flow! Welkom terug {{user.name}}!"
#favicon
scoold.favicon_url = "http://xxx/xxx-favicon.ico"
scoold.navbar_link1_url = "https://cs.yyy.com/nieuws/pages/csnews.aspx"
scoold.navbar_link1_text = "Intranet"
scoold.navbar_link1_target = "_blank"
#external avatars off
scoold.gravatars_enabled = false
#static local folder
spring.web.resources.static-locations = "classpath:/static/, file:/home/scoold/static/"
#email-settings
scoold.support_email = "rberends@yyy.nl"
scoold.mail.host = "smtp.yyy.com"
scoold.mail.port = 25
scoold.mail.tls = false
scoold.mail.username = ""
scoold.mail.password = ""
scoold.mail.ssl = false
# enable SMTP debug logging
scoold.mail.debug = true
scoold.user_autocomplete_details_enabled = true
#LDAP/AP
scoold.password_auth_enabled = false
scoold.security.ldap.user_search_filter = "(&(objectClass=user)(proxyAddresses=smtp:{0}))"
scoold.security.ldap.base_dn = "ou=users,ou=yyy,dc=yyy,dc=com"
scoold.security.ldap.server_url = "ldap://ldap.yyy.com:389"
scoold.security.ldap.active_directory_domain = "yyy.com"
scoold.security.ldap.provider = "met @yyy.com"
scoold.security.ldap.is_local = true
# required for passwordless authentication with Para
scoold.app_secret_key = "__secret"
```
Some extra information: We are running this from the .jar, and will be running Para and Scoold in-house on our secure internal network, currently on HTTP as opposed to HTTPS.
As this is a prototype, I am for now connecting to paraio. Soon we will be switching to the local para installation.
I see the problem - `scoold.security.ldap.is_local = true` - this should be `false` if you are hosting both Para and Scoold.
The idea behind that property is to make Scoold authenticate with an internal LDAP server that is not exposed to the Internet while using the cloud-based Para service (paraio.com).
But that error indicates a bug which I will fix soon.
Hey there!
After switching to a locally hosted Para installation, and setting `scoold.security.ldap.is_local = false`, it redirects users without any problems. It seems to have resolved all issues so far.
Thank you!
Fixed in Scoold Pro.
Hey there,
After logging in with a local LDAP server, which is successful (I can browse Scoold while being logged in), I don't get redirected automatically. Instead I get an exception in my browser's developer tools:
Refused to send form data to 'http://xxx/ldap_auth' because it violates the following Content Security Policy directive: "form-action 'self' http://xxx/signout".
Despite this being shown in my developer tools, I don't get an error graphically reported on the Scoold page itself, something that does happen with incorrect log details.
Would there be a way to make this work without users having to manually navigate away, not knowing whether the login initially worked or not?
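
An added example, not part of the thread and not Scoold's code: a simplified evaluation of a `form-action` directive like the one in the browser error above, to check which form targets a given policy permits. Hostnames and function names are constructed; wildcards, scheme upgrades and the redirect checks some browsers apply are not modelled.

```javascript
// Simplified CSP form-action evaluation (added example; covers 'self', 'none',
// scheme-sources and host-sources without wildcards; redirects are not modelled).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol] || ""}`;
}

// Return the source list of the form-action directive, or null if absent.
function formActionSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "form-action") return sources;
  }
  return null;
}

function sourceMatches(source, target, pageUrl) {
  const keyword = source.toLowerCase();
  if (keyword === "'none'") return false;
  if (keyword === "'self'") return originOf(target) === originOf(pageUrl);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return new URL(target).protocol === keyword;
  let src;
  try { src = new URL(source); } catch { return false; } // unsupported expression
  if (originOf(src.href) !== originOf(target)) return false;
  const hasPath = /^[a-z][a-z0-9+.-]*:\/\/[^/]+\//i.test(source);
  if (!hasPath) return true; // no path part: whole origin allowed
  const path = new URL(target).pathname;
  // A source path ending in "/" is a prefix match; otherwise it must match exactly.
  return src.pathname.endsWith("/") ? path.startsWith(src.pathname) : path === src.pathname;
}

function formActionAllows(policy, pageUrl, target) {
  const sources = formActionSources(policy);
  if (sources === null) return true; // form-action has no default-src fallback
  return sources.some((s) => sourceMatches(s, new URL(target, pageUrl).href, pageUrl));
}

// Constructed values: hostnames are placeholders, not taken from the thread.
const POLICY = "default-src 'self'; form-action 'self' http://scoold.example/signout";
const PAGE = "http://scoold.example/signin";
for (const t of ["/ldap_auth", "http://scoold.example:8000/ldap_auth", "http://para.example/ldap_auth"]) {
  console.log(t, formActionAllows(POLICY, PAGE, t) ? "allowed" : "refused");
}
```

When a browser reports a `form-action` refusal, comparing the scheme, host and port of the form target against the origin the page was actually served from shows whether `'self'` can match it.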