kirmanak / Mealient

An Android client for the self-hosted recipe manager Mealie.
MIT License

OIDC Login Not Supported #250

Open Eschguy opened 7 months ago

Eschguy commented 7 months ago

I use OIDC (Authentik) and am unable to log in.

Error message:

```
Expected response body of the type 'class n8.b0 (Kotlin reflection is not available)' but was 'class io.ktor.utils.io.t (Kotlin reflection is not available)'
In response from 'https://DOMAIN/api/auth/token'
Response status '500'
Response header `ContentType: text/plain; charset=utf-8`
Request header `Accept: application/json`
You can read how to resolve NoTransformationFoundException at FAQ:
https://ktor.io/docs/faq.html#no-transformation-found-exception
```

kirmanak commented 6 months ago

@Eschguy Thanks to your report I am now also running Authentik :-D But I still wasn't able to reproduce the issue. Are you still able to sign-in with username and password via Mealie UI? I'm asking because the log you attached mentions a 500 response status from Mealie which means a server error.

Eschguy commented 6 months ago

No, I force Authentik use when logging into my services, so going to my mealie.domain redirects to my auth.domain to log in before redirecting back.

kirmanak commented 6 months ago

@Eschguy Can you please elaborate on how you force the Authentik use? Are you using a reverse proxy like Traefik to achieve this?

Eschguy commented 6 months ago

I set the OIDC_AUTO_REDIRECT variable to true, as documented here: https://docs.mealie.io/documentation/getting-started/installation/backend-config/#openid-connect-oidc

kirmanak commented 6 months ago

As far as I understand, this approach doesn't really block you from logging in with username and password, it just automatically redirects you from the login page when opened in browser. I have that variable set to true, but I am still able to sign in through the app.

The blocker in your case seems to be the 500 response from Mealie. Could you please set the log level of Mealie to debug, and attempt the sign-in again? If it fails again, please check the Mealie logs as described here: https://docs.mealie.io/documentation/getting-started/installation/logs/. Once you have found the error, please post the relevant part of the log and the Mealie version here.

Eschguy commented 6 months ago

```
[INFO|httptools_impl|L481] 2024-05-09T08:28:19: 207.153.2.74:0 - "GET /api/groups/mealplans/today HTTP/1.1" 200
[DEBUG|AppriseLocale|L140] 2024-05-09T08:28:19: Language set to en
[INFO|httptools_impl|L481] 2024-05-09T08:28:19: 207.153.2.74:0 - "GET /api/groups/mealplans/today HTTP/1.1" 200
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_start with no data
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_name with data[0:8]
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_data with data[9:16]
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_end with no data
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_start with no data
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_name with data[17:25]
[DEBUG|multipart|L623] 2024-05-09T08:28:25: Calling on_field_data with data[26:36]
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_field_end with no data
[DEBUG|multipart|L626] 2024-05-09T08:28:25: Calling on_end with no data
[INFO|httptools_impl|L481] 2024-05-09T08:28:25: 207.153.2.74:0 - "POST /api/auth/token HTTP/1.1" 500
[ERROR|httptools_impl|L416] 2024-05-09T08:28:25: Exception in ASGI application
Traceback (most recent call last):
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/protocols/http/httptools_impl.py", line 411, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/uvicorn/middleware/proxy_headers.py", line 69, in __call__
    return await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/applications.py", line 123, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 24, in __call__
    await responder(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/gzip.py", line 44, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/middleware/exceptions.py", line 65, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 756, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 776, in app
    await route.handle(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 297, in handle
    await self.app(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 77, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/starlette/routing.py", line 72, in app
    response = await func(request)
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 278, in app
    raw_response = await run_endpoint_function(
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
    return await dependant.call(**values)
  File "/app/mealie/routes/auth/auth.py", line 50, in get_token
    auth = await auth_provider.authenticate()
  File "/app/mealie/core/security/providers/credentials_provider.py", line 40, in authenticate
    if not CredentialsProvider.verify_password(self.data.password, user.password):
  File "/app/mealie/core/security/providers/credentials_provider.py", line 57, in verify_password
    return get_hasher().verify(plain_password, hashed_password)
  File "/app/mealie/core/security/hasher.py", line 32, in verify
    return bcrypt.checkpw(password_bytes, hashed_bytes)
ValueError: Invalid salt
```

kirmanak commented 6 months ago

Invalid salt sounds like a Mealie configuration issue. I don't see what I can change in the app to fix this, can you please open an issue in Mealie repository instead?

Eschguy commented 6 months ago

Sure, I can do more digging to see if I did something wrong. Since I have no issues on the web (desktop or mobile) I had assumed it was an issue with the app not supporting OIDC with 2FA.

ericvenneker commented 6 months ago

I am able to reproduce the issue. It indeed appears that mealie does not take the login method of the user into account and simply tries to log in anyway, which will fail because an oidc (or ldap) user does not have a password or salt. That said, maybe the app is able (when requested by the user) to redirect to the configured OIDC.

@Eschguy were you able to create an issue on the mealie repo? I was not able to find a relevant issue.
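
To illustrate the failure mode ericvenneker describes (the server hands an identity-provider account with no stored hash straight to `bcrypt.checkpw`, which raises `ValueError: Invalid salt` and surfaces as a 500), here is an added example of how a credentials path can fail closed instead. It is not Mealie's code: the `User` fields, the `local`/`oidc` method names, and the PBKDF2 stand-in for bcrypt are all assumptions; the stand-in only reproduces bcrypt's contract of raising `ValueError` on a missing or malformed hash.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    auth_method: str            # hypothetical: "local", "oidc" or "ldap"
    password: Optional[str]     # stored hash, or None for identity-provider accounts


def hash_password(plain: str) -> str:
    """Constructed stand-in for the bcrypt hasher; format '$pbkdf2$<salt>$<digest>'."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), bytes.fromhex(salt), 100_000).hex()
    return f"$pbkdf2${salt}${digest}"


def verify_password(plain: str, hashed: Optional[str]) -> bool:
    """Mimics bcrypt.checkpw: a missing or malformed hash raises ValueError."""
    if not hashed or hashed.count("$") != 3:
        raise ValueError("Invalid salt")
    _, _, salt, digest = hashed.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", plain.encode(), bytes.fromhex(salt), 100_000).hex()
    return hmac.compare_digest(candidate, digest)


def authenticate(user: Optional[User], plain: str) -> tuple[int, str]:
    """Return (status, reason); a hasher error must never escape as a 500."""
    if user is None:
        return 401, "unknown user"
    # Root cause from the thread: OIDC/LDAP users have no local hash, so check
    # the stored auth method before the hasher is ever called.
    if user.auth_method != "local" and not user.password:
        return 401, f"{user.auth_method} account has no local password"
    try:
        ok = verify_password(plain, user.password)
    except ValueError:
        # Defence in depth: a corrupt or missing hash is an auth failure, not a crash.
        return 401, "stored password hash is unusable"
    return (200, "ok") if ok else (401, "bad password")
```

An OIDC account that later gets a local hash (the password-reset route reported further down in the thread) still takes the verification path, so both kinds of account are handled without an exception reaching the ASGI layer.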

Eschguy commented 6 months ago

@ericvenneker

No, I never did; I was going to try something first but it didn't work.

tecbeat commented 5 months ago

Same Authentik issue for me. The login mask from mealie does not allow OIDC users, only native mealie users. So maybe we need the same redirect for the app login.

0xC0ncord commented 3 months ago

For what it's worth I tried working around this by creating an access token in Mealie for my user backed by OIDC login and then using that token as my password in Mealient, but I get the same error.

danbracey commented 2 months ago

I was also facing the same error, and managed to resolve this by finding my user account in 'Admin User Management' and generating a Password Reset Link. I can now log in with both my new password and OIDC, and can now log in to Mealient without issue, using the local password for Mealie and my normal Authentik password when using OIDC.