pgadmin-org / pgadmin4

pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world.
https://www.pgadmin.org

Bad URL for password recovery if behind web server (RM #3975) #2342

Closed dpage closed 2 years ago

dpage commented 5 years ago

Issue migrated from Redmine: https://redmine.postgresql.org/issues/3975 Originally created by Isaias Sanchez at 2019-02-08 08:34:05 UTC.

When we install pgadmin4 in server mode behind Apache, we use a URL to do that. And we keep the default server as 127.0.0.1, but when a user clicks on "Forgotten your password?" the URL received by mail is like:

http://127.0.0.1:5050/browser/reset_password/...

And obviously this URL won't work. The user MUST replace the 127.0.0.1:5050 with the correct URL to modify the password.

The ideal is to have a property to use in that part of the URL instead of the combination http://DEFAULT_SERVER:DEFAULT_SERVER_PORT/... If that NEW property is empty, then use the ip:port as usual.

That URL can also be secured using https, but I guess that's easier to fix with a permanent redirect in Apache from http to https.

Example:

Case 1: Standalone or Desktop

DEFAULT_SERVER = '127.0.0.1'
DEFAULT_SERVER_PORT = '5050'
DEFAULT_SERVER_NAME = ''

Produces: http://127.0.0.1:5050/browser/reset_password/...

Case 2: Server mode behind Apache

DEFAULT_SERVER = '127.0.0.1'
DEFAULT_SERVER_PORT = '5050'
DEFAULT_SERVER_NAME = 'pgadmin4.myserver.org'

Produces: http://pgadmin4.myserver.org/browser/reset_password/...

Another observation is to have all internal links in https, because in case we use https for pgadmin4 the web browser won't complain about insecure content in the application.
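An added example (not pgAdmin's own code) of the fallback the report proposes: build the reset link from configuration only, using DEFAULT_SERVER_NAME when it is set and DEFAULT_SERVER:DEFAULT_SERVER_PORT otherwise. SCHEME and SCRIPT_NAME are my assumed keys for the https and /pgadmin4-prefix cases that appear later in the thread; the sample configurations are constructed to mirror Case 1 and Case 2.

```python
import re

# A public name must be a bare host with an optional port: no scheme, no path.
# Rejecting anything else stops a mis-set value from turning the link into
# an arbitrary URL.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def build_reset_url(config, token):
    """Return the absolute password-reset link for `token`.

    Case 1 (DEFAULT_SERVER_NAME empty): fall back to DEFAULT_SERVER:DEFAULT_SERVER_PORT.
    Case 2 (DEFAULT_SERVER_NAME set): use that public name as-is, no port appended.
    The host is taken from configuration, never from the incoming request, so a
    forged or proxy-rewritten Host header cannot change where the link points.
    SCHEME and SCRIPT_NAME are assumed keys (default http, no prefix).
    """
    name = (config.get("DEFAULT_SERVER_NAME") or "").strip()
    if name:
        if not _HOSTNAME_RE.match(name):
            raise ValueError("DEFAULT_SERVER_NAME must be host[:port], got %r" % name)
        host = name
    else:
        host = "%s:%s" % (config["DEFAULT_SERVER"], config["DEFAULT_SERVER_PORT"])
    scheme = config.get("SCHEME", "http")
    prefix = (config.get("SCRIPT_NAME") or "").rstrip("/")
    return "%s://%s%s/browser/reset_password/%s" % (scheme, host, prefix, token)


# Constructed sample configurations (not from the original page's config files).
CASE1 = {"DEFAULT_SERVER": "127.0.0.1", "DEFAULT_SERVER_PORT": "5050",
         "DEFAULT_SERVER_NAME": ""}                      # standalone / desktop
CASE2 = dict(CASE1, DEFAULT_SERVER_NAME="pgadmin4.myserver.org")   # behind Apache
CASE3 = dict(CASE2, DEFAULT_SERVER_NAME="test.pgadmin.com",
             SCHEME="https", SCRIPT_NAME="/pgadmin4")   # https + /pgadmin4 prefix

if __name__ == "__main__":
    for cfg in (CASE1, CASE2, CASE3):
        print(build_reset_url(cfg, "TOKEN"))
```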

dpage commented 5 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/3975#note-1 Originally created by Khushboo Vashi at 2019-03-01 10:47:17 UTC.

Redmine ticket header update:

Name Old Value New Value
Sprint changed Ready

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/3975#note-2 Originally created by Rahul Shirsat at 2021-06-04 11:50:36 UTC.

Fahar,

Could you please test this RM?

Redmine ticket header update:

Name Old Value New Value
Sprint changed Ready EDB Sprint 93
Assigned To changed Fahar Abbas
Status changed New In Testing

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/3975#note-3 Originally created by Akshay Joshi at 2021-06-23 10:32:07 UTC.

Redmine ticket header update:

Name Old Value New Value
Sprint changed EDB Sprint 93 EDB Sprint 94

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/3975#note-4 Originally created by Akshay Joshi at 2021-07-07 10:32:37 UTC.

Redmine ticket header update:

Name Old Value New Value
Sprint changed EDB Sprint 94 EDB Sprint 95

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/3975#note-5 Originally created by Akshay Joshi at 2021-07-21 10:30:50 UTC.

Redmine ticket header update:

Name Old Value New Value
Sprint changed EDB Sprint 95 EDB Sprint 96

dpage commented 3 years ago

Image migrated from Redmine: https://redmine.postgresql.org/attachments/download/6004 Originally created by Fahar Abbas at 2021-07-27 07:04:38 UTC.

Filename: Screen_Shot_2021-07-27_at_11.42.19_AM.png

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/3975#note-7 Originally created by Fahar Abbas at 2021-07-27 07:12:28 UTC.

How I tested:

  1. rpm -i https://ftp.postgresql.org/pub/pgadmin/pgadmin4/snapshots/2021-07-26/yum/pgadmin4-redhat-repo-2-1.noarch.rpm
  2. yum install pgadmin4
  3. pgadmin4 installed through rpm
  4. /usr/pgadmin4/bin/setup-web.sh: pgadmin4 configured for web mode with Apache
  5. systemctl stop httpd.service
  6. go into the /etc/httpd/conf.d folder and edit pgadmin4.conf
  7. Add the entry ServerName test.pgadmin.com and save the file
  8. systemctl start httpd.service
  9. go into /usr/pgadmin4/web and create the config_local.py file
  10. and edit the following content:

MAIL_SERVER = '127.0.0.1'
MAIL_PORT = 1025
MAIL_USE_SSL = False
MAIL_USERNAME = ''
MAIL_PASSWORD = ''
MAIL_DEBUG = True

  11. systemctl restart httpd.service
  12. Open a browser and go to http://test.pgadmin.com/pgadmin4
  13. Click on password recovery, provide a valid user and click on change password
  14. User is able to change the password successfully

Please note that the reset_password link is displayed with the user-specified server, i.e. test.pgadmin.com

Here is the output:

'Click the link below to reset your password:' b'' b'http://test.pgadmin.com/pgadmin4/browser/reset_password/WyJiYzYxOWEzNWQzMTA0MjRmOWI2MDMyOTVmYTQ4MjMwYSIsIiQ1JHJvdW5kcz01MzUwMDAkS2xUZ0lRMlJVMVB6SnVyNyR6SWlQQm9BeXRjQ2lDUlVGTkwuRkhpZHNwYnhyOWZLMG5Gd3Izay9VTTguIl0.YP-o3g.BnRYmyc1sjoGQA0DQ2HH-uxYocE'

Hi Isaias Sanchez!

In case you are able to see any other issue, kindly create a new RM with steps to reproduce.

Redmine ticket header update:

Name Old Value New Value
Done Ratio changed 0 100
Assigned To changed Fahar Abbas Isaias Sanchez
Status changed In Testing Resolved
Attachment added Screen Shot 2021-07-27 at 11.42.19 AM.png

dpage commented 3 years ago

Comment migrated from Redmine: https://redmine.postgresql.org/issues/3975#note-8 Originally created by Fahar Abbas at 2021-07-27 10:18:20 UTC.

Actual Result:

When the user edits the pgadmin4.conf file in the /etc/httpd/conf.d/ folder, adds the entry ServerName test.pgadmin.com and saves the file, edits the credentials mentioned in step 10, creates the new config_local.py in /usr/pgadmin4/web and restarts the Apache server, then the email for password recovery is generated and the password is recovered successfully using the http://test.pgadmin.com/pgadmin4 server.

dpage commented 2 years ago

Issue closed on Redmine.