ViewTube / viewtube

▶️ ViewTube: The open source, privacy-conscious way to enjoy your favorite YouTube content. Docs: https://viewtube.wiki, Status: https://uptime.viewtube.io
https://viewtube.io
GNU Affero General Public License v3.0

401 on 50% of requests (first occurred with import on multiple) #1492

Closed blackandcold closed 2 years ago

blackandcold commented 2 years ago

Describe the Bug

After setup with Docker and FQDN, import of OPML does not work for the /multiple endpoint (401 Unauthorized). Importing a single one, then adding the rest in bulk, works.

Steps to Reproduce the Bug

  1. Install 0.9 fresh with Docker, FQDN, cookie and token
  2. Create account
  3. Try to import OPML XML with subs (in my case 72)
  4. See the error 401 (network console) and endless loading screen

Expected Behaviour

Import works after first login for OPML

Screenshot/Screen recording

none

Device Info

Additional Context

Vivaldi | 5.3.2679.70 (Stable channel) (x86_64) macOS Version 11.6.8 (Build 20G730)
JavaScript | V8 10.2.154.15
User-Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.167 Safari/537.36

Server: Manjaro Linux latest 5.8.2022, Docker Compose setup of ViewTube

No log output produced (docker logs ID) on the ViewTube container

blackandcold commented 2 years ago

Endpoint in question: https://github.com/ViewTube/viewtube-vue/blob/development/server/src/user/subscriptions/subscriptions.controller.ts#L99

AuthGuard JWT - if I had seen that earlier I could have looked at whether the token was set in the Auth header. How does the guard work? Where do I find the protected route definitions?

I could help with this, despite being a backend pro ;D

blackandcold commented 2 years ago

New discovery: login is not persisting.

So the new guess is that it has something to do with the Apache reverse proxy not passing some values

blackandcold commented 2 years ago

OK, the proxy seems fine since it works every 2-3 tries. Popular page is empty, user is "logged out" despite passing the JWT

Sample failed RQ:

Request Method: GET
Status Code: 401 Unauthorized
Remote Address: xxx:443
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-credentials: true
access-control-allow-origin: /^viewtube\.io|\.viewtube\.io$/
Connection: Keep-Alive
content-length: 43
Content-Security-Policy: default-src 'self' blob: https://sponsor.ajay.app https://*.googlevideo.com;script-src 'self' blob: https: 'unsafe-eval' https: 'unsafe-inline';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
content-type: application/json; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Tue, 09 Aug 2022 15:57:18 GMT
Expect-CT: max-age=0
Keep-Alive: timeout=5, max=92
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Server: Apache/2.4.54 (Unix) OpenSSL/1.1.1q PHP/7.4.30
Strict-Transport-Security: max-age=15552000; includeSubDomains
vary: Origin
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
x-ratelimit-limit: 1000
x-ratelimit-remaining: 999
x-ratelimit-reset: 0
X-XSS-Protection: 0
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: Authentication=xx.xxx.xx
Host: viewtube.xxx.xxx
Referer: https://viewtube.xxx.xxx/
sec-ch-ua: "Chromium";v="102", " Not A;Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/

Server-side Apache log not showing any problem

192.168.50.1 - - [09/Aug/2022:17:57:16 +0200] "GET /icon-192.png HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:16 +0200] "GET /icon-192.png HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:16 +0200] "GET /favicon.ico HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /sw.js HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /notifications-sw.js HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /icon-192.png HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "POST /api/user/history/1xtFCq9aVP4 HTTP/1.1" 401 43
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /api/user/subscriptions/videos?limit=4 HTTP/1.1" 401 43
192.168.50.1 - - [09/Aug/2022:17:57:30 +0200] "GET /api/homepage/popular HTTP/1.1" 200 30
192.168.50.1 - - [09/Aug/2022:17:58:00 +0200] "GET /api/homepage/popular HTTP/1.1" 200 30

blackandcold commented 2 years ago

Two reloads work, then two don't work, then two again work.

Is it possible that some workers do not know the session or security context?

blackandcold commented 2 years ago

Never mind, only in 0.9 - the dev tag seems not to mirror this problem!

blackandcold commented 2 years ago

Still occurring, just not that much on the main view

blackandcold commented 2 years ago

Can't replay the behaviour today... broken cookies? Will look out for it and debug if I can recreate it.

Svenito commented 2 years ago

I am seeing this with a fresh 0.9.1 install as well. Oftentimes I will be logged out on a page load and a refresh logs me back in. Also see 401 errors in the console at times. Using a FQDN, Caddy proxy, Docker Compose setup.

I am using a YT cookie but not the ID.

blackandcold commented 2 years ago

I did not find out why but it seems to me that there are multiple workers who are not aware of the same session.