rommapp / romm

A beautiful, powerful, self-hosted rom manager
https://romm.app
GNU Affero General Public License v3.0

[Bug] Getting 403 errors and back to login page #1267

Closed thias closed 6 days ago

thias commented 3 weeks ago

RomM version Version 3.5.1

Describe the bug When successfully logging in, I see the full RomM web interface for a fraction of a second, before being redirected to the /login page again. In the logs, 403 errors can be seen for one or more entries.

To Reproduce Steps to reproduce the behavior:

  1. Run RomM with Podman rootless on RHEL9 (podman 4.9.4) with the command below with an existing MariaDB server on the host OS.
  2. Access the http://127.0.0.1:8080/ URL
  3. Enter the new admin user details, go past the next info page, log in
  4. See the interface for a fraction of a second, then get back to the login page

Expected behavior No 403 errors and be logged in.

Screenshots N/A

Desktop

Smartphone N/A

Additional context Full Podman command line used:

podman run --name romm -e DB_HOST="10.0.2.2" -e DB_NAME="romm" -e DB_USER="romm" -e DB_PASSWD="romm" -e ROMM_AUTH_SECRET="8a628aa46ac6b51db12a3b8f5bd7b92e9bd32b544969908e659c0339b5571f0b" -e IGDB_CLIENT_ID="xxx" -e IGDB_CLIENT_SECRET="xxx" -e DISABLE_CSRF_PROTECTION=true -v /srv/vgames/romm_resources:/romm/resources:z -v /srv/vgames/romm_redis_data:/redis-data:z -v /srv/vgames/library:/romm/library:z -v /srv/vgames/assets:/romm/assets:z -v /srv/vgames/config:/romm/config:z --network slirp4netns:allow_host_loopback=true -p 8080:8080 docker.io/rommapp/romm:latest

After tracking this down, I have found a workaround, which is to lower the number of gunicorn workers from the default of 2 to only 1: GUNICORN_WORKERS=1

adamantike commented 3 weeks ago

Good catch! It seems the issue here is that you are providing a ROMM_AUTH_SECRET environment variable, instead of ROMM_AUTH_SECRET_KEY.

When RomM doesn't receive a ROMM_AUTH_SECRET_KEY value, it randomly generates an auth secret. There is a bug here, because when multiple Gunicorn workers are spawned, each of them will generate a different auth secret!

Let's keep the issue open even if changing the environment variable name fixes it for you, so we can fix the underlying randomness.
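To make the failure mode described above concrete, here is a small added simulation (not RomM's code): a plain HMAC-signed token stands in for RomM's session token, and each simulated Gunicorn worker derives its secret the way the thread describes, falling back to a random one when ROMM_AUTH_SECRET_KEY is absent. A token issued by one worker is then checked by the others, which is what happens when consecutive requests land on different workers.

```python
import hashlib
import hmac
import secrets


# Constructed stand-in for a signed session token (not RomM's real token format).
def sign_token(secret: bytes, payload: str) -> str:
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(secret: bytes, token: str) -> bool:
    payload, _, mac = token.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so a wrong secret fails without leaking timing.
    return hmac.compare_digest(mac, expected)


def worker_secret(env: dict) -> bytes:
    # Mirrors the behaviour from the thread: only ROMM_AUTH_SECRET_KEY is read;
    # a misspelled variable such as ROMM_AUTH_SECRET is ignored and each worker
    # process falls back to its own freshly generated random secret.
    configured = env.get("ROMM_AUTH_SECRET_KEY")
    if configured:
        return configured.encode()
    return secrets.token_bytes(32)


def simulate(env: dict, n_workers: int = 2) -> int:
    """Return how many of the other workers reject a token issued by worker 0."""
    worker_secrets = [worker_secret(env) for _ in range(n_workers)]
    token = sign_token(worker_secrets[0], "user=admin")
    return sum(1 for s in worker_secrets[1:] if not verify_token(s, token))


if __name__ == "__main__":
    key = "constructed-example-key"  # placeholder, not a real secret
    # Misnamed variable: with the default of 2 workers, the second worker
    # rejects the first worker's token, i.e. the 403 followed by /login.
    print("ROMM_AUTH_SECRET (wrong name): rejections =",
          simulate({"ROMM_AUTH_SECRET": key}))
    # Correct variable: every worker shares the key, nothing is rejected.
    print("ROMM_AUTH_SECRET_KEY (correct): rejections =",
          simulate({"ROMM_AUTH_SECRET_KEY": key}))
    # The GUNICORN_WORKERS=1 workaround also avoids it: no other worker exists.
    print("Single worker, no key: rejections =", simulate({}, n_workers=1))
```

A deployment check that follows from this: after startup, log in and issue several requests in a row; if any of them returns 403 while the rest succeed, the workers are not sharing the same signing key.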

thias commented 3 weeks ago

Thanks for seeing my obvious mistake! I can confirm that using the correct ROMM_AUTH_SECRET_KEY environment variable name fixes everything :+1: