Closed blackandcold closed 2 years ago
Endpoint in question: https://github.com/ViewTube/viewtube-vue/blob/development/server/src/user/subscriptions/subscriptions.controller.ts#L99
AuthGuard JWT - if I saw that earlier I could have looked if the token was set in the Auth header. How does the guard work? Where do I find the protected route definitions?
I could help with this, despite being backend pro ;D
New discovery: login is not persisting.
So new guess is that it has something to do with the Apache reverse proxy not passing some values
Ok proxy seems fine since it works every 2-3 tries. Popular page is empty, user is "logged out" despite passing the JWT
Sample failed RQ:
Request Method: GET
Status Code: 401 Unauthorized
Remote Address: xxx:443
Referrer Policy: strict-origin-when-cross-origin
access-control-allow-credentials: true
access-control-allow-origin: /^viewtube\.io|\.viewtube\.io$/
Connection: Keep-Alive
content-length: 43
Content-Security-Policy: default-src 'self' blob: https://sponsor.ajay.app https://*.googlevideo.com;script-src 'self' blob: https: 'unsafe-eval' https: 'unsafe-inline';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
content-type: application/json; charset=utf-8
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Date: Tue, 09 Aug 2022 15:57:18 GMT
Expect-CT: max-age=0
Keep-Alive: timeout=5, max=92
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Server: Apache/2.4.54 (Unix) OpenSSL/1.1.1q PHP/7.4.30
Strict-Transport-Security: max-age=15552000; includeSubDomains
vary: Origin
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
x-ratelimit-limit: 1000
x-ratelimit-remaining: 999
x-ratelimit-reset: 0
X-XSS-Protection: 0
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Cookie: Authentication=xx.xxx.xx
Host: viewtube.xxx.xxx
Referer: https://viewtube.xxx.xxx/
sec-ch-ua: "Chromium";v="102", " Not A;Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/
Serverside Apache log not saying any problem
192.168.50.1 - - [09/Aug/2022:17:57:16 +0200] "GET /icon-192.png HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:16 +0200] "GET /icon-192.png HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:16 +0200] "GET /favicon.ico HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /sw.js HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /notifications-sw.js HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /icon-192.png HTTP/1.1" 304 -
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "POST /api/user/history/1xtFCq9aVP4 HTTP/1.1" 401 43
192.168.50.1 - - [09/Aug/2022:17:57:18 +0200] "GET /api/user/subscriptions/videos?limit=4 HTTP/1.1" 401 43
192.168.50.1 - - [09/Aug/2022:17:57:30 +0200] "GET /api/homepage/popular HTTP/1.1" 200 30
192.168.50.1 - - [09/Aug/2022:17:58:00 +0200] "GET /api/homepage/popular HTTP/1.1" 200 30
two reloads work, then two don't work, then two again work.
Is it possible that some workers do not know the session or security context?
nevermind, only in 0.9 - dev tag seems to not mirror this problem!
still occurring, just not that much on main view
can't replay the behavior today... broken cookies? Will look out for it and debug if I can recreate it.
I am seeing this with a fresh 0.9.1 install as well. Oftentimes I will be logged out on a page load and a refresh logs me back in. Also see 401 errors in the console at times. Using a FQDN, Caddy proxy, docker compose setup.
I am using a YT cookie but not the ID.
I did not find out why but it seems to me that there are multiple workers who are not aware of the same session.
Describe the Bug
After setup with docker and FQDN, import of OPML does not work for /multiple endpoint (401 - unauth). Importing a single one, then adding the rest in bulk works.
Steps to Reproduce the Bug
Expected Behaviour
Import works after first login for OPML
Screenshot/Screen recording
none
Device Info
Additional Context
Vivaldi | 5.3.2679.70 (Stable channel) (x86_64)
macOS Version 11.6.8 (Build 20G730)
JavaScript | V8 10.2.154.15
User-Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.167 Safari/537.36
Server: Manjaro Linux latest 5.8.2022, Docker compose setup of ViewTube
No log output produced (docker logs ID) on ViewTube container
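The hypothesis raised in the thread (workers that do not share the same session or security context) can be reproduced in isolation. The following is an added example, not ViewTube code and not a confirmed root cause: it assumes two hypothetical workers behind a round-robin balancer that each verify HS256 JWTs with their own secret, and compares that with a single shared secret. All names and the user id are constructed.

```javascript
// Added illustration (not ViewTube code): every name below is hypothetical.
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Minimal HS256 JWT signing, enough to show the dependency on the key.
function sign(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const mac = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(mac)}`;
}

// Returns the HTTP status a JWT guard would produce for this token.
function guardStatus(token, secret) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 401;
  const [head, body, sig] = parts;
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  const ok = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  return ok ? 200 : 401;
}

// Simulate `requests` calls dispatched round-robin over the workers.
// The login (token issuance) always lands on worker 0.
function simulate(workerSecrets, requests) {
  const token = sign({ sub: 'constructed-user' }, workerSecrets[0]);
  const statuses = [];
  for (let i = 0; i < requests; i++) {
    statuses.push(guardStatus(token, workerSecrets[i % workerSecrets.length]));
  }
  return statuses;
}

// Assumed misconfiguration: each worker generated its own secret at startup.
const perWorker = [crypto.randomBytes(32), crypto.randomBytes(32)];
// Corrected: one secret loaded from shared configuration by all workers.
const shared = crypto.randomBytes(32);

console.log('per-worker secrets:', simulate(perWorker, 6).join(' '));
console.log('shared secret:     ', simulate([shared, shared], 6).join(' '));
```

With per-worker secrets the same valid cookie alternates between 200 and 401 depending on which worker answers, and the proxy log shows nothing wrong because it only relays the backend's status.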