X-XSRF-TOKEN as well as API issues

[jonathanfinley]

So everything works fine just using NZbhydra using ip:5076

But when I try to access using my reverse proxy domain.com/nzbhydra2 I get a Access denied to IP [WAN]: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.

I also cannot seem to connect sonarr/radarr using http://127.0.0.1:5076/nzbhydra

[jonathanfinley]

API notification: HTTP Error - Res: [GET] http://127.0.0.1:5076/nzbhydra/api?t=movie&cat=2000,2010,2020,2030,2035,2040,2045,2050,2060&extended=1&apikey=(removed)&offset=0&limit=100: 404.NotFound

and Unable to connect to indexer. Page size must not be less than one! *EDIT

[theotherp]

Did you configure it as described in the wiki?

Am 11.01.2018 3:24 vorm. schrieb "jonfinley" notifications@github.com:

API notification: HTTP Error - Res: [GET] http://127.0.0.1:5076/ nzbhydra/api?t=movie&cat=2000,2010,2020,2030,2035,2040,2045, 2050,2060&extended=1&apikey=(removed)&offset=0&limit=100: 404.NotFound

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/theotherp/nzbhydra2/issues/54#issuecomment-356804287, or mute the thread https://github.com/notifications/unsubscribe-auth/ANtAea1TcFavWl2HkLGbXzUO2Jh53PZIks5tJXDcgaJpZM4RaOiH .

[jonathanfinley]

yep!! So I also been reading some of the other issues, could this be related to the migration???

[theotherp]

No.

I'll need to do some tests.

Please create a new issue for the API error and follow the issue template, especially the note regarding debug infos.

[theotherp]

Please do as follows:

In your browser (either Firefox or Chrome) open a new tab, press F12 to open the developer tools, go to the network tab. Enter your local address for NZBHydra. In the network tab it will show all HTTP requests. Select the first one, press right (or open the context menu however necessary), select "Copy -> Copy request headers". Paste the content of your clipboard. Do the same for "Copy -> Copy response headers".

Remove any sensitive information from the text, e.g. your domain.

Example:

[jonathanfinley]

EDIT

• DOMAIN.com/nzbhydra :authority:DOMAIN.COM :method:GET :path:/nzbhydra2/ :scheme:https accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 authorization:Basic ZmlubGV5YWRtaW46SWdhdmVoZXIyLUZpbmxleQ== cookie:organizrLanguage=en; PHPSESSID=qeo01a5694gp5gd0ple0rllek7; organizrToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImp0aSI6IjRmMWcyM2ExMmFhIn0.eyJpc3MiOiJPcmdhbml6ciIsImF1ZCI6Ik9yZ2FuaXpyIiwianRpIjoiNGYxZzIzYTEyYWEiLCJpYXQiOjE1MTU2MDU5NTksImV4cCI6MTUxNTY5MjM1OSwidXNlcm5hbWUiOiJmaW5sZXlhZG1pbiIsImdyb3VwIjoiQWRtaW4iLCJncm91cElEIjowLCJlbWFpbCI6InNlcnZlckBmaW5sZXkuZXN0YXRlIiwiaW1hZ2UiOiJodHRwczpcL1wvd3d3LmdyYXZhdGFyLmNvbVwvYXZhdGFyXC8xZmU5ZmYxNDQzNjgzMmMxZWVmNGJkYjAwYjBjZWU4Nz9zPTEwMCZkPW1tIn0.2YgRleeqZu-6yIg0Km_ioOzQ0swebarHtkYiemyQ054; _pk_id.1.4f7a=15bd727c908928cd.1515635149.2.1515642534.1515638412.; remember-me=aUZpREk5V2diVVV1eWhpdUFRbFJyQT09Ok5EN0QwM2tXeTdVaW1VVjhIY2NYc0E9PQ; XSRF-TOKEN=f5296d25-0e2f-4adc-aa0f-0459fc503547; JSESSIONID=981FA7F888B3ED207EF2285366D711AB upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

• ip:5076/nzbhydra2 GET /nzbhydra2/ HTTP/1.1 Host: 173.208.201.178:5076 Connection: keep-alive Cache-Control: max-age=0 Authorization: Basic ZmlubGV5YWRtaW46SWdhdmVoZXIyLUZpbmxleQ== User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: remember-me=Y3RJSWFHc3I0QThaK2tkenM0U0VTUT09OjI0b3I5RjcvaXJDUFRoaG1OTDhydXc9PQ; JSESSIONID=1B03CE8693FB2BB601B922942C886E13; XSRF-TOKEN=4e4f950e-ae4f-41db-a86d-5017b326def0

[theotherp]

See other issue, you call the wrong path.

[jonathanfinley]

I just corrected that. it's still not working correctly.

[theotherp]

Turns out I'm half smart and added a switch to hopefully fix this but forgot to add it to the UI...

Shutdown Hydra, open your nzbhydra.yml, use for useCsrf and set it to false. Start Hydra again. See if it works now.

[jonathanfinley]

That worked there. Can now access via domain.com/nzbhydra2 without errors

[theotherp]

Glad to hear. I'll add it to the UI in the next version. You're welcome.

[1activegeek]

So coming to pile onto this. I have likely a very similar setup to jon. Running nginx with Hydra2 as a RP entry. I was able to get Sonarr/Radarr connected, but adding the /hydra to the end of the URL. The problem I'm finding now though, is that when I try to connect to Hydra through my RP, I keep seeing a popup message as seen below. I'm also seeing lines similar below. I'm incapable of browsing to the history/stats tab either. That message just keeps popping up when I attempt to browse to it.

I've adjusted the CSRF option as you indicated and it works. The odd thing is that I was able to remove the extra /hydra from my RP entry, but it is still required for Sonarr/Radarr. I guess I'm just confused why that extra base URL is needed in V2 and not in V1? But also, why the CSRF issue was only appearing on the history/stats page?

2018-03-20 22:41:23.266  WARN --- [0.0-5076-exec-1] o.n.auth.AuthAndAccessEventHandler  : Access denied to IP null: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.
2018-03-20 22:41:23.267  WARN --- [0.0-5076-exec-1] o.n.auth.LoginAndAccessAttemptService  : Unable to log failed login by empty IP