logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0

bug: Error on create a password behind a proxy #5816

Closed joaovictorsouza closed 5 months ago

joaovictorsouza commented 6 months ago

Describe the bug

I have an issue that occurs only on the /api/interaction/profile endpoint when the application is behind a proxy. I’ve tested it with both Nginx (using the configurations from the documentation) and Traefik, but the same problem persists.

All other endpoints work as expected. If I create a user outside the proxy, I can log in normally. The problem seems to be specific to this particular endpoint.


Audit Log:

{
  "key": "Interaction.Register.Profile.Update",
  "result": "Error",
  "error": {
    "message": "TypeError: fetch failed"
  },
  "ip": "XXX.XX.XX.XXX",
  "userAgent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36",
  "method": "PATCH",
  "profile": {
    "password": "******"
  },
  "interactionStorage": {
    "event": "Register",
    "profile": {
      "email": "joaovictor.rodsouza@gmail.com"
    },
    "identifiers": [
      {
        "key": "emailVerified",
        "value": "joaovictor.rodsouza@gmail.com"
      }
    ]
  }
}

Container Log:

--> PATCH /api/interaction/profile 500 556ms 36b
<-- PATCH /api/interaction/profile
error TypeError: fetch failed
    at node:internal/deps/undici/undici:12618:11
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async PasswordPolicyChecker.hasBeenPwned (file:///etc/logto/packages/toolkit/core-kit/lib/password-policy.js:226:26)
    at async PasswordPolicyChecker.check (file:///etc/logto/packages/toolkit/core-kit/lib/password-policy.js:97:43)
    at async validatePassword (file:///etc/logto/packages/core/build/routes/interaction/utils/validate-password.js:49:20)
    at async file:///etc/logto/packages/core/build/routes/interaction/index.js:151:9
    at async guardMiddleware (file:///etc/logto/packages/core/build/middleware/koa-guard.js:54:13)
    at async file:///etc/logto/packages/core/build/middleware/koa-audit-log.js:98:13
    at async file:///etc/logto/packages/core/build/middleware/koa-body-etag.js:11:9
    at async cors (/etc/logto/node_modules/.pnpm/@koa+cors@5.0.0/node_modules/@koa/cors/index.js:64:16)
    at async /etc/logto/node_modules/.pnpm/koa-mount@4.0.0/node_modules/koa-mount/index.js:58:5
    at async /etc/logto/node_modules/.pnpm/koa-mount@4.0.0/node_modules/koa-mount/index.js:52:26
    at async compressMiddleware (/etc/logto/node_modules/.pnpm/koa-compress@5.1.0/node_modules/koa-compress/lib/index.js:52:5)
    at async file:///etc/logto/packages/core/build/middleware/koa-connector-error-handler.js:10:13
    at async file:///etc/logto/packages/core/build/middleware/koa-slonik-error-handler.js:8:13
    at async file:///etc/logto/packages/core/build/middleware/koa-oidc-error-handler.js:68:13 {
  cause: AggregateError [ETIMEDOUT]:
      at internalConnectMultiple (node:net:1116:18)
      at internalConnectMultiple (node:net:1184:5)
      at Timeout.internalConnectMultipleTimeout (node:net:1710:5)
      at listOnTimeout (node:internal/timers:575:11)
      at process.processTimers (node:internal/timers:514:7) {
    code: 'ETIMEDOUT',
    [errors]: [ [Error], [Error], [Error], [Error] ]
  }
}
--> PATCH /api/interaction/profile 500 594ms 36b
<-- GET /
--> GET / 302 21ms 47b
<-- GET /console
--> GET /console 200 12ms 348b

Docker Compose:

version: "3.9"
services:
  app:
    image: svhd/logto:${TAG-latest}
    entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
    ports:
      - "3001:3001"
      - "3002:3002"
    environment:
      - TRUST_PROXY_HEADER=1
      - DB_URL=postgres://postgres:postgres@postgres:5432/logto
      - ENDPOINT=https://auth.my-domain.com
      - ADMIN_ENDPOINT=https://adm.my-domain.com
    networks:
      - traefik_default
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.set-https-header.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.middlewares.set-https-header.headers.customrequestheaders.Host=$${host}
      - traefik.http.routers.app-auth.middlewares=set-https-header
      - traefik.http.routers.app-auth.entrypoints=web,websecure
      - traefik.http.routers.app-auth.rule=Host('auth.my-domain.com')
      - traefik.http.routers.app-auth.service=app-auth-service
      - traefik.http.services.app-auth-service.loadbalancer.server.port=3001
      - traefik.http.routers.app-auth.tls=true
      - traefik.http.routers.app-auth.tls.certresolver=production
      - traefik.http.routers.app-adm.entrypoints=web,websecure
      - traefik.http.routers.app-adm.middlewares=set-https-header
      - traefik.http.routers.app-adm.rule=Host('adm.my-domain.com')
      - traefik.http.routers.app-adm.service=app-adm-service
      - traefik.http.services.app-adm-service.loadbalancer.server.port=3002
      - traefik.http.routers.app-adm.tls=true
      - traefik.http.routers.app-adm.tls.certresolver=production

networks:
  traefik_default:
    external: true

Expected behavior

Create a password without problem

How to reproduce?

Context

Screenshots

simeng-li commented 6 months ago

Hi, the error shows a failure on the password policy fetching request. By default, Logto uses https://haveibeenpwned.com/ to enhance the password policy. You could either disable the feature or dig into the proxy issue for that request.
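The failure mode described in the comment above, as an added example that is not Logto's code and not part of the thread: a Pwned Passwords range check with a bounded timeout that reports an unreachable service as its own result instead of throwing. `checkPwned`, its return shape and the two stub responses are assumptions made for illustration; the URL is the public Pwned Passwords range API.

```javascript
// Added example, not Logto's code. Checks a password against the Pwned
// Passwords range API (k-anonymity) with a bounded timeout, and reports an
// unreachable service as its own state rather than throwing.
const { createHash } = require('node:crypto');

const RANGE_URL = 'https://api.pwnedpasswords.com/range/';

// Only the first 5 hex chars of the SHA-1 leave the host.
function rangeQuery(password) {
  const sha1 = createHash('sha1').update(password, 'utf8').digest('hex').toUpperCase();
  return { prefix: sha1.slice(0, 5), suffix: sha1.slice(5) };
}

// Response body is lines of "SUFFIX:COUNT"; returns 0 when the suffix is absent.
function countInRange(body, suffix) {
  for (const line of body.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(':');
    if (candidate === suffix) return Number.parseInt(count, 10);
  }
  return 0;
}

// fetchImpl is injectable (hypothetical parameter) so blocked egress can be reproduced offline.
async function checkPwned(password, { fetchImpl = fetch, timeoutMs = 3000 } = {}) {
  const { prefix, suffix } = rangeQuery(password);
  try {
    const res = await fetchImpl(RANGE_URL + prefix, { signal: AbortSignal.timeout(timeoutMs) });
    if (!res.ok) return { status: 'unavailable', reason: `HTTP ${res.status}` };
    const count = countInRange(await res.text(), suffix);
    return { status: count > 0 ? 'pwned' : 'ok', count };
  } catch (error) {
    // Node's fetch wraps the socket error: TypeError("fetch failed") with error.cause.code
    return { status: 'unavailable', reason: error.cause?.code ?? error.name };
  }
}

// Constructed stubs standing in for the network (not captured traffic).
const blockedEgress = async () => {
  throw new TypeError('fetch failed', { cause: Object.assign(new Error('connect'), { code: 'ETIMEDOUT' }) });
};
const constructedRange = async () => ({
  ok: true,
  status: 200,
  text: async () => '0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n',
});
```

Whether `unavailable` rejects the password or lets it through is the caller's policy decision; the point is that blocked egress from the container becomes a handled state.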

github-actions[bot] commented 6 months ago

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

wangsijie commented 5 months ago

Closing this issue for now. If you encounter further problems, feel free to reopen it.

yincangshiwei commented 2 months ago

Hello, I have also encountered the same problem as you. Have you solved it yet? How did you solve it? Can you share it?

yincangshiwei commented 2 months ago

> Hi, the error shows a failure on the password policy fetching request. By default, Logto uses https://haveibeenpwned.com/ to enhance the password policy. You could either disable the feature or dig into the proxy issue for that request.

May I ask how to disable it?

enginewang commented 2 months ago

I also encounter this error, how to disable this feature?