Stirling-Tools / Stirling-PDF

#1 Locally hosted web application that allows you to perform various operations on PDF files
https://stirlingpdf.com
MIT License

[Bug]: Remove Image PDF Error Forbidden:Forbidden #2104

Open thiagoor-cpu opened 10 hours ago

thiagoor-cpu commented 10 hours ago

Installation Method

Docker

The Problem

I tried "Remove Image PDF" in version 0.29 Docker and it worked fine; now I tried the same PDF in 0.30.1 Docker and I'm getting this error after hitting submit:

Error Forbidden:Forbidden

It's weird because info.log did not log a single thing related to it; it looks like the request didn't arrive at Stirling-PDF. Other tools work fine with the same PDF, like Convert to Word and Rotate PDF.

I'm behind a Caddy reverse proxy, but since it did not change I don't think this is the problem.

Version of Stirling-PDF

0.30.1

Last Working Version of Stirling-PDF

0.29

Page Where the Problem Occurred

remove-image-pdf

Docker Configuration

```sh
docker run -d \
  -p XXXX:YYYY \
  -v /opt/stirlingpdf/trainingdata:/usr/share/tessdata \
  -v /opt/stirlingpdf/extraconfigs:/configs \
  -v /opt/stirlingpdf/logs:/logs \
  -v /opt/stirlingpdf/customFiles:/customFiles \
  -e DOCKER_ENABLE_SECURITY=true \
  -e INSTALL_BOOK_AND_ADVANCED_HTML_OPS=true \
  -e LANGS=pt_BR \
  --name stirling-pdf \
  --restart unless-stopped \
  frooodle/s-pdf:latest
```

Relevant Log Output

No response

Additional Information

No response

Browsers Affected

No response

No Duplicate of the Issue

dosubot[bot] commented 10 hours ago

Hello @thiagoor-cpu! I'm here to help you with any bugs, questions, or contributions you have for Stirling-PDF. Let's work together to solve the issue you're facing.

The "Forbidden:Forbidden" error you're encountering when using the "Remove Image PDF" feature in Stirling-PDF version 0.30.1 could be related to changes in security configurations or access control mechanisms between versions 0.29 and 0.30.1. Since you are using Docker with DOCKER_ENABLE_SECURITY=true, it's important to ensure that your OAuth2 settings and API key configurations are correctly set up.

In version 0.30.1, Stirling-PDF uses OAuth2 for authentication and authorization when DOCKER_ENABLE_SECURITY is enabled. Make sure that your OAuth2 provider settings, such as client ID and secret, are correctly configured. Additionally, check if the API key is correctly set in the request headers, as the UserAuthenticationFilter class handles authentication by checking for an API key if no OAuth2 authentication exists [1][2].

Since you mentioned that other tools work fine and the issue seems specific to the "Remove Image PDF" feature, it might be worth checking if there are any specific permissions or configurations required for this feature in the new version. Also, consider reviewing any changes in the reverse proxy configuration, even though it hasn't changed, to ensure compatibility with the updated security settings.

To continue talking to Dosu, mention @dosu.

Frooodle commented 9 hours ago

Sorry, this is AI generated and under testing; please don't take its advice as full truth.

Frooodle commented 9 hours ago

If you have edited it can you post your settings.yml

thiagoor-cpu commented 9 hours ago

> If you have edited it can you post your settings.yml

I'm using OAuth2 from Google; I removed the keys in this post.

```yaml
security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. Fail2Ban you can deactivate the function with -1
  loginResetTimeMinutes: 60 # lock account for 2 hours after x attempts
  loginMethod: oauth2 # 'all' (Login Username/Password and OAuth2[must be enabled and configured]), 'normal'(only Login with Username/Password) or 'oauth2'(only Login with OAuth2)
  initialLogin:
    username: '' # Initial username for the first login
    password: '' # Initial password for the first login
  oauth2:
    enabled: true # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
    client:
      keycloak:
        issuer: '' # URL of the Keycloak realm's OpenID Connect Discovery endpoint
        clientId: '' # Client ID for Keycloak OAuth2
        clientSecret: '' # Client Secret for Keycloak OAuth2
        scopes: openid, profile, email # Scopes for Keycloak OAuth2
        useAsUsername: preferred_username # Field to use as the username for Keycloak OAuth2
      google:
        clientId: # Client ID for Google OAuth2
        clientSecret: # Client Secret for Google OAuth2
        scopes: https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile # Scopes for Google OAuth2
        useAsUsername: email # Field to use as the username for Google OAuth2
      github:
        clientId: '' # Client ID for GitHub OAuth2
        clientSecret: '' # Client Secret for GitHub OAuth2
        scopes: read:user # Scope for GitHub OAuth2
        useAsUsername: login # Field to use as the username for GitHub OAuth2
    issuer: '' # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
    clientId: '' # Client ID from your provider
    clientSecret: '' # Client Secret from your provider
    autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
    blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin
    useAsUsername: email # Default is 'email'; custom fields can be used as the username
    scopes: openid, profile, email # Specify the scopes for which the application will request permissions
    provider: google # Set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
  saml2:
    enabled: false # Currently in alpha, not recommended for use yet, enableAlphaFunctionality must be set to true
    autoCreateUser: false # set to 'true' to allow auto-creation of non-existing users
    blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin
    registrationId: stirling
    idpMetadataUri: https://dev-XXXXXXXX.okta.com/app/externalKey/sso/saml/metadata
    idpSingleLogoutUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/slo/saml
    idpSingleLoginUrl: https://dev-XXXXXXXX.okta.com/app/dev-XXXXXXXX_stirlingpdf_1/externalKey/sso/saml
    idpIssuer: http://www.okta.com/externalKey
    idpCert: classpath:octa.crt
    privateKey: classpath:saml-private-key.key
    spCert: classpath:saml-public-cert.crt

enterpriseEdition:
  enabled: false # set to 'true' to enable enterprise edition
  key: 00000000-0000-0000-0000-000000000000
  CustomMetadata:
    autoUpdateMetadata: false # set to 'true' to automatically update metadata with below values
    author: username # Supports text such as 'John Doe' or types such as username to autopopulate with users username
    creator: Stirling-PDF # Supports text such as 'Company-PDF'
    producer: Stirling-PDF # Supports text such as 'Company-PDF'

legal:
  termsAndConditions: https://www.stirlingpdf.com/terms-and-conditions # URL to the terms and conditions of your application (e.g. https://example.com/terms) Empty string to disable or filename to load from local file in static folder
  privacyPolicy: https://www.stirlingpdf.com/privacy-policy # URL to the privacy policy of your application (e.g. https://example.com/privacy) Empty string to disable or filename to load from local file in static folder
  accessibilityStatement: '' # URL to the accessibility statement of your application (e.g. https://example.com/accessibility) Empty string to disable or filename to load from local file in static folder
  cookiePolicy: '' # URL to the cookie policy of your application (e.g. https://example.com/cookie) Empty string to disable or filename to load from local file in static folder
  impressum: '' # URL to the impressum of your application (e.g. https://example.com/impressum) Empty string to disable or filename to load from local file in static folder

system:
  defaultLocale: pt-BR # Set the default language (e.g. 'de-DE', 'fr-FR', etc)
  googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow
  enableAlphaFunctionality: false # Set to enable functionality which might need more testing before it fully goes live (This feature might make no changes)
  showUpdate: false # see when a new update is available
  showUpdateOnlyAdmin: false # Only admins can see when a new update is available, depending on showUpdate it must be set to 'true'
  customHTMLFiles: true # enable to have files placed in /customFiles/templates override the existing template html files
  tessdataDir: /usr/share/tessdata # Path to the directory containing the Tessdata files. This setting is relevant for Windows systems. For Windows users, this path should be adjusted to point to the appropriate directory where the Tessdata files are stored.
  enableAnalytics: false # Set to 'true' to enable analytics, set to 'false' to disable analytics, for enterprise users this is set to true

ui:
  appName: NAME COMPANY # Application's visible name
  homeDescription: NAME COMPANY # Short description or tagline shown on homepage.
  appNameNavbar: NAME COMPANY # Name displayed on the navigation bar

endpoints:
  toRemove: # List endpoints to disable (e.g. ['img-to-pdf', 'remove-pages'])

metrics:
  enabled: true # 'true' to enable Info APIs (/api/*) endpoints, 'false' to disable

# Automatically Generated Settings (Do Not Edit Directly)
AutomaticallyGenerated:
  key: UUID:
```

Frooodle commented 8 hours ago

For testing can you try csrfDisabled to true?
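As an added example (not part of this thread or the Stirling-PDF project), a small Python check over the `security:` section of a settings.yml like the one posted above: it flags the `csrfDisabled: true` test toggle so it is not left in place, an `oauth2` provider whose `clientSecret` is unset, and `autoCreateUser: true` without `blockRegistration`, which lets any account at the identity provider register itself. The parser handles only the indented `key: value # comment` subset that file uses, and the sample input is constructed.

```python
# Added example (not Stirling-PDF project code): audit the `security:` section of
# a settings.yml. A tiny parser handles the indented subset the file uses, so no PyYAML.

def parse_simple_yaml(text):
    """Nested 'key: value' lines -> dicts. Bare 'key:' opens a mapping; '' stays a string."""
    stack = [(-1, {})]                                 # (indent, mapping) from root downwards
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")    # split on the first colon only (URLs keep theirs)
        while stack[-1][0] >= indent:                  # climb back to the parent level
            stack.pop()
        if value.strip() == "":                        # 'google:' or an unset 'clientId:'
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
        else:
            stack[-1][1][key] = value.strip().strip("'\"")
    return stack[0][1]

def audit_security(cfg):
    """Return findings a reviewer would raise before leaving these settings in production."""
    sec, findings = cfg.get("security", {}), []
    if sec.get("csrfDisabled") == "true":
        findings.append("csrfDisabled is true: CSRF protection is off; revert after the test")
    o = sec.get("oauth2", {})
    if o.get("enabled") == "true" and o.get("autoCreateUser") == "true" and o.get("blockRegistration") != "true":
        findings.append("oauth2 autoCreateUser without blockRegistration: any account at the IdP can self-register")
    provider = o.get("provider")
    if o.get("enabled") == "true" and provider and not o.get("client", {}).get(provider, {}).get("clientSecret"):
        findings.append(f"oauth2.client.{provider}.clientSecret is empty")
    return findings

# Constructed excerpt modelled on the posted settings.yml, with csrfDisabled toggled for the test.
SAMPLE = """\
security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: true
  oauth2:
    enabled: true
    client:
      google:
        clientId: # removed before posting
        clientSecret: # removed before posting
    autoCreateUser: true
    blockRegistration: false
    provider: google
"""
```

Running `audit_security(parse_simple_yaml(SAMPLE))` on the sample returns three findings; a file with `csrfDisabled: false`, a filled-in secret and `blockRegistration: true` returns none.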