standardnotes / server

Server ecosystem for Standard Notes; fully self-hostable.
https://standardnotes.com/help/self-hosting/docker
GNU General Public License v3.0

Fresh Install Error: Could not pass the request to http://localhost:3103/auth/pkce_params #476

Closed PeterXQChen closed 1 year ago

PeterXQChen commented 1 year ago

Migrated everything from the previous version to this new version, everything was working well but when I restarted the docker containers and then tried to log in again, I get the following error:

{"level":"error","message":"Could not pass the request to http://localhost:3103/auth/pkce_params on underlying service: {\"error\":{\"message\":\"Unfortunately, we couldn't handle your request. Please try again or contact our support if the error persists.\"}}"}

This seems to only happen if 2FA is enabled for the account. If 2FA is disabled, everything still works.

PeterXQChen commented 1 year ago

Here's the full error in the logs:

{"level":"error","message":"Error: Unsupported state or unable to authenticate data\n    at Decipheriv.final (node:internal/crypto/cipher:199:29)\n    at CryptoNode.aes256GcmDecrypt (/opt/bundled/auth/packages/sncrypto-node/dist/src/CryptoNode.js:23:103)\n    at CrypterNode.decryptUserServerKey (/opt/bundled/auth/packages/auth/dist/src/Domain/Encryption/CrypterNode.js:71:32)\n    at CrypterNode.decryptForUser (/opt/bundled/auth/packages/auth/dist/src/Domain/Encryption/CrypterNode.js:53:51)\n    at SettingDecrypter.decryptSettingValue (/opt/bundled/auth/packages/auth/dist/src/Domain/Setting/SettingDecrypter.js:32:33)\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at async SettingService.findSettingWithDecryptedValue (/opt/bundled/auth/packages/auth/dist/src/Domain/Setting/SettingService.js:65:25)\n    at async VerifyMFA.execute (/opt/bundled/auth/packages/auth/dist/src/Domain/UseCase/VerifyMFA.js:91:31)\n    at async InversifyExpressAuthController.pkceParams (/opt/bundled/auth/packages/auth/dist/src/Infra/InversifyExpressUtils/InversifyExpressAuthController.js:149:35)"}

tuxnet commented 1 year ago

I receive the same error message

==> logs/api-gateway.log <==
{"level":"error","message":"Could not pass the request to http://localhost:3103/auth/pkce_params on underlying service: {\"error\":{\"message\":\"Unfortunately, we couldn't handle your request. Please try again or contact our support if the error persists.\"}}"

karolsojko commented 1 year ago

Could not replicate on latest server version. Can you try docker compose down && docker compose pull && docker compose up -d and let me know if this still occurs?

PeterXQChen commented 1 year ago

Yep same error. Something to do with the Cipher.

karolsojko commented 1 year ago

Hm, the odd part is that we don't see this on prod and I can't replicate this on my local environment. So it has to be something specific either to the env or data.

If you register a new user does it happen as well?

Also, could you say what OS you are running, and did you run everything as in the self-hosting docs or did you do anything custom to your setup?

karolsojko commented 1 year ago

Hmm, one other suspicion might be the following.

Could you set in your .env file the value of AUTH_SERVER_ENCRYPTION_SERVER_KEY to the same value you had in your legacy setup at docker/auth.env for ENCRYPTION_SERVER_KEY?

Then do docker compose down && docker compose pull && docker compose up -d and see if that helps?

PeterXQChen commented 1 year ago

I'm running Ubuntu 22.04 LTS; it's a new setup with only Docker installed.

Standard Notes installation follows the self-hosting doc exactly with no changes. See below for my docker compose file:

services:
  server:
    image: standardnotes/server
    container_name: sn-server
    env_file: .env
    ports:
      - 3000:3000
      - 3125:3104
    volumes:
      - ./logs:/var/lib/server/logs
      - ./uploads:/opt/bundled/files/packages/files/dist/uploads
    networks:
      - standardnotes

  localstack:
    image: localstack/localstack:1.3
    container_name: sn-localstack
    expose:
      - 4566
    restart: unless-stopped
    environment:
      - SERVICES=sns,sqs
      - HOSTNAME_EXTERNAL=localstack
      - LS_LOG=warn
    volumes:
      - ./localstack_bootstrap.sh:/etc/localstack/init/ready.d/localstack_bootstrap.sh
    networks:
      - standardnotes

  db:
    image: mysql:8
    container_name: sn-db
    environment:
      - MYSQL_DATABASE=standard_notes_db
      - MYSQL_USER=std_notes_user
      - MYSQL_ROOT_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxx
      - MYSQL_PASSWORD=xxxxxxxxxxxxxxxxxxxxxxxxxx
    expose:
      - 3306
    restart: unless-stopped
    command: --default-authentication-plugin=mysql_native_password --character-set-server=utf8mb4 --collation-server=utf8mb4_general_ci
    volumes:
      - ./data/mysql:/var/lib/mysql
      - ./data/import:/docker-entrypoint-initdb.d
    networks:
      - standardnotes

  cache:
    image: redis:6.0-alpine
    container_name: sn-cache
    volumes:
      - ./data/redis/:/data
    expose:
      - 6379
    restart: unless-stopped
    networks:
      - standardnotes

networks:
  standardnotes:
    name: standardnotes

This is my .env:

######
# DB #
######

DB_HOST=db
DB_PORT=3306
DB_USERNAME=std_notes_user
DB_PASSWORD=xxxxxxxxxxxxxxxxxx
DB_DATABASE=standard_notes_db
DB_DEBUG_LEVEL=all

#########
# CACHE #
#########

REDIS_PORT=6379
REDIS_HOST=cache

This issue only appears when you enable 2FA for said user. Everything works fine when 2FA is off.

PeterXQChen commented 1 year ago

> Hmm, one other suspicion might be the following.
>
> Could you set in your .env file the value of AUTH_SERVER_ENCRYPTION_SERVER_KEY to the same value you had in your legacy setup at docker/auth.env for ENCRYPTION_SERVER_KEY?
>
> Then do docker compose down && docker compose pull && docker compose up -d and see if that helps?

This is a brand new install so I don't have any legacy values or setups.

tuxnet commented 1 year ago

> Could not replicate on latest server version. Can you try docker compose down && docker compose pull && docker compose up -d and let me know if this still occurs?

To Reproduce:

  1. Follow the instructions at https://standardnotes.com/help/self-hosting/docker
  2. Create a new user and enable 2FA.
  3. docker compose down && docker compose pull && docker compose up -d
  4. Try to log in with the user

However adding AUTH_SERVER_ENCRYPTION_SERVER_KEY seems to help...

How is it with the other variables in docker-entrypoint.sh which are generated with openssl rand? Which ones need to be set in addition to DB_PASSWORD?

karolsojko commented 1 year ago

Should be fixed by https://github.com/standardnotes/server/pull/481

I've updated the docs on what env vars should be set in the .env file