EtchUK / Etch.OrchardCore.SEO

Module for Orchard Core that provides useful features for SEO.
MIT License

Locked out of admin when providing a custom domain #74

Open mroskamp opened 3 years ago

mroskamp commented 3 years ago

This is an unusual configuration, I'm sure, but if the Hostname Redirect feature is enabled and points to an external custom domain, the user can get locked out of the admin panel. The admin pages are ignored by default, but the login page is not. This means that if the user is not authenticated, but tries to access the admin panel, they'll get rerouted to the custom domain when prompted for login.

The admin can manually add the login page (and any variants) to the ignore list, but if they forget (or if someone unknowingly removes it) they're stuck. For my purposes, adding a basic IsLogin check in RewriteOptionsService.CheckIfIgnored is sufficient, but that may not be the best general solution, since some Orchard Core sites may have end users use the login page (not just site admins).

peterkeating commented 3 years ago

@mroskamp Slightly confused, when you try to log in and get rerouted to the custom domain, why aren't you able to log in on the custom domain?

mroskamp commented 3 years ago

@peterkeating, in my case the custom domain was a completely separate site. I had a development area redirecting to a test area's URL, so I got redirected to the test area's login page.

This is, admittedly, an unusual configuration, and not one that I'd do outside of a dev area. In my case I was able to restore from a backup and was good to go, but it illustrates that a misconfiguration of the feature could lock an admin out of the site.

peterkeating commented 3 years ago

@mroskamp My initial thoughts on an approach we could take for controlling whether the login page is included/excluded from the redirect logic is to use an environment variable. That way a tweak to the environment can allow you to regain access to the admin area. I think one way you could have worked around the issue is to tweak the settings directly within the database, however an environment variable would be a more accessible solution.

Interested to hear your thoughts.
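The two ideas raised in this thread, an always-on exemption for the login path in the ignore check and an environment-variable override that lets an operator switch the redirect off without touching the database, sketched as an ASP.NET Core middleware. This is an added example, not code from Etch.OrchardCore.SEO or Orchard Core; the class names, the `/admin` and `/login` prefixes (Orchard Core lets both be reconfigured, so a real implementation would read them from its options) and the `SEO_HOSTNAME_REDIRECT_DISABLED` variable name are all assumptions made here for illustration.

```csharp
// Added example, not Etch.OrchardCore.SEO's own code. All names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public sealed class HostnameRedirectOptions
{
    // Host every non-ignored request is redirected to, e.g. "www.example.com". Empty disables the feature.
    public string CanonicalHost { get; set; } = "";

    // Admin-editable ignore list. Deleting an entry here must not be able to lock anyone out.
    public List<string> IgnoredPaths { get; } = new() { "/sitemap.xml" };
}

public static class HostnameRedirectPolicy
{
    // Hypothetical kill switch: setting it to "true" in the host environment disables the redirect
    // entirely, so an operator can regain the admin area without editing the database.
    public const string KillSwitchVariable = "SEO_HOSTNAME_REDIRECT_DISABLED";

    // Prefixes that are exempt regardless of the stored ignore list. Assumes Orchard Core's
    // default admin and login paths; both are configurable in a real site.
    private static readonly string[] AlwaysIgnored = { "/admin", "/login" };

    public static bool IsDisabledByEnvironment() =>
        string.Equals(Environment.GetEnvironmentVariable(KillSwitchVariable), "true",
                      StringComparison.OrdinalIgnoreCase);

    public static bool IsIgnored(HostnameRedirectOptions options, PathString path) =>
        AlwaysIgnored
            .Concat(options.IgnoredPaths)
            .Any(prefix => path.StartsWithSegments(prefix, StringComparison.OrdinalIgnoreCase));

    public static bool ShouldRedirect(HostnameRedirectOptions options, string requestHost, PathString path)
    {
        if (IsDisabledByEnvironment()) return false;
        if (string.IsNullOrWhiteSpace(options.CanonicalHost)) return false;
        if (string.Equals(requestHost, options.CanonicalHost, StringComparison.OrdinalIgnoreCase)) return false;
        return !IsIgnored(options, path);
    }
}

public sealed class HostnameRedirectMiddleware
{
    private readonly RequestDelegate _next;
    private readonly HostnameRedirectOptions _options;

    public HostnameRedirectMiddleware(RequestDelegate next, HostnameRedirectOptions options)
    {
        _next = next;
        _options = options;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var request = context.Request;
        if (HostnameRedirectPolicy.ShouldRedirect(_options, request.Host.Host, request.Path))
        {
            // Preserve path base, path and query so deep links survive the hostname change.
            var target = $"{request.Scheme}://{_options.CanonicalHost}" +
                         $"{request.PathBase}{request.Path}{request.QueryString}";
            context.Response.Redirect(target, permanent: true);
            return;
        }

        await _next(context);
    }
}
```

The hard-coded exemption reproduces the trade-off mroskamp points out: on a site whose end users also sign in through `/login`, those users would now stay on the old hostname for that one page, so the exemption is a policy choice rather than a universally correct default. The environment variable avoids that trade-off by leaving the redirect rules alone and giving the operator a recovery path outside the tenant's stored settings; because it is read on every request, restarting the process is not required, but the value is only as trustworthy as the host environment it is set in.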