SymfonyCasts / verify-email-bundle

Simple, stylish Email Verification for Symfony
https://symfonycasts.com
MIT License

Verifying mail signature failed on prod #149

Open fschasse opened 9 months ago

fschasse commented 9 months ago

Hey,

Thank you for verify-email-bundle. I have a problem with the mail signature online.

I've used this tutorial to set up the bundle: https://symfonycasts.com/screencast/symfony-security/verify-email

Everything works locally (127.0.0.1): the mail link is valid. When I try to use it in prod (online), I get a message: The link is invalid.

This is a link example on prod : https://www.chasseprecision.com/user/verify/email?expires=1700923576&id=37&signature=KooiveHUhpnzAPZN4VciLsoPeiKswPJuA2rly3gBNAQ%3D&token=qFp07VBkjvF0gkKZ%2B%2F30yCTaw8rSxjPjyMcSs0Txe2E%3D

Is there a special config for prod? How can I verify the right signature? (with a log to compare the link sent in the mail)

Thank you

Vastuney commented 6 months ago

It's the same with me: on local, dev and prod work flawlessly, while on the target domain (prod) a message pops up saying that the link is invalid.

jrushlow commented 4 months ago

Howdy, I'm working out tests related to this now over in maker-bundle. But, I'm not able to reproduce the error. VerifyEmailBundle should just work regardless of the environment.

The only thing that I can think of is http vs https - e.g. if verify-email signs http://example.com but the user is redirected to https://example.com - validation will fail because the resulting hmac will be different from those 2 strings. I'm not sure this is the actual problem but I have a feeling it's something to do with the domain / URL that's generated vs what the user is actually "clicking" in the email + redirects.

An app that reproduces this error between the different environments would help.

Ciolfire commented 2 months ago

Hello @jrushlow,

I think I have found the origin of this "bug".

Here is what I had in local:

+query: [Symfony\Component\HttpFoundation\InputBag](file:///var/www/darkness/vendor/symfony/http-foundation/InputBag.php#L22) {#15 ▼
    #parameters: array:4 [▼
      "expires" => "1719306424"
[...]
+server: [Symfony\Component\HttpFoundation\ServerBag](file:///var/www/darkness/vendor/symfony/http-foundation/ServerBag.php#L21) {#21 ▼
    #parameters: array:63 [▼
"QUERY_STRING" =>"expires=1719306424&id=20&signature=pLXcJULHxNVDW1oFbk0tGPcD0x4aIp1lSxhokvaZUSs%3D&token=Ak35INUSPMafNHDsb7hopf5ydU63wEFSOOb3O%2F4kKoU%3D%20%E2%97%80"

And in prod:

 +query: Symfony\Component\HttpFoundation\InputBag {#13 ▼
    #parameters: array:4 [▼
      "?expires" => "1719307683"
[...]
+server: Symfony\Component\HttpFoundation\ServerBag {#19 ▼
    #parameters: array:48 [▼
      "QUERY_STRING" => "?expires=1719307683&id=114&signature=RrIAKR1ksZDfdw5xkxRzsaXt6ysR0X%2BRMF90PlLiQ6I%3D&token=ouC9VsTjJeZ5NO03TK%2BO9nm28nrZiiWE1nugVy%2FXzgE%3D"

Notice that the question mark is parsed as being a part of the query string. I had a guess that the server was not configured correctly, so I checked the conf file and found the following:

try_files $uri /index.php$is_args?$args;

Removing the question mark fixed the issue.

Cheers!
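
A minimal model of the two failure modes raised in this thread (a scheme mismatch and a stray `?` in `QUERY_STRING`), added here as an illustration; it is not the bundle's code or any commenter's. The signing format (HMAC-SHA256 over the full URL with sorted parameters), the secret, host, path and token are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Constructed secret; a real application would use its own configured secret.
const SECRET = 'constructed-demo-secret';

/** Sign scheme://host/path?sorted-query with HMAC-SHA256 (assumed format). */
function signUrl(string $scheme, string $host, string $path, array $params): string
{
    ksort($params);
    $url = sprintf('%s://%s%s?%s', $scheme, $host, $path, http_build_query($params));
    return base64_encode(hash_hmac('sha256', $url, SECRET, true));
}

/** Rebuild the URL from what the application received and compare signatures. */
function verifyRequest(string $scheme, string $host, string $path, string $queryString): array
{
    parse_str($queryString, $params);   // how PHP turns QUERY_STRING into parameters
    $given = (string) ($params['signature'] ?? '');
    unset($params['signature']);
    $valid = hash_equals(signUrl($scheme, $host, $path, $params), $given);
    // A parameter name starting with "?" means the web server forwarded an
    // extra "?" in front of the query string, as in the prod dump above.
    $suspect = array_values(array_filter(
        array_keys($params),
        fn ($key) => str_starts_with((string) $key, '?')
    ));
    return ['valid' => $valid, 'suspect_keys' => $suspect];
}

// Constructed link parameters, shaped like the ones in this thread.
$params = ['expires' => '1719307683', 'id' => '114', 'token' => 'constructed-token'];
$signature = signUrl('https', 'example.com', '/verify/email', $params);
$mailedQuery = http_build_query($params + ['signature' => $signature]);

$cases = [
    'as mailed'               => ['https', $mailedQuery],
    'http instead of https'   => ['http', $mailedQuery],
    'stray "?" in the query'  => ['https', '?' . $mailedQuery],
];
foreach ($cases as $label => [$scheme, $query]) {
    $result = verifyRequest($scheme, 'example.com', '/verify/email', $query);
    printf("%-24s valid=%s suspect_keys=%s\n", $label,
        var_export($result['valid'], true), json_encode($result['suspect_keys']));
}
```

Only the first case verifies. Logging the scheme, host and raw `QUERY_STRING` the application receives next to the URL that was mailed gives the comparison asked for in the opening post.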

wlcdesigns commented 1 month ago

This isn't working for me in production either. I'm on Symfony 7.1.2 using "symfonycasts/verify-email-bundle": "^1.17.0".