🐛 [mealie] Addon OIDC redirects no longer work in 2.2.0

[BlackHoleFox]

Description

Hiyo o/. I tried updating from 2.1.0 to 2.2.0 tonight but something changed in the addon's internal NGINX configuration that broke my OIDC setup, which was relies on a dedicated NGINX addon to route traffic. This resulted in one of two behaviors:

• If I direct traffic to http://mealie:9000 then I get a broken webpage. Something changed that causes NGINX to return the same HTML file for every request, even for the .js files, so nothing loads.
  • There are several Uncaught SyntaxError: expected expression, got '<' errors in the console and all network requests just return the same index.html.
  • This was my existing config, which I think changed to talk to the Mealie server directly instead of the addon's internal NGINX (therefore busting it).
• If I direct traffic to http://mealie:9001, the addon's new official port, then redirect URIs completely break. This looks to have been caused by the additions made in the #Improve ip handling sections that rewrite headers. From what I see, these are breaking my own header configurations. The end result is that the Mealie server sees all requests with a source of localhost:9000 instead of mealie.my.domain, so it then constructs a broken OIDC callback redirect_url that is rejected.

This is my dedicated NGINX addon header config for reference. Their purpose is to make Mealie see requests come from my domain and not any localhost.

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;

In theory a new configuration flag to turn off all of the newly added proxy header and path filtering configuration would fix the problem.

Reproduction steps

These steps are a little bit complicated, sorry. Happy to test out any beta fixes or work with you to debug this further with my setup as a result.

1. Configure an OIDC provider somewhere.
2. Configure the mealie addon 2.2.0 to use OIDC for signing in.
3. Configure an external NGINX server to be the ingress for both mealie and OIDC. The important one for Mealie should look like this:

server {
    listen 443 ssl;
    http2 on;
    server_name mealie.your.domain;

    ssl_certificate ....;
    ssl_certificate_key ....;

    client_max_body_size 0;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;

        proxy_pass http://db21ed7f-mealie:9001;
    }
}

4. Start the mealie addon
5. Open mealie.your.domain and click the OIDC signin button.
6. See that it breaks with an "unknown redirect_url" error in mealie, your browser console, the OIDC provider's logs, etc. Inside the redirect URL, you'll see localhost:9000 where you expect a real domain:

   https://auth.your.domain/api/oidc/authorization?response_type=code&client_id=rand&redirect_uri=http%3A%2F%2Flocalhost%3A9000%2Flogin&scope=openid+email+profile+groups&state=

Addon Logs

No error logs appear in the addon logs because the OIDC state redirect is sent from Mealie to the browser client. Mealie generated a bad `redirect_url` but that's not an error to create.

Architecture

amd64

OS

HAos