magento / magento2

http://www.magento.com
Open Software License 3.0

Magento admin URL routing wrong detection and CORS errors #37663

Open zapotocnylubos opened 1 year ago

zapotocnylubos commented 1 year ago

Preconditions and environment

Steps to reproduce

Expected result

Actual result

The Magento routing mechanism for detecting whether the current page is part of the administration panel seems to have a flaw. Instead of checking if "m2.domain.local" is equal to "admin.m2.domain.local", it checks if "admin.m2.domain.local" contains "m2.domain.local" as a substring. This condition evaluates to true, allowing access to the administration panel via the frontend URL. However, it leads to CORS errors when loading static files due to the different domains used.

Additional information

https://github.com/magento/magento2/blob/35e8e434be0b21072382b3f91c71678efc0242c1/app/code/Magento/Backend/App/Area/FrontNameResolver.php#L138

Release note

No response

Triage and priority

m2-assistant[bot] commented 1 year ago

Hi @zapotocnylubos. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, Add a comment to the issue:

m2-assistant[bot] commented 1 year ago

Hi @engcom-Bravo. Thank you for working on this issue. In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

Amelia792 commented 1 year ago

Check your Magento configuration settings for the admin URL. Ensure that it is correctly set in the app/etc/env.php file or through the Magento Admin Panel. Verify that the web server's rewrite rules are properly configured to handle the Magento admin URL. Clear your Magento cache and browser cache to ensure that any previous routing configurations are not causing conflicts. If the issue persists, consult Magento's official documentation for Ehsaas Kafalat program or reach out to their support for specific guidance. CORS Errors:

Cross-Origin Resource Sharing (CORS) errors occur when a web page makes a request to a resource from a different domain, protocol, or port. These errors are typically related to security restrictions imposed by the browser. Ensure that your server is correctly configured to allow cross-origin requests. This may involve setting appropriate response headers, such as Access-Control-Allow-Origin, on the server-side.

zapotocnylubos commented 1 year ago

I have debugged the problem, this is not helping @Amelia792

zapotocnylubos commented 1 year ago

The solution for me was to create a composer patch (for magento/module-backend) like this

diff --git a/App/Area/FrontNameResolver.php b/App/Area/FrontNameResolver.php
--- a/App/Area/FrontNameResolver.php
+++ b/App/Area/FrontNameResolver.php
@@ -135,7 +135,7 @@
         $host = (string) $this->request->getServer('HTTP_HOST', '');
         $hostWithPort = $this->getHostWithPort($backendUrl);

-        return !($hostWithPort === null || $host === '') && stripos($hostWithPort, $host) !== false;
+        return !($hostWithPort === null || $host === '') && stripos($hostWithPort, $host) === 0;
     }

     /**
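Review bot: the `=== 0` prefix test on the `+` line still accepts any request host that is a leading substring of the backend host, for example `admin.m2.domain` or `admin.m2` when `$hostWithPort` is `admin.m2.domain.local`, so the false positives narrow but do not disappear. Compare the whole host instead, allowing only for the optional port suffix that `$hostWithPort` may carry, e.g. `strcasecmp($hostWithPort, $host) === 0 || stripos($hostWithPort, $host . ':') === 0`, and keep the existing `null`/empty guard in front of it.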

because I want (and this should be the correct solution) the current domain (host) and the admin domain (host) to match from the start of the string, not somewhere in the middle
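To make the difference concrete, here is an added example (not Magento's code and not the commenter's patch) that runs the original substring check, the prefix check from the patch above, and a whole-host comparison over constructed request hosts; the `:443` suffix on the backend host is an assumption about what the backend URL resolves to.

```php
<?php
// Added example, not part of magento/module-backend. Shows which request hosts
// each variant of the admin-host check accepts for a constructed backend host.
declare(strict_types=1);

// Original check (substring): true whenever the request host appears
// anywhere inside the backend host, so the frontend host also matches.
function isBackendSubstring(string $hostWithPort, string $host): bool
{
    return !($hostWithPort === '' || $host === '') && stripos($hostWithPort, $host) !== false;
}

// Check from the composer patch in the thread (prefix match).
function isBackendPrefix(string $hostWithPort, string $host): bool
{
    return !($hostWithPort === '' || $host === '') && stripos($hostWithPort, $host) === 0;
}

// Stricter alternative (an assumption, not the project's code): the request host
// must equal the backend host, with or without the backend's port suffix.
function isBackendExact(string $hostWithPort, string $host): bool
{
    if ($hostWithPort === '' || $host === '') {
        return false;
    }
    $backendHost = preg_replace('/:\d+$/', '', $hostWithPort);
    return strcasecmp($hostWithPort, $host) === 0 || strcasecmp($backendHost, $host) === 0;
}

// Constructed inputs: only the first two request hosts are really the admin host.
$backend  = 'admin.m2.domain.local:443';
$requests = [
    'admin.m2.domain.local',
    'ADMIN.M2.DOMAIN.LOCAL:443',
    'm2.domain.local',   // the storefront host from the issue
    'domain.local',
    'admin.m2',
];

printf("%-28s %-9s %-7s %-5s\n", 'request host', 'substring', 'prefix', 'exact');
foreach ($requests as $host) {
    printf("%-28s %-9s %-7s %-5s\n", $host,
        var_export(isBackendSubstring($backend, $host), true),
        var_export(isBackendPrefix($backend, $host), true),
        var_export(isBackendExact($backend, $host), true));
}
```

The substring column is true for every row, the prefix column still accepts `admin.m2`, and only the whole-host comparison limits the match to the real admin host.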

engcom-Bravo commented 1 year ago

Hi @zapotocnylubos,

Thank you for reporting and collaboration.

Verified the issue on Magento 2.4-develop instance and the issue is reproducible. Kindly refer to the screenshots.

Steps to reproduce

Install Magento and make sure it is working; the URL should be m2.domain.local

Issue:

The Magento routing mechanism for detecting whether the current page is part of the administration panel seems to have a flaw. Instead of checking if "m2.domain.local" is equal to "admin.m2.domain.local," it checks if "admin.m2.domain.local" contains "m2.domain.local" as a substring. This condition evaluates to true, allowing access to the administration panel via the frontend URL. However, it leads to CORS errors when loading static files due to the different domains used.

Admin URL is different

[Screenshot 2023-07-17 at 6 21 24 PM]

Frontend is different

[Screenshot 2023-07-17 at 6 21 02 PM]

Hence Confirming the issue.

Thanks.

github-jira-sync-bot commented 1 year ago

:white_check_mark: Jira issue https://jira.corp.adobe.com/browse/AC-9216 is successfully created for this GitHub issue.

m2-assistant[bot] commented 1 year ago

:white_check_mark: Confirmed by @engcom-Bravo. Thank you for verifying the issue.
Issue Available: @engcom-Bravo, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.

zapotocnylubos commented 8 months ago

Hi, this is a single-line patch. Should I prepare PR with the changes mentioned in my patch?

hostep commented 7 months ago

@zapotocnylubos: that would probably speed up the delivery of the fix indeed, so go for it :)

dannymorson commented 5 months ago

Check your Magento configuration settings for the admin URL. Ensure that it is correctly set in the app/etc/env.php file or through the Magento Admin Panel. Verify that the web server's rewrite rules are properly configured to handle the Magento admin URL. Clear your Magento cache and browser cache to ensure that any previous routing configurations are not causing conflicts. If the issue persists, consult Magento's official documentation for Ehsaas Kafalat program or reach out to their support for specific guidance. CORS Errors:

Cross-Origin Resource Sharing (CORS) errors occur when a web page makes a request to a resource from a different domain, protocol, or port. These errors are typically related to security restrictions imposed by the browser. Ensure that your server is correctly configured to allow cross-origin requests. This may involve setting appropriate response headers, such as Access-Control-Allow-Origin, on the server-side.

What is this Man?

zapotocnylubos commented 5 months ago

I don't know, I thought it was some AI/bot response

okunevaeliza commented 1 month ago

The issue of Magento admin URL routing detection and CORS (Cross-Origin Resource Sharing) errors typically arises when there are misconfigurations in the setup, such as incorrect base URLs, insecure protocols (HTTP vs. HTTPS), or misaligned server configurations. Here's how these problems manifest and some potential solutions:

Common Causes:

Wrong URL Routing:

Incorrect Admin URL: This happens if the base URL for the Magento admin is not configured properly. It can cause routing issues where the system is unable to direct requests to the correct admin panel.

Unsecure Base URL (HTTP/HTTPS conflict): If your Magento store runs on HTTPS but your admin panel URL is still set to HTTP, or vice versa, this could cause issues with routing and resource loading.

CORS Errors:

Cross-Origin Requests Blocked: CORS errors occur when your Magento admin tries to load resources (like images or scripts) from a different origin (domain, subdomain, or protocol) and the server is not configured to allow this.

Mixed Content: Having both HTTP and HTTPS resources can cause browsers to block content, leading to errors in loading resources from the Magento admin panel.

Steps to Resolve the Issues:

Fix Admin URL Routing:

Update the Base URLs: Ensure the correct base URL is configured in your env.php file or through the Magento backend.

    'web' => [
        'base_url' => 'https://yourstore.com/',
        'base_url_secure' => 'https://yourstore.com/',
    ]

Enable URL Rewrites: In the Magento backend, under Stores > Configuration > Web > Search Engine Optimization, enable Use Web Server Rewrites.

Resolve CORS Errors:

Update .htaccess or Nginx Configuration: Allow cross-origin requests by adding proper headers to the server configuration.

    Header add Access-Control-Allow-Origin "*"

Use the Same Protocol (HTTPS): Ensure both the Magento storefront and admin panel use the same protocol (either HTTP or HTTPS) to avoid mixed content issues.

Clear Cache:

Clear Magento cache from the command line or admin panel to ensure changes take effect:

    bin/magento cache:clean
    bin/magento cache:flush

For detailed support or to explore more tailored solutions, visiting the Knoxville Insurance Store website won't directly help with Magento issues, but for insurance services, they can be a reliable resource here.

If you're still having trouble, you might want to consult Magento documentation or reach out to a developer for further assistance.

chittima commented 1 month ago

Thank you for your contribution! The Adobe Commerce Engineering team is working on the issue which you have addressed in this PR. Team will cherry pick the commits from your PR if we found solution is applicable and may do further investigation to cover additional scenarios as needed. We will reach out to you if we need more information. For now, you can pause work on this PR. We will notify once the issue is fixed. Thank you once again!