rommapp / romm

A beautiful, powerful, self-hosted rom manager
https://romm.app
GNU Affero General Public License v3.0

[Bug] Unable to login: Incorrect username or password #805

Closed RRyankees08 closed 4 months ago

RRyankees08 commented 6 months ago

RomM version Latest

Describe the bug I am trying to install for the first time. I first got a CSRF error, but now I get this. I have set a password, username, and secret key, and defined a Redis path in my compose file. My logs show this:

message.txt

To Reproduce Steps to reproduce the behavior:

  1. Install RomM
  2. Set up environment variables
  3. Fail to log in.

Expected behavior I should be able to log in.


Additional context Redis logs: message (1).txt Compose file:

```yaml
volumes:
  mysql_data:
  romm_resources:
  romm_redis_data:

services:
  romm:
    image: rommapp/romm:latest
    container_name: romm
    restart: unless-stopped
    environment:
      - DB_HOST=romm-db
      - DB_NAME=romm # Should match MYSQL_DATABASE in mariadb
      - DB_USER=romm-user # Should match MYSQL_USER in mariadb
      - DB_PASSWD=***** # Should match MYSQL_PASSWORD in mariadb
      - IGDB_CLIENT_ID=***** # Generate an ID and SECRET in IGDB
      - IGDB_CLIENT_SECRET=***** # https://api-docs.igdb.com/#account-creation
      - MOBYGAMES_API_KEY= # https://www.mobygames.com/info/api/
      - ROMM_AUTH_SECRET_KEY=***** # Generate a key with `openssl rand -hex 32`
      - ROMM_AUTH_USERNAME=admin
      - ROMM_AUTH_PASSWORD=***** # default: admin
      - ENABLE_RESCAN_ON_FILESYSTEM_CHANGE=false
    volumes:
      - romm_resources:/home/ryan/romm/resources # Resources fetched from IGDB (covers, screenshots, etc.)
      - romm_redis_data:/home/ryan/romm/redis-data # Cached data for background tasks
      - /path/to/library:/home/ryan/romm/library # Your game library
      - /path/to/assets:/home/ryan/romm/assets # Uploaded saves, states, etc.
      - /path/to/config:/home/ryan/romm/config # Path where config.yml is stored
    ports:
      - 90:8080
    depends_on:
      - romm-db

  romm-db:
    image: mariadb:latest
    container_name: romm-db
    restart: unless-stopped
    environment:
      - MYSQL_ROOT_PASSWORD=***** # Use a unique, secure password
      - MYSQL_DATABASE=romm
      - MYSQL_USER=romm-user
      - MYSQL_PASSWORD=*****
    volumes:
      - mysql_data:/var/lib/mysql
```

New logs: [message (2).txt](https://github.com/rommapp/romm/files/14912887/message.2.txt)

dmandrone commented 6 months ago

I'm getting the same issue on an existing install that got updated.

krin-san commented 5 months ago

Fresh-installed from TrueCharts on TrueNAS (https://truecharts.org/charts/stable/romm/), configured IGDB Client Id and Client along with Auth Credentials (Username and Password), and I can't log in using these credentials. The login request fails with 401. It seems to be sent with an empty body, but it might be using headers to authenticate.

gantoine commented 5 months ago

@krin-san Can you post the network request being sent, and the server container logs at the same time?

krin-san commented 5 months ago

@gantoine of course, here's the romm.log and browser request:

```sh
curl 'https://romm.nas.internal/api/login' \
  -X POST \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:126.0) Gecko/20100101 Firefox/126.0' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate, br, zstd' \
  -H 'Referer: https://romm.nas.internal/login' \
  -H 'Content-Type: application/json' \
  -H 'x-csrftoken: .eJwFwdsOQzAAANB_2buEdS57rKkpJdqNTF_ExHTBWoJm-_qdc1j2Drg8cezW4jCSbVMsw-b-ZoSUyTITD0mHS1KBTIdtsATbFK5gkjIQLrFWvT3Txw1h75RnF7PusKqL2ODaL4aXo8GcKWeURLt-LFY1flMafxqoPcLG_vi-2kHCMeOyJhQ0JjemIXZyKu5yr3oeMVhTJCp67nFiIZiX-PAHfCY45g.PRHCUo27ZHIV3l4aQzYpigcA5LI' \
  -H 'Authorization: Basic a3Jpbjprcmlu' \
  -H 'Origin: https://romm.nas.internal' \
  -H 'DNT: 1' \
  -H 'Sec-GPC: 1' \
  -H 'Connection: keep-alive' \
  -H 'Cookie: csrftoken=.eJwFwdsOQzAAANB_2buEdS57rKkpJdqNTF_ExHTBWoJm-_qdc1j2Drg8cezW4jCSbVMsw-b-ZoSUyTITD0mHS1KBTIdtsATbFK5gkjIQLrFWvT3Txw1h75RnF7PusKqL2ODaL4aXo8GcKWeURLt-LFY1flMafxqoPcLG_vi-2kHCMeOyJhQ0JjemIXZyKu5yr3oeMVhTJCp67nFiIZiX-PAHfCY45g.PRHCUo27ZHIV3l4aQzYpigcA5LI; session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJyb21tOmF1dGgiLCJzdWIiOiIiLCJleHAiOjE3MTczNjkyMDB9.xDwTwgwQhsjov_Gr5JJkriB9tiulBCV762sRMoVQFEY' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'Priority: u=1' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'TE: trailers' \
  --data-raw '{}'
```

Logs are quite... stingy. Is there an option for verbose logging, or a log level environment variable I can set to see more details?

gantoine commented 5 months ago

```
INFO: [nginx][2024-05-21 19:41:43] 172.16.1.168 - krin "POST /api/login HTTP/1.1" 401 43 "https://romm.nas.internal/login" "Mozilla/5.0 (Windows NT 10.0; rv:126.0) Gecko/20100101 Firefox/126.0" rt=0.005 uct="0.000" uht="0.006" urt="0.006"
```

Alright yeah it's unauthorized. So looking at the headers it is correctly sending credentials as krin:krin. Can you post the section of your docker-compose that has ROMM_AUTH_USERNAME and ROMM_AUTH_PASSWORD?

krin-san commented 5 months ago

It's not Docker but a Kubernetes chart:


Meanwhile I dug deeper into the database and app sources to understand which user is compared against the data entered on the web page. I extracted the MariaDB password using

```sh
$ k3s kubectl -n ix-romm get secret romm-mariadbcreds -o jsonpath='{.data}'
```

and used that to dump DB:

```sh
$ mariadb-dump --databases romm -u romm -p --no-create-info --skip-triggers --no-create-db --compact
Enter password: 

USE `romm`;
INSERT INTO `alembic_version` VALUES
('0016_user_last_login_active');
INSERT INTO `users` VALUES
(1,'','$2b$12$VMWFAIwn8OJP.rp7ylXtk./whHyGWB/7q7tUegVQVed5WenjB4Ana',1,'ADMIN','','2024-05-20 01:00:00','2024-05-20 01:00:00');
```

According to https://github.com/rommapp/romm/blob/release/backend/models/user.py#L24, the second column has to be the username, but it is empty.

I also used https://github.com/rommapp/romm/blob/release/backend/handler/auth_handler/__init__.py#L46 as a reference to check which password has been hashed... and it's not the one I used to setup the app.

```sh
$ pip3 install passlib bcrypt
$ python3
>>> from passlib.context import CryptContext
>>> pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
>>> pwd_context.hash(..., salt="VMWFAIwn8OJP.rp7ylXtk.")
```

krin-san commented 5 months ago

I cracked the case: the DB holds an empty username and an empty password.

```python
>>> bcrypt.hashpw(b'', b'$2b$12$VMWFAIwn8OJP.rp7ylXtk./whHyGWB/7q7tUegVQVed5WenjB4Ana')
b'$2b$12$VMWFAIwn8OJP.rp7ylXtk./whHyGWB/7q7tUegVQVed5WenjB4Ana'
```

An attempt to log in with empty fields results in a 200 response, loads a bunch of static files and then fails again with 403 and body {"detail":"Forbidden"} on the following requests:

I will try to reinstall the chart, maybe this will fix it.

krin-san commented 5 months ago

What a long investigation to find out that I might have been stupid enough to install an app with empty Username and Password fields 😅 I reinstalled the app and It Just Works.

@RRyankees08 did you by any chance run the RomM app at least once and then add or change the ROMM_AUTH_USERNAME and ROMM_AUTH_PASSWORD variables? Because https://github.com/rommapp/romm/blob/release/backend/main.py#L39 uses those variables to create an Admin user if the DB has no admin users; in other cases these variables are not used.
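An added example (not RomM's own code) modelling the first-boot behaviour described above: the seed credentials are consumed only when no ADMIN user exists, and the bootstrap fails closed on empty values instead of writing an unusable admin row like the one in the dump. It assumes a hypothetical in-memory user list and uses PBKDF2 from the standard library as a stand-in for bcrypt.

```python
import hashlib
import logging
import secrets
from typing import Dict, List, Optional

log = logging.getLogger("romm-bootstrap")


class BootstrapError(ValueError):
    """Raised when the seed credentials from the environment are unusable."""


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    # Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256, stored as salt$digest.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return secrets.compare_digest(candidate, stored)


def bootstrap_admin(users: List[Dict], env: Dict[str, str]) -> Optional[Dict]:
    """Seed the admin from ROMM_AUTH_* only when no ADMIN row exists.

    Returns the created user, or None when an admin is already present
    (in which case the environment values are ignored, as in the thread).
    """
    username = env.get("ROMM_AUTH_USERNAME", "")
    password = env.get("ROMM_AUTH_PASSWORD", "")
    if any(u["role"] == "ADMIN" for u in users):
        if username or password:
            # Make the silent-ignore case visible to the operator.
            log.warning("ROMM_AUTH_* is set but an ADMIN user already exists; ignoring it")
        return None
    # Fail closed: an empty username or password would produce an admin
    # that can never log in through the UI.
    if not username.strip() or not password:
        raise BootstrapError("ROMM_AUTH_USERNAME and ROMM_AUTH_PASSWORD must be non-empty")
    user = {"username": username, "hashed_password": hash_password(password), "role": "ADMIN"}
    users.append(user)
    return user
```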

gantoine commented 4 months ago

Added an entry for this in the wiki, gonna call it good for now. One day we might have real onboarding where the admin can set credentials via the UI. https://github.com/rommapp/romm/wiki/Troubleshooting#unable-to-login-incorrect-username-or-password