search

go-vikunja / vikunja

Mirror of vikunja from https://code.vikunja.io/api
GNU Affero General Public License v3.0
930 stars 63 forks source link

Can no longer log in #111

Closed ozuzo closed 8 months ago

ozuzo commented 8 months ago

Description

Updated our 0.22 version to 0.22.1, to check out the fix for the subprojects not always being correctly displayed in the menu on the left. After updating I no longer seem to be able to login using (previously working) credentials stored in the browser. On the network tab, I see

{"code":1011,"message":"Wrong username or password."} as response.

Side note: running Vikunja on a shared host which does not expose user-defined ports to the internet, so I've added a proxy rule to the .htaccess file of the frontend:

RewriteEngine On
RewriteRule .* - [e=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteRule ^\/?(index\.html|favicon\.ico|assets|audio|fonts|images|manifest\.webmanifest|robots\.txt|sw\.js|workbox-.*|dav|\.well-known) - [L]
RewriteRule ^api/(.*[^/])/?$ http://localhost:3456/api/$1 [P,L]
RewriteRule ^(.*)$ index.html [QSA,L]

-- this worked fine until this morning.

One other note (don't ask ;-) -- passwords are not set via Vikunja itself, but are synced with another tool we're using (Bookstack), so users only have one set of logins to worry about. This also has also worked before (the password hashes are all of the 2$... form)

So two questions: any changes to the login flow, or the way passwords are checked, before I need to start debugging what I might've broken during the update?

Vikunja Frontend Version

0.22.1

Vikunja API Version

0.22.1

Browser and version

Both up-to-date Edge and Firefox

Can you reproduce the bug on the Vikunja demo site?

No

Screenshots

No response

kolaente commented 8 months ago

passwords are not set via Vikunja itself, but are synced with another tool we're using (Bookstack), so users only have one set of logins to worry about. This also has also worked before (the password hashes are all of the 2$... form)

You really should use openid for that.

To debug this, you could enable database logging to see if the queries work and if the password hash is the problem here.

any changes to the login flow, or the way passwords are checked, before I need to start debugging what I might've broken during the update?

There have not been any explicit changes to that. However, we don't implement the password hashing ourselves but use the Go standard library for that, which may have been updated in a way that it no longer works with the Hashes from Bookstack.

Unfortunately, it does not look like this is a problem Vikunja should solve, because what you're doing is not really intended and there are better alternatives available.

ozuzo commented 8 months ago

Fully understand. Given the limitations on the shared host this was the easiest solution, it is only for a very small group of users.

Where there any database migration steps for .22 -> .22.1? So I know if I should restore a backup if I want to rollback to .22

ozuzo commented 8 months ago

Please ignore my stupidity :-) During the upgrade I managed to remove the config.yml file, so that Vikunja was now using a sqlite database instead of the MySQL one....