Attempting to log in only shows the CAS option, resulting in a loop

[csolisr]

Describe the bug

After the latest update of Element / Synapse, the web client only shows the option to log in using CAS, which results in an infinite loop. See also the corresponding bug in the element_ynh repository: https://github.com/YunoHost-Apps/element_ynh/issues/122

Context

• Hardware: Dedicated home server (x86)
• YunoHost version: 11.2.4
• I have access to my server: Through SSH, webadmin, direct access
• Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: yes
  • If yes, please explain: Using a VPS to bridge my home server with the open internet via Wireguard.
• Using, or trying to install package version/branch: 1.92.3

Steps to reproduce

1. Open a web browser and go to the frontend page, e.g. https://chat.example.net
2. If the website requests your YunoHost user name and password, enter them here.
3. Attempt to log in. If the home server is not selected by default, do so.
4. Notice that there is no option to log in using the user name and password, only through the "Continue with CAS" button. Click it.
5. Notice that you have been redirected to the YunoHost dashboard instead, and that a banner appears that reads "Please log in to access to this content". Your account will remain logged in, however.
6. Click on the "Element" panel. Notice that this will return you to the step 4, turning into an infinite loop.

Expected behavior

The browser should be able to correctly redirect the user to the CAS login mechanism.

Logs

From the console log (URL redacted to example.net):

Initialised rageshake. bundle.js:2:3220791
To fix line numbers in Chrome: Meatball menu → Settings → Ignore list → Add /rageshake\.ts & /logger\.ts$ bundle.js:2:3220791
Using Web platform bundle.js:2:3220791
XHRGET
https://chat.example.net/config.chat.example.net.json?cachebuster=1695311184195
[HTTP/1.1 404 Not Found 1539ms]

wasm streaming compile failed: TypeError: WebAssembly: Response has unsupported MIME type 'application/octet-stream' expected 'application/wasm' bundle.js:2:3220791
falling back to ArrayBuffer instantiation bundle.js:2:3220791
Using WebAssembly Olm bundle.js:2:3220791
No bug report endpoint set - logs will not be persisted bundle.js:2:3220791
set language to en-us bundle.js:2:3220791
Application is running in production mode bundle.js:2:3220791
Vector starting at https://chat.example.net/ bundle.js:2:3220791
startUpdater, current version is 1.11.42 bundle.js:2:3220791
Verifying homeserver configuration bundle.js:2:3220791
Config uses a default_server_config - validating object bundle.js:2:3220791
No update available, already on 1.11.42 bundle.js:2:3220791
Using homeserver config: 
Object { hsUrl: "https://example.net", hsName: "example.net", hsNameIsDifferent: false, isUrl: "https://vector.im", isDefault: true, warning: null, isNameResolvable: true, delegatedAuthentication: undefined }
bundle.js:2:3220791
Updating SdkConfig with validated discovery information bundle.js:2:3220791
getSessionLock[8ac0c96e-051b-4202-8ddf-94955c06c7ff] No other session has the lock: proceeding with startup bundle.js:2:3220791
No previous session found. bundle.js:2:3220791
Doing guest login on https://example.net bundle.js:2:3220791
FetchHttpApi: --> POST https://example.net/_matrix/client/v3/register?kind=xxx bundle.js:2:3220791
Resource map error: Error: NetworkError when attempting to fetch resource.
URL of resource: https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js 
URL of resource map: bundle.js.map

XHRPOST
https://example.net/_matrix/client/v3/register?kind=guest
[HTTP/1.1 403 Forbidden 1156ms]

FetchHttpApi: <-- POST https://example.net/_matrix/client/v3/register?kind=xxx [2843ms 403] bundle.js:2:3220791
Failed to register as guest M_UNKNOWN: MatrixError: [403] Guest access is disabled (https://example.net/_matrix/client/v3/register?kind=guest)
    o https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    a https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    c https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    requestOtherUrl https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    request https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    registerRequest https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    registerGuest https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    ie https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js:2
    ie https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js:2
    loadSession https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js:2
    promise callback*loadSession https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js:2
    initSession https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js:2
    Xe https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js:2
    Xe https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js:2
    vo https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    qa https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    Ws https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    Dl https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    Rl https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    Fl https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    vl https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    ml https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    Jl https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    oc https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    El https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    oc https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    render https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    se https://chat.example.net/bundles/d8be154297a8d0221afb/init.js:1
    async* https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    async* https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    l https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    n https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    <anonymous> https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
    <anonymous> https://chat.example.net/bundles/d8be154297a8d0221afb/bundle.js:2
bundle.js:2:3220791
newscreen login 2 bundle.js:2:3220791
Resource map error: Error: NetworkError when attempting to fetch resource.
URL of resource: https://chat.example.net/bundles/d8be154297a8d0221afb/vendors~element-web-app.js 
URL of resource map: vendors~element-web-app.js.map

FetchHttpApi: --> GET https://example.net/_matrix/client/v3/login bundle.js:2:3220791
Resource map error: Error: NetworkError when attempting to fetch resource.
URL of resource: https://chat.example.net/bundles/d8be154297a8d0221afb/init.js 
URL of resource map: init.js.map

FetchHttpApi: <-- GET https://example.net/_matrix/client/v3/login [1152ms 200] bundle.js:2:3220791
Skipping flow 
Object { type: "m.login.token" }
 due to unsupported login type m.login.token bundle.js:2:3220791
Skipping flow 
Object { type: "m.login.application_service" }
 due to unsupported login type m.login.application_service

Also of notice is the fact that the current configuration for CAS in nginx includes the following line:

        # Use the specific path for the php file. It's more secure than global php path
        location /_matrix/cas_server.php {

Which means that the URL that Synapse is expecting would be in the form of https://example.net/_matrix/cas_server.php. However, the newest version of Element expects the CAS to be in the form of https://example.net/_matrix/client/v3/login/sso/redirect/cas - can this be safely edited in nginx?

[Thatoo]

I face the same issue

[tantic]

Same here too I tried to edit my synapse.conf to change the url but it didn't work I apply the setting https://forum.yunohost.org/t/synapse-sign-in-webside-doesnt-work/26472/10 and at least now i can login with username/password

[JoViatrix]

same problem

[zamentur]

Hi, i discovered this package implement the new mechanism for PHP conf:

https://github.com/YunoHost-Apps/synapse_ynh/commit/a83c3438a5587badadb6584a33ade428e87a5ef7

I was able to fix the CAS login by changing /etc/php/7.4/fpm/pool.d/synapse.conf with:

[synapse]

user = matrix-synapse
group = matrix-synapse

chdir = /var/www/synapse

listen = /var/run/php/php7.4-fpm-synapse.sock
listen.owner = www-data
listen.group = www-data

pm = ondemand
pm.max_children = 16
pm.max_requests = 500
request_terminate_timeout = 1d

pm.process_idle_timeout = 10s

; Additional php.ini defines, specific to this pool of workers.

php_admin_value[upload_max_filesize] = 100M
php_admin_value[post_max_size] = 100M

I don't know exactly how to fix that in the package with the new helper...

@ericgaspar

[Thatoo]

it didn't work for me.

[zamentur]

In more you need to change the nginx conf file with /var/run/php/php7.4-fpm-synapse.sock instead of /run/php/php7.4-fpm-synapse.sock

[lapineige]

In more you need to change the nginx conf file with /var/run/php/php7.4-fpm-synapse.sock instead of /run/php/php7.4-fpm-synapse.sock

That's already the case for me, but I have the issue… edit: no, I've mistaken it with the php conf.

[lapineige]

Also my /etc/php/7.4/fpm/pool.d/synapse.conf file is quite different, with different user and chdir used…

[Thatoo]

Thank you @zamentur , with changing /etc/php/7.4/fpm/pool.d/synapse.conf with:

[synapse]

user = matrix-synapse
group = matrix-synapse

chdir = /var/www/synapse

listen = /var/run/php/php7.4-fpm-synapse.sock
listen.owner = www-data
listen.group = www-data

pm = ondemand
pm.max_children = 16
pm.max_requests = 500
request_terminate_timeout = 1d

pm.process_idle_timeout = 10s

; Additional php.ini defines, specific to this pool of workers.

php_admin_value[upload_max_filesize] = 100M
php_admin_value[post_max_size] = 100M

and changing the nginx conf file with /var/run/php/php7.4-fpm-synapse.sock instead of /run/php7.4-fpm-synapse.sock, it works!

[Thatoo]

Changing the nginx file, I could make a PR but for changing the /etc/php/7.4/fpm/pool.d/synapse.conf file, I guess it is related to this command line in the install and upgrade script but I don't know how to modify it : ynh_add_fpm_config --usage=low --footprint=low @Josue-T any idea?

[zamentur]

@Thatoo

About the user

It could be possible to rework this package to rename the system user synapse instead of matrix-synapse . I think matrix-synapse is a legacy name and now it's normalize, the user should be the same than the app id... I don't see specific reasons to keep this old unormalized name.

About the chdir path

The install_dir in this package is the install_dir of synapse (/opt/yunohost/synapse) not the one of the php file to manage CAS (/var/www/synapse) . SO the auto generated php conf doesn't work well. https://github.com/YunoHost/yunohost/blob/465f6da5cd4d716bbcb802dfd742114083034235/helpers/php#L190

Solution 1 : tweek the install dir

SO i suggest this:

old_install_dir=$install_dir
install_dir=/var/www/$app
ynh_add_fpm_config --usage=low --footprint=low
install_dir=$old_install_dir

Solution 2: PR on the core

An other solution could be to suggest a PR on ynh_add_fpm_config to add an install_dir params ynh_add_fpm_config --install_dir=/var/www/$app.

Solution 3: Use the deprecated conf/php-fpm.conf

https://yunohost.org/en/packaging_apps_helpers#ynh-add-fpm-config

But how long this deprecated behaviour will be conserved ?

Personally, i think we should implement the solution 1 or the solution 2 (if synapse package is not the only package with php as a second technology...).

[Bugsbane]

[EDIT] This was fixed by correcting a typo, as outlined in the next comment by Thatoo.

I'm still getting this. I've:

• Updated my synapse.conf
• ...and Synapse's nginx conf
• Commented out the three lines in homeserver.yaml (bind_dn, bind_password, filter)
• Checked that visitors have "Synapse (server access for client apps)" and users "Synapse" permissions.
• Restarted the server

...but I'm still ubable to log in (web or Android app).

I'm quite desperate to fix this quickly, so if there is any info I can provide, or testing I can do to help to get to the bottom of this, I would really appreciate any ideas!

Context

• Hardware: VPS w 8gig ram
• YunoHost version: 11.2.5
• I have access to my server: Through SSH, webadmin
• Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: No
• Using, or trying to install package version/branch: 1.92.3~ynh1

[Thatoo]

@Bugsbane you have a mistake in your nginx file. You wrote fastcgi_pass unix:/var/run/php7.4-fpm-synapse.sock; instead of fastcgi_pass unix:/var/run/php/php7.4-fpm-synapse.sock; You missed a /php/

[Bugsbane]

@Thatoo You are totally correct! After fixing that IT WORKS! Thank you (and everyone who worked on this) so very, very much!

[lapineige]

So this should be pushed in a PR to fix the issue, right ?

[lapineige]

In more you need to change the nginx conf file with /var/run/php/php7.4-fpm-synapse.sock instead of /run/php/php7.4-fpm-synapse.sock

Can you specify which file and line should be changed ? I can't find out.

And after that, matrix + nginx + php service reloads ?

[lapineige]

@Bugsbane you have a mistake in your nginx file. You wrote fastcgi_pass unix:/var/run/php7.4-fpm-synapse.sock; instead of fastcgi_pass unix:/var/run/php/php7.4-fpm-synapse.sock; You missed a /php/

Ok then same typo here… but now I have "File not found" when connecting to CAS… :(

…

Wait, I need to reload php too. It works !

[supermamie]

Just a tip if someone needs it : the synapse.conf crash php if you try to add comments in it (I tried with # and it failed).

And just to simplify even more (without pasting the content of the files, already here), here are the paths and commands to run to restart :

vim /etc/php/7.4/fpm/pool.d/synapse.conf
vim /etc/nginx/conf.d/YOURSERVER.LTD.d/synapse.conf
yunohost restart nginx
yunohost restart matrix-synapse
yunohost restart php7.4-fpm
yunohost status nginx
yunohost status matrix-synapse
yunohost status php7.4-fpm

[Thatoo]

To comment on this file, it is not with # but with ;

Waiting for yunohost's devs to comment on https://github.com/YunoHost/issues/issues/2267, the solution 2, I'll make a PR with the other solution, the solution 1.

[nicofrand]

And just to simplify even more (without pasting the content of the files, already here), here are the paths and commands to run to restart :

I think you meant:

vim /etc/php/7.4/fpm/pool.d/synapse.conf
vim /etc/nginx/conf.d/YOURSERVER.LTD.d/synapse.conf
yunohost service restart nginx matrix-synapse php7.4-fpm
yunohost service status nginx matrix-synapse php7.4-fpm

[nicofrand]

Could anyone tell me if homeserver.yml still needs to be edited to enable password login with the modifications above? Somehow I though we did not but the login still fails after editing /etc/php/7.4/fpm/pool.d/synapse.conf and /etc/nginx/conf.d/YOURSERVER.LTD.d/synapse.conf…

[orhtej2]

IMO password logins were broken by #356 (disallowing registrations disables password logins). WDYT @Gredin67 ?

[nicofrand]

IMO password logins were broken by #356 (disallowing registrations disables password logins). WDYT @Gredin67 ?

At least the config script does not edit anything regarding the password logins, even though the config_panel.toml defines it…

[Bugsbane]

This problem just came back with a recent update. I went back in and re-edited /etc/php/7.4/fpm/pool.d/synapse.conf to match exactly what's listed in comment https://github.com/YunoHost-Apps/synapse_ynh/issues/412#issuecomment-1752042499 (and checked with diff). I completely restarted the server, but the same issue continues. Has something changed recently, like which version of php is being used for synapse_ynh?

For the record, I do have registrations disallowed, so I'm wondering if it could also be related to the potential bug mentioned above by @orhtej2 ( https://github.com/YunoHost-Apps/synapse_ynh/pull/356 - disallowing registrations also disallows password login).

[croulibri]

I am facing the same issue (and I also have registrations disallowed) and so I can't connect new client to my Synapse server 🙁 I am available to make some testing of new solutions (without breaking my server of course...)

Thanks in advance for the dev' for their advices 🤗

[Thatoo]

The solution is on the way : https://github.com/YunoHost-Apps/synapse_ynh/pull/426 Please let's give some time to Josue-T to finish his PR and merge it into testing. Then, anyone who will want to give it a try will be welcome before it comes into normal updates.

[croulibri]

Thanks for your feedback @Thatoo I know the huge work of @Josue-T to propose the Synapse packaging for Yunohost and to maintain it so well since 2018 (I am among the ones that benefit from it from the beginning).

I understand know the issue is being worked on, I'll be patient :wink:

[Bugsbane]

After an update a while ago, this issue seems to have been fixed for me. Does this issue still need to be open, or is anyone else still getting this after updating and restarting their server?

[OniriCorpe]

yes, I still have this bug on v1.98.0~ynh1, maybe as https://github.com/YunoHost-Apps/synapse_ynh/issues/412#issuecomment-1793741544 (I never fixed it manually, btw)

[OniriCorpe]

poke @Josue-T

[eauchat]

I'm having a similar issue, wondering if it's related. When I try to log in, I have to go through CAS/SSO but then in the process I'm redirected towards: https://synapsedomain.tld/_matrix/cas_server.php/login?service=https%3A%2F%2Fsynapsedomain.tld%2F_matrix%2Fclient%2Fr0%2Flogin%2Fcas%2Fticket%3FredirectUrl%3Dhttps%253A%252F%252Felementdomain.tld%252F which shows me a white File not found page. The same happen if I try to connect through an app like synapseadmin. This happens since I upgraded synapse, before I used to have the same sign-in loop that others described in this thread.

[OniriCorpe]

a temporary workaround can be to activate the password connection: yunohost app config set synapse main.welcome.password_enabled -v true

[csolisr]

In related news - is there a reason why this package is still stuck with PHP 7 instead of bumping it up to 8? From what I see, the only dependency is cas_server.php and I would like to know if there's any incompatibility on the file that prevents this package from being upgraded.

[croulibri]

a temporary workaround can be to activate the password connection: yunohost app config set synapse main.welcome.password_enabled -v true

I had to reinstall my server recently, including Synapse ( 1.98.0~ynh1) When I try to connect with element, it is still impossible even with the command above :-(

[professornope]

I am also getting this on a recently updated server as well to version 1.98.0~ynh1. I would normally be able to change this, but none of the fixes mentioned seem to work anymore.

The command to enable password logins does not do anything and same with the UI button in the applications settings.

I get this when trying the command listed above.

root@login:/home/admin# yunohost app config set synapse main.welcome.password_enabled -v false
Info: [+++++...............] > Reading config panel description and current configuration...
Info: [#####+++++..........] > Checking what changed in the new configuration...
Info: Nothing has changed
Info: Reloading services...
Success! The service 'matrix-synapse' was reloaded or restarted
Success! Config updated as expected
root@login:/home/admin# yunohost app config set synapse main.welcome.password_enabled -v true
Info: [+++++...............] > Reading config panel description and current configuration...
Info: [#####+++++..........] > Checking what changed in the new configuration...
Info: Nothing has changed
Info: Reloading services...
Success! The service 'matrix-synapse' was reloaded or restarted
Success! Config updated as expected

[Josue-T]

Fixed by #426

[Thatoo]

@Josue-T your merged #426 in testing the 08/03/2024 and testing into master the 16/04/2024 so I was expecting not to face this issue after updating synapse to v 1.104.0~ynh1 yesterday evening. Unfortunatly, I face exactly the same thing. And I found the same "error" as before :

sudo cat  /etc/php/7.4/fpm/pool.d/synapse.conf

[synapse]

user = synapse
group = synapse

chdir = /var/www/synapse

listen = /var/run/php/php7.4-fpm-synapse.sock
listen.owner = www-data
listen.group = www-data

pm = ondemand
pm.max_children = 12
pm.max_requests = 500
request_terminate_timeout = 1d

pm.process_idle_timeout = 10s

; Additional php.ini defines, specific to this pool of workers.

php_admin_value[upload_max_filesize] = 100M
php_admin_value[post_max_size] = 100M

and

sudo cat /etc/nginx/conf.d/matrix.hamdel.in.d/synapse.conf
rewrite ^$ /;
location ~ ^/$ {
  default_type text/plain;
  return 200 "This is where Synapse is installed.";
}

location /_matrix/ {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 10M;
}

# Use the specific path for the php file. It's more secure than global php path
location /_matrix/cas_server.php/ {
        alias /var/www/synapse/;
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_pass unix:/run/php/php7.4-fpm-synapse.sock;
        include fastcgi_params;
        fastcgi_param REMOTE_USER $remote_user;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME cas_server.php;
}

location /_synapse/ {
        proxy_pass http://localhost:8008;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;

        client_max_body_size 10M;
}

Should I try the same solution as before https://github.com/YunoHost-Apps/synapse_ynh/issues/412#issuecomment-1757355451 ?

[Thatoo]

Well changing

user = synapse
group = synapse

to

user = matrix-synapse
group = matrix-synapse

in /etc/php/7.4/fpm/pool.d/synapse.conf isn't a good idea anymore, it makes fpm not working.

Changing fastcgi_pass unix:/run/php/php7.4-fpm-synapse.sock; to fastcgi_pass unix:/var/run/php/php7.4-fpm-synapse.sock;

doesn't help neither.

[Thatoo]

Well it actually works for old account. The problem comes only when a new account wants to connect for the first time. It looks more related to registration issue. I open a new issue then.

[Josue-T]

Well there was many modification since this issue was created. So the solution won't probably be the same solution than what it was suggested here. Thanks to create a new specific issue here: https://github.com/YunoHost-Apps/synapse_ynh/issues/453