Closed RRyankees08 closed 4 months ago
I'm getting the same issue on an existing install that got updated.
Fresh-installed from TrueCharts on TrueNAS (https://truecharts.org/charts/stable/romm/), configured IGDB Client Id and Client along with Auth Credentials (Username and Password), and I can't log in using these credentials. The login request fails with 401. It seems to be sent with an empty body, but it might be using headers to authenticate.
@krin-san Can you post the network request being sent, and the server container logs at the same time?
@gantoine of course, here's the romm.log and browser request:
```bash
curl 'https://romm.nas.internal/api/login' \
-X POST \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:126.0) Gecko/20100101 Firefox/126.0' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate, br, zstd' \
-H 'Referer: https://romm.nas.internal/login' \
-H 'Content-Type: application/json' \
-H 'x-csrftoken: .eJwFwdsOQzAAANB_2buEdS57rKkpJdqNTF_ExHTBWoJm-_qdc1j2Drg8cezW4jCSbVMsw-b-ZoSUyTITD0mHS1KBTIdtsATbFK5gkjIQLrFWvT3Txw1h75RnF7PusKqL2ODaL4aXo8GcKWeURLt-LFY1flMafxqoPcLG_vi-2kHCMeOyJhQ0JjemIXZyKu5yr3oeMVhTJCp67nFiIZiX-PAHfCY45g.PRHCUo27ZHIV3l4aQzYpigcA5LI' \
-H 'Authorization: Basic a3Jpbjprcmlu' \
-H 'Origin: https://romm.nas.internal' \
-H 'DNT: 1' \
-H 'Sec-GPC: 1' \
-H 'Connection: keep-alive' \
-H 'Cookie: csrftoken=.eJwFwdsOQzAAANB_2buEdS57rKkpJdqNTF_ExHTBWoJm-_qdc1j2Drg8cezW4jCSbVMsw-b-ZoSUyTITD0mHS1KBTIdtsATbFK5gkjIQLrFWvT3Txw1h75RnF7PusKqL2ODaL4aXo8GcKWeURLt-LFY1flMafxqoPcLG_vi-2kHCMeOyJhQ0JjemIXZyKu5yr3oeMVhTJCp67nFiIZiX-PAHfCY45g.PRHCUo27ZHIV3l4aQzYpigcA5LI; session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJyb21tOmF1dGgiLCJzdWIiOiIiLCJleHAiOjE3MTczNjkyMDB9.xDwTwgwQhsjov_Gr5JJkriB9tiulBCV762sRMoVQFEY' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Priority: u=1' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
-H 'TE: trailers' \
--data-raw '{}'
```
Logs are quite... stingy. Is there an option for verbose logging, or a log-level environment variable I can set to see more details?

```
INFO: [nginx][2024-05-21 19:41:43] 172.16.1.168 - krin "POST /api/login HTTP/1.1" 401 43 "https://romm.nas.internal/login" "Mozilla/5.0 (Windows NT 10.0; rv:126.0) Gecko/20100101 Firefox/126.0" rt=0.005 uct="0.000" uht="0.006" urt="0.006"
```
Alright yeah it's unauthorized. So looking at the headers it is correctly sending credentials as krin:krin. Can you post the section of your docker-compose that has ROMM_AUTH_USERNAME and ROMM_AUTH_PASSWORD?
It's not a Docker but a Kubernetes chart: `admin` for username and password.

Meanwhile I dug deeper into the database and app sources to understand which user is compared against the data entered on the web page. I extracted the MariaDB password using

```bash
$ k3s kubectl -n ix-romm get secret romm-mariadbcreds -o jsonpath='{.data}'
```

and used that to dump the DB:

```bash
$ mariadb-dump --databases romm -u romm -p --no-create-info --skip-triggers --no-create-db --compact
Enter password:
USE `romm`;
INSERT INTO `alembic_version` VALUES
('0016_user_last_login_active');
INSERT INTO `users` VALUES
(1,'','$2b$12$VMWFAIwn8OJP.rp7ylXtk./whHyGWB/7q7tUegVQVed5WenjB4Ana',1,'ADMIN','','2024-05-20 01:00:00','2024-05-20 01:00:00');
```

According to https://github.com/rommapp/romm/blob/release/backend/models/user.py#L24, the second column has to be the username, but it is empty.

I also used https://github.com/rommapp/romm/blob/release/backend/handler/auth_handler/__init__.py#L46 as a reference to check which password has been hashed... and it's not the one I used to set up the app.
```
$ pip3 install passlib bcrypt
$ python3
>>> from passlib.context import CryptContext
>>> pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
>>> pwd_context.hash(..., salt="VMWFAIwn8OJP.rp7ylXtk.")
```
I cracked the case: the DB holds an empty username and an empty password.

```python
bcrypt.hashpw(b'', b'$2b$12$VMWFAIwn8OJP.rp7ylXtk./whHyGWB/7q7tUegVQVed5WenjB4Ana')
b'$2b$12$VMWFAIwn8OJP.rp7ylXtk./whHyGWB/7q7tUegVQVed5WenjB4Ana'
```

An attempt to log in with empty fields results in a 200 response, loads a bunch of static files and then fails again with 403 and body {"detail":"Forbidden"} on the following requests:
I will try to reinstall the chart, maybe this will fix it.
What a long investigation to find out that I might have been stupid enough to install an app with empty Username and Password fields 😅 I reinstalled the app and It Just Works.
@RRyankees08 did you by any chance run the Romm app at least once and then add or change the ROMM_AUTH_USERNAME and ROMM_AUTH_PASSWORD variables? Because https://github.com/rommapp/romm/blob/release/backend/main.py#L39 uses those variables to create an Admin user only if the DB has no admin users; in other cases these variables are not used.
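The two checks the thread walks through by hand, combined into one small diagnostic (added here as an example; it is not code from the thread or from the RomM project): decode the Basic header the browser sent, parse the `users` row from the mariadb-dump, and report why the login would be rejected. The column names after `hashed_password` are assumed from the dump's order; the sample header and row are constructed from the values quoted above.

```python
import base64
import csv
import re
from typing import Optional

# Constructed sample inputs modelled on the thread: the Authorization header
# the browser sent, and the `users` VALUES tuple from the mariadb-dump.
BASIC_HEADER = "Basic a3Jpbjprcmlu"
USERS_INSERT = ("(1,'','$2b$12$VMWFAIwn8OJP.rp7ylXtk./whHyGWB/7q7tUegVQVed5WenjB4Ana',"
                "1,'ADMIN','','2024-05-20 01:00:00','2024-05-20 01:00:00');")

# Column order: id and username are as the page states; the remaining names
# are assumptions based on the dump's layout.
COLUMNS = ["id", "username", "hashed_password", "enabled", "role",
           "avatar_path", "last_active", "last_login"]


def decode_basic(header: str) -> tuple[str, str]:
    """Split an HTTP Basic Authorization value into (username, password)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def parse_users_row(values: str) -> dict:
    """Parse one SQL VALUES tuple into a dict keyed by COLUMNS."""
    inner = values.strip().rstrip(";").strip("()")
    fields = next(csv.reader([inner], quotechar="'", skipinitialspace=True))
    return dict(zip(COLUMNS, fields))


def empty_password_matches(hashed: str) -> Optional[bool]:
    """True if the stored bcrypt hash is of ''; None if bcrypt is not installed."""
    try:
        import bcrypt
    except ImportError:
        return None
    return bcrypt.checkpw(b"", hashed.encode())


def diagnose(header: str, users_row: str) -> list[str]:
    """Return findings that explain a 401 on /api/login for this admin row."""
    findings = []
    sent_user, sent_pwd = decode_basic(header)
    row = parse_users_row(users_row)
    if row["username"] == "":
        findings.append("admin row has an empty username: app first ran with ROMM_AUTH_USERNAME unset")
    elif row["username"] != sent_user:
        findings.append(f"browser sent user {sent_user!r} but the DB admin is {row['username']!r}")
    if not re.match(r"^\$2[aby]\$\d{2}\$", row["hashed_password"]):
        findings.append("hashed_password is not a bcrypt hash")
    if empty_password_matches(row["hashed_password"]):
        findings.append("stored hash is the hash of an empty password")
    return findings
```

Running `diagnose(BASIC_HEADER, USERS_INSERT)` on the sample input reports the empty username; the bcrypt check only runs when the `bcrypt` package is installed.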
Added an entry for this in the wiki, gonna call it good for now. One day we might have real onboarding where the admin can set credentials via the UI. https://github.com/rommapp/romm/wiki/Troubleshooting#unable-to-login-incorrect-username-or-password
RomM version: Latest
Describe the bug: I am trying to install for the first time. I first got a CSRF error, but now I get this. I have set a password, username, and secret key, and defined a redis path in my compose file. My logs show this:
message.txt
Expected behavior: I should be able to log in.
Additional context: Redis logs: message (1).txt. Compose file: