thenick775 / gbajs3

Gbajs3 is a full Game Boy Advance emulator online in the browser supporting the mGBA WASM core. It is freely licensed and works in any modern browser.

Unable to Access Login Admin Page #108

Closed papaya09 closed 5 months ago

papaya09 commented 6 months ago

I recently installed a project on my hosting server and configured Let's Encrypt for SSL/TLS encryption. However, I'm encountering an issue where I am unable to access the admin page. Whenever I try to log in, the page refreshes without any error message or indication of successful login. Any way to solve this?

thenick775 commented 6 months ago

Do you have a video of what you are seeing?

Is there anything in your browser console logs or network tab?

papaya09 commented 6 months ago

https://github.com/thenick775/gbajs3/assets/72320174/cdea5c5e-01ac-4513-a232-0ca4f73dc998

Is there something wrong?

thenick775 commented 6 months ago

Could you repeat your video above with "preserve log" checked in the network/console tabs?

I'm curious what happens before you're redirected.

I'll look further into this later today.

papaya09 commented 6 months ago

https://github.com/thenick775/gbajs3/assets/72320174/1ecd8a4a-1e6e-464e-90bd-be3404747d69

I see that there is an API error appearing

thenick775 commented 6 months ago

Could you show me the payload and response tabs of the failed admin login requests?

The errors you're seeing with fonts should be inconsequential, probably an issue in goadmin.

thenick775 commented 6 months ago

Just a bit of info as I try to reproduce:

This is for gba accounts (you set these up in the admin):

Screenshot 2024-05-14 at 4 43 21 PM

Admin accounts won't work when logging into the form above.

This is the correct admin login, currently I am attempting to debug and reproduce your scenario, but this is where you would log in and create gba users:

Screenshot 2024-05-14 at 4 44 39 PM

thenick775 commented 6 months ago

Alright, I've found your installation, and I can see something in the cookie headers that leads me to believe it may be your .env config.

The response here from your signin request contains the following cookie:

```
Set-Cookie: go_admin_session=e9e2da00-79a2-4d9a-ada8-4633ee0da81c; Path=/; Domain=localhost; Expires=Wed, 15 May 2024 01:56:15 GMT; Max-Age=7200; HttpOnly
```

Notice that the domain is localhost.

What is the contents of your .env file CLIENT_HOST in your hosted installation?

It should be set to https://patroldex.com or https://patroldex.com:7443 instead of https://localhost

This is most likely the cause of your issues. The default docker compose setup is geared towards everything being behind 1 domain/host (CLIENT_HOST in ./docker/.env), this should be the address of your website as shown above.

Edit: confirmed this is your issue, your GBA user login requests are also pointing to localhost

thenick775 commented 6 months ago

For completeness, here is the whole ordeal explained:

When you boot the services, some of them need to know what the host or domain of the client is (the frontend, this being the gameboy in the browser).

In this case, the frontend, the auth service, and the admin service, all use this for different reasons, since we are assumed to be on the same domain:

This makes things more secure, and allows these services in the way they are built here to know what a user on the web will be visiting from ahead of time.

For example here is how I set the CLIENT_HOST value on my hosted installation:

```
...
CLIENT_HOST=https://gba.nicholas-vancise.dev
...
```

Since that is the domain users will be visiting to play the gameboy.

In your case, you left the CLIENT_HOST as:

```
...
CLIENT_HOST=https://localhost
...
```

in your .env file.

This is causing all requests to point to localhost between the services.

That is why your gba service is trying to log in making requests to localhost.

The same is true for your admin.

The signin request is returning 200, as the default username/password works.

But when it returns the set cookie header shown above for the admin signin, it's for localhost, not patroldex.

This causes you to redirect to the login screen for the admin, because it is correctly rejecting your cookies/session used for authentication.

Solution

Set your CLIENT_HOST to either https://patroldex.com or https://patroldex.com:7334.

I do not know how non-standard ports (7443) will play with all the interconnections or api requests yet, since I haven't needed to use one. If this causes you additional problems after trying out both of the CLIENT_HOST values above, I'll make some changes to assist in supporting that.

Hope this helps, and I'll let you close this issue if it does 😎

Feel free to keep commenting here for assistance if needed, and thanks for those videos!
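
The cookie rejection described in the comment above can be checked offline. This is an added example, not part of the original thread or the gbajs3 code base: it applies RFC 6265 domain-matching to a `Set-Cookie` header; the function names, the `EXAMPLE` session value and the corrected header are constructed for illustration.

```javascript
// Added example: RFC 6265 cookie domain-matching, applied to the thread's header.
// The session value and the corrected header are constructed placeholders.
const SITE = 'https://patroldex.com/';
const BROKEN = 'go_admin_session=EXAMPLE; Path=/; Domain=localhost; Max-Age=7200; HttpOnly';
const FIXED = 'go_admin_session=EXAMPLE; Path=/; Domain=patroldex.com; Max-Age=7200; HttpOnly';

// Split "name=value; Attr=val; Flag" into the cookie name and its attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? '' : pair.slice(0, eq), attrs };
}

// RFC 6265 section 5.1.3: the host equals the domain, or is a subdomain of it.
// IP literals only match exactly. Public-suffix checks are left out here.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  if (h === d) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(':');
  return !isIp && h.endsWith('.' + d);
}

// Would a browser that received `header` in a response from `responseUrl` store it?
function checkCookie(header, responseUrl) {
  const host = new URL(responseUrl).hostname; // the port plays no part in matching
  const { name, attrs } = parseSetCookie(header);
  const domain = typeof attrs.domain === 'string' && attrs.domain ? attrs.domain : null;
  if (domain === null) {
    return { name, stored: true, reason: `host-only cookie for ${host}` };
  }
  const stored = domainMatches(host, domain);
  const verb = stored ? 'covers' : 'does not cover';
  return { name, stored, reason: `Domain=${domain} ${verb} ${host}` };
}

console.log(checkCookie(BROKEN, SITE)); // session cookie is dropped, login loops
console.log(checkCookie(FIXED, SITE));  // session cookie is kept
```

Running the same check against the `Set-Cookie` header of a real sign-in response shows quickly whether a deployment is still issuing cookies for the wrong host.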

papaya09 commented 5 months ago

image

https://github.com/thenick775/gbajs3/assets/72320174/c451e48f-f7b6-4b6f-8884-647b479e6655

After successfully logging in, the page appears blank. Is something blocking it? My Web

`.env`

```
CLIENT_HOST=https://patroldex.com
```

`docker-compose.yaml`

```
version: '2.1'
services:
  webserver:
    image: nginx
    logging:
      options:
        max-size: '20m'
        max-file: '3'
      driver: json-file
    build:
      context: ..
      dockerfile: ./docker/server/nginx/Dockerfile
      args:
        CLIENT_HOST: ${CLIENT_HOST}
    ports:
      - "443:443"
      - "80:80"
    depends_on:
      - gba-auth-server
      - gba-admin-server
    environment:
      - CLIENT_HOST=${CLIENT_HOST}
    cap_add:
      - NET_ADMIN
      - NET_RAW
    volumes:
      - ${CERT_LOC}:/certs/fullchain.pem
      - ${KEY_LOC}:/certs/privkey.pem
  gba-admin-server:
    image: gba-admin-server
    logging:
      options:
        max-size: '20m'
        max-file: '3'
      driver: json-file
    build:
      context: .
      dockerfile: ./server/admin/Dockerfile
    depends_on:
      gba-postgres:
        condition: service_healthy
    environment:
      - CLIENT_HOST=${CLIENT_HOST}
      - APP_ID=${ADMIN_APP_ID}
      - PG_DB_HOST=${PG_DB_HOST}
      - PG_DB_USER=${PG_DB_USER}
      - PG_DB_PASSWORD=${PG_DB_PASSWORD}
      - GBAJS_DB_NAME=${GBAJS_DB_NAME}
      - ADMIN_DB_NAME=${ADMIN_DB_NAME}
      - PG_DB_PORT=${PG_DB_PORT}
      - PG_SSL_MODE=${PG_SSL_MODE}
    volumes:
      - ${CERT_LOC}:/app/certs/fullchain.pem
      - ${KEY_LOC}:/app/certs/privkey.pem
  gba-auth-server:
    image: gba-auth-server
    logging:
      options:
        max-size: '20m'
        max-file: '3'
      driver: json-file
    build:
      context: .
      dockerfile: ./server/auth/Dockerfile
    depends_on:
      gba-postgres:
        condition: service_healthy
    environment:
      - CLIENT_HOST=${CLIENT_HOST}
      - PG_DB_HOST=${PG_DB_HOST}
      - PG_DB_USER=${PG_DB_USER}
      - PG_DB_PASSWORD=${PG_DB_PASSWORD}
      - PG_DB_NAME=${GBAJS_DB_NAME}
      - PG_DB_PORT=${PG_DB_PORT}
      - PG_SSL_MODE=${PG_SSL_MODE}
    volumes:
      - ${ROM_PATH}:/app/data/local_roms
      - ${SAVE_PATH}:/app/data/local_saves
      - ${CERT_LOC}:/app/certs/fullchain.pem
      - ${KEY_LOC}:/app/certs/privkey.pem
  gba-postgres:
    image: gba-postgres
    logging:
      options:
        max-size: '20m'
        max-file: '3'
      driver: json-file
    build:
      context: .
      dockerfile: ./server/postgres/Dockerfile
      args:
        PG_DB_USER: ${PG_DB_USER}
    environment:
      POSTGRES_USER: ${PG_DB_USER}
      POSTGRES_PASSWORD: ${PG_DB_PASSWORD}
      POSTGRES_DB: ${ADMIN_DB_NAME}
    command: postgres
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -q -U ${PG_DB_USER} -d ${ADMIN_DB_NAME} -h ${PG_DB_HOST}"]
      interval: 10s
      timeout: 5s
      retries: 12
    volumes:
      - ${PG_DATA_LOCATION}:/var/lib/postgresql/data
```

`nginx.conf.template`

```
log_format custom '$remote_addr - $remote_user [$time_local]'
                  '"$request" $status $body_bytes_sent '
                  '"$http_referer" "$http_user_agent"';

upstream docker-auth {
    server gba-auth-server:443;
}

upstream docker-admin {
    server gba-admin-server:443;
}

server {
    listen 80;
    listen [::]:80;
    return 301 ${CLIENT_HOST}$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name patroldex.com;

    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;

    client_max_body_size 50M;

    # Enable Gzip
    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_types
        application/javascript
        application/json
        application/rss+xml
        application/vnd.ms-fontobject
        application/wasm
        application/x-gba-rom
        application/octet-stream
        application/xml
        font/opentype
        font/truetype
        image/svg+xml
        multipart/form-data
        text/css
        # text/html is always compressed by HttpGzipModule
        text/javascript
        text/plain
        text/x-component
        text/xml;
    gzip_static on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;

    access_log /var/log/nginx/access_log.log custom;
    error_log /var/log/nginx/error_log.log warn;

    location / {
        root /var/www;
        index index.html index.htm;
    }

    location /api/ {
        proxy_pass https://docker-auth;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location ~* ^/api/documentation/* {
        proxy_pass https://docker-auth;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location ~* ^/admin/* {
        proxy_pass https://docker-admin;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Cache control
    location ~* \.(?:js|css|png|jpe?g|gif|avif|svg|ico|woff|woff2|ttf|ico|wasm)$ {
        expires 365d;
        add_header Vary Accept-Encoding;
        access_log off;
        root /var/www;
        index index.html index.htm;
    }
}
```

thenick775 commented 5 months ago

Your docker image has the environment variable cached, I think.

I'm still seeing your admin pointing to localhost.

The white screen is most likely you failing 5+ requests, and fail2ban will ban you for ~5 minutes the first time.

I would delete your docker images, and rebuild with the adjusted CLIENT_HOST you have set above, should be as simple as `docker compose down && docker system prune && docker compose up --build`

papaya09 commented 5 months ago

Thank you for your help. I used docker system prune and reinstalled the entire project. It's available now.