astubenbord / paperless-mobile

An (almost) fully fledged mobile paperless client.
GNU General Public License v3.0

App login error 302 #240

Open czwama opened 1 year ago

czwama commented 1 year ago

I am using paperless in combination with authelia. When logging into the app I am getting error 302, as it does not seem to support the redirect. Are there plans to include this?

JigSawFr commented 1 year ago

You must exclude the API endpoint from your proxy.

czwama commented 1 year ago

Thanks for your suggestion, the URL I use does not include /api, however there is a redirect required to authelia to authenticate and this seems to be the issue. I see there is an issue 229, for which you are planning to release changes, perhaps this will also fix my issue.

JigSawFr commented 1 year ago

In fact I exclude the /api endpoint of paperless in traefik, so when the app calls /api, it's working as expected. Even if you use authelia, the api is still protected with login ;)

pedrom34 commented 1 year ago

Hey,

I'm facing the same "issue" I guess. I protect paperless with authelia, so I cannot use paperless mobile without deactivating authelia.

And I want to thank @JigSawFr 👍 , here's my new (working) nginx rp conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name paperless.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    #GeoBlock
    if ($geo-blacklist = no) { return 404; }

    #Authelia
    include /config/nginx/authelia-server.conf;

    location / {
        #Authelia
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.0.11;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.0.11;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

czwama commented 1 year ago

Thanks all for your inputs. I excluded the api now and I can use the mobile app. However, this means that now the normal user login is protected by 2FA, but one can still get to the data using the api backdoor that is not protected by 2fa. So this is not really a solution for me.

For now I will take it out of Authelia and use the mobile app only locally, or over VPN.

The app is great by the way! Love it very much.
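
The trade-off described in this post (2FA in front of the web UI, username/password only in front of /api) is easy to verify on your own deployment. The following Python probe is an added example for this thread, not code from paperless-mobile, Paperless or Authelia: it requests a few paths without credentials and reports whether each one is answered by a redirect to the SSO portal or reaches the application directly. Host names are assumptions; `/api/token/` and `/api/documents/` are Paperless endpoints, `/` is the web UI. The `fetch` argument is injectable so the classification can be exercised offline against constructed responses.

```python
"""Probe which paths of a reverse-proxied Paperless instance sit behind the
forward-auth (SSO/2FA) layer and which only rely on the app's own login.

Added example for this thread; not part of paperless-mobile, Paperless or
Authelia. Host names are assumptions.
"""
from urllib import error, request
from urllib.parse import urlparse

DEFAULT_PATHS = ("/", "/api/documents/", "/api/token/")


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def classify(status, headers, sso_host="auth.example.com"):
    """Turn one unauthenticated response into a verdict.

    "sso"       3xx whose Location points at the SSO portal: forward auth fired
    "app-only"  401/403/405: the request reached Paperless and only its own
                credential check stands in the way (no second factor)
    "open"      2xx: anonymous access, something is badly misconfigured
    "other"     anything else (the app's own login redirect, 5xx, ...)
    """
    if status in (301, 302, 303, 307, 308):
        target = urlparse(_header(headers, "Location")).hostname
        return "sso" if target == sso_host else "other"
    if status in (401, 403, 405):
        return "app-only"
    if 200 <= status < 300:
        return "open"
    return "other"


class _NoRedirect(request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_get(url):
    """GET without credentials; returns (status, headers) even for error codes."""
    opener = request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except error.HTTPError as exc:
        return exc.code, dict(exc.headers.items())


def audit(base_url, paths=DEFAULT_PATHS, sso_host="auth.example.com", fetch=http_get):
    """Probe each path and map it to a verdict; `fetch` is injectable for offline use."""
    base = base_url.rstrip("/")
    return {p: classify(*fetch(base + p), sso_host=sso_host) for p in paths}


def not_behind_sso(results):
    """Paths the SSO layer does not cover, i.e. reachable with username/password alone."""
    return [p for p, verdict in results.items() if verdict != "sso"]


def constructed_api_excluded(url):
    """Offline stand-in for the '/api excluded from Authelia' setup in this
    thread: constructed responses, no network."""
    if "/api/" in url:
        return 401, {"WWW-Authenticate": 'Token realm="api"'}
    return 302, {"Location": "https://auth.example.com/?rd=" + url}


if __name__ == "__main__":
    # Swap in fetch=http_get and your own base URL to probe a real deployment.
    results = audit("https://paperless.example.com", fetch=constructed_api_excluded)
    for path, verdict in results.items():
        print(f"{path:20} {verdict}")
    print("not covered by SSO/2FA:", not_behind_sso(results))
```

With the `location /api` exclusion from the nginx config above, the probe reports `/` as `sso` and both API paths as `app-only`, which is exactly the gap this post is about; with nothing excluded every path should come back as `sso`.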

astubenbord commented 1 year ago

Since Authelia seems to be frequently used in combination with paperless/self hosted applications, I'd like to support it out of the box. Could someone set up a demo instance I can connect to to debug the issue? Feel free to mail me the server address and credentials (of a test user for instance) to paperless-mobile@protonmail.com

Thanks :)

pedrom34 commented 1 year ago

That would be so great 🎉 I cannot set that up at the moment. I hope someone will give you a demo instance quickly. If not, I'll try to do it.

czwama commented 1 year ago

Hi Anton,

I set up a test environment and sent you the details in the mail

Regards,

Cees

astubenbord commented 1 year ago

Hi @czwama, thanks for providing a sandbox! I did some testing but couldn't find a way to "connect" the redirects from Authelia to the app.

As far as I understood it, the workflow looks as follows:

  1. Issue POST request to https://paperless.mydomain.com/api/token/
  2. Proxy redirects to GET https://authelia.mydomain.com/?rd=https%3A%2F%2Fpaperless.mydomain.com%2Fapi%2Ftoken%2F
  3. Authelia checks "authelia" cookie, which is not set
  4. Proxy redirects to Authelia's authentication form (webview)
  5. User logs in
  6. Authelia sets cookie "authelia=some_session_id"
  7. Authelia redirects to original url https://paperless.mydomain.com/api/token/
  8. Client has cookie set, request again redirected to authelia, but now valid request, therefore again redirected to original url.

I'm not entirely sure about the last steps: What configuration is necessary for paperless? Does paperless behind Authelia always use HTTP_REMOTE_USER? Maybe someone with more insight into Authelia could help me figure out how this could be achieved, because I currently don't see a way to add this natively unfortunately. There seems to be no way for me to get the cookie from within the app, therefore you may have to disable authelia for the /api endpoints as suggested by @JigSawFr.

If anyone might know how this could be achieved, I'd be more than happy to implement this.

Cheers

czwama commented 1 year ago

Hi Anton, thanks for looking into this, I think what is needed is for the app to follow the redirect and get the api token, but I am not an expert in this area. I was not comfortable leaving the api bypassed as it would allow people to access the data without 2fa authentication. Perhaps someone with more expertise in this area could help here.

thake commented 1 year ago

It would also be great to support other authentication providers like Cloudflare zero trust. Cloudflare kind of works similarly to Authelia.

Cloudflare checks the cookies that are sent with the request. If no authentication cookie exists, a redirect to the login page will be made. After a successful login, the client receives the authentication cookie. The client can now use the authentication cookie in every request to the paperless API. Cloudflare will verify the authentication cookie and transparently forward the requests with a valid cookie.

@astubenbord, if it helps you, I can provide you with a paperless demo installation that is secured with Cloudflare zero trust.

TehNomad commented 9 months ago

Here's my config to bypass Authelia for the Paperless API in Caddy:

        @paperless host paperless.example.com
        handle @paperless {
                handle /api/* {
                        reverse_proxy {{Paperless IP}}:{{Paperless port}}
                }
                handle * {
                        forward_auth {{Authelia IP}}:{{Authelia port}} {
                                uri /api/verify?rd=https://auth.example.com/
                                copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                                import trusted_proxy_list
                        }
                        reverse_proxy {{Paperless IP}}:{{Paperless port}} {
                                import trusted_proxy_list
                        }
                        encode zstd gzip
                        request_body {
                                max_size 10MB
                        }
                }
        }

Slyke commented 5 months ago

@astubenbord The guy who wrote Authelia is actually very helpful. He helped me set it up for the first time a few years back over Discord. Could also create a discussion/issue on their github requesting some API token implementation to bypass 2fa and get a long life, revokable JWT or something. Authelia by default logs you out after a week (but this can be changed). Ideally the long lived JWT would just be for Paperless. Another alternative would be Oauth2, which they are actively working on (The Paperless app would essentially open a browser, have you login to Authelia with your usual stuff, then get the oauth2 tokens that the Paperless app would use).

I also just tried to set up Paperless Mobile with Authelia, but it failed due to having 2FA enabled, searched around and found this thread.

Slyke commented 5 months ago

Actually in the interim, would it be possible to put a custom cookie or header in the app for all API calls somewhere? Nginx could be configured to allow the requests through if the cookie or header is set, essentially acting as a pre-shared secret.

Tom2Evolve commented 1 month ago

May I ask if there is an update on login with 2FA from authelia? - Thank you!!

janwidmer commented 1 week ago

I would also be interested if there is any update on this?