umputun / remark42

comment engine
https://remark42.com
MIT License

403 error on /auth/email/login on site with dash in ID #1477

Closed markmonroy closed 2 years ago

markmonroy commented 2 years ago

Hi, I've set up remark42 on my Hugo blog without a subdomain, following the docs here. I currently have 3 forms of authentication (Anonymous, Google, and GitHub) that are working properly. However, email authentication is giving me a 403 Forbidden error on this URL:

https://blog.example.com/remark42/auth/email/login?site=this-site&address=example%40user.com&user=example

I CAN use email login if I go directly to

https://blog.example.com/remark42/web/iframe.html

I'd love to get email working in favor of anonymous login. Thanks for any assistance you may be able to provide.

Browsers tried with the same result:

macOS 12.5

Windows 10 Pro 21H2 (on a different network than the Mac)

Logs from remark42 docker:

(I think it may be only the last line that's relevant here, but included the other lines that happened within the same minute that I clicked "Submit")

2022/09/10 15:32:38.199 [INFO]  {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /api/v1/config?site=this-site - blog.example.com - ae4a281c94f3 - 200 (528) - 118.915µs
2022/09/10 15:32:38.213 [DEBUG] {middleware/auth.go:75 middleware.(*Authenticator).auth.func1} auth failed, can't get token: token cookie was not presented: http: named cookie not present
2022/09/10 15:32:38.218 [DEBUG] {api/rest_public.go:74 api.(*public).findCommentsCtrl} get comments for {SiteID:this-site URL:https://blog.example.com/this_post/}, sort -active, format tree, since 0001-01-01 00:00:00 +0000 UTC

2022/09/10 15:32:38.218 [INFO]  {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /api/v1/find?site=this-site&url=https://blog.example.com/this_post/&sort=-active&format=tree - blog.example.com - ae4a281c94f3 - 200 (1860) - 180.241µs
2022/09/10 15:32:47.754 [INFO]  {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this-site&address=test@test.com&user=test - blog.example.com - ae4a281c94f3 - 403 (14) - 88.851µs

NGINX conf:

  location /remark42/ {
      rewrite /remark42/(.*) /$1 break;
      proxy_pass http://remark42:8080/;
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  }

Docker compose:

services:
    remark42:
        image: umputun/remark42:latest
        container_name: "remark42"
        restart: always
        environment:
            - REMARK_URL=https://blog.example.com/remark42/
            - SECRET=xxxx
            - STORE_BOLT_PATH=/srv/var/db
            - BACKUP_PATH=/srv/var/backup
            - DEBUG=true
            - SITE=this-site
            - AUTH_ANON=true
            - ADMIN_SHARED_ID=github_xxxx
            - ADMIN_SHARED_EMAIL=myemail@domain.com
            - TIME_ZONE=America/New_York
            - AUTH_GOOGLE_CID=xxxx.apps.googleusercontent.com
            - AUTH_GOOGLE_CSEC=xxxx
            - AUTH_GITHUB_CID=xxxx
            - AUTH_GITHUB_CSEC=xxxx
            - SMTP_HOST=smtp.sendgrid.net
            - SMTP_PORT=465
            - SMTP_TLS=true
            - SMTP_USERNAME=apikey
            - SMTP_PASSWORD=xxxx
            - NOTIFY_EMAIL_FROM=myemail@domain.com
            - NOTIFY_EMAIL_ADMIN=true
            - NOTIFY_TYPE=email
            - AUTH_EMAIL_FROM=myemail@domain.com
            - AUTH_EMAIL_ENABLE=true
        volumes:
            - ./remark42/var:/srv/var

Frontend:

As generated by Hugo with theme Hugo-theme-stack

<div id="remark42"></div>
<script>
    var remark_config = {
        host: "https://blog.example.com/remark42",
        site_id: 'this-site',
        components: ['embed'],
        url: "https:\/\/blog.example.com\/this_post\/",
        max_shown_comments: 15,
        theme: document.documentElement.dataset.scheme,
        page_title: 'Test',
        locale: 'en',
        show_email_subscription: true
    };

    (function (c) {
        for (var i = 0; i < c.length; i++) {
            var d = document, s = d.createElement('script');
            s.src = remark_config.host + '/web/' + c[i] + '.js';
            s.defer = true;
            (d.head || d.body).appendChild(s);
        }
    })(remark_config.components || ['embed']);

    window.addEventListener('onColorSchemeChange', (e) => {
        window.REMARK42.changeTheme(e.detail);
    });
</script>

paskal commented 2 years ago

Thanks for the bug report! Could you please replace the image from umputun/remark42:latest with umputun/remark42:master and do docker compose pull and then start the container again (docker compose up -d remark42)?

markmonroy commented 2 years ago

Done. Same result unfortunately.

paskal commented 2 years ago

Can you please also open the site in the browser's private mode so that we are sure the frontend is running the newest code as well? If that doesn't work either, I propose, if possible, trying to run it on a separate domain and checking whether email auth works in that case, just in case.

In the meantime, I'll try to reproduce locally.

paskal commented 2 years ago

Also, a minor correction, REMARK_URL=https://blog.example.com/remark42/ shouldn't have a trailing (last) slash.

markmonroy commented 2 years ago

Yes, I've been emptying the cache and using private mode every time I make any config changes. I will try to switch it to a subdomain for more testing later. Thanks for looking into this.

Trailing slash corrected.

paskal commented 2 years ago

And actually, I should ask for it first: can you please check the body of the response to https://blog.example.com/remark42/auth/email/login?site=this-site&address=example%40user.com&user=example for an error message and post it here?

The only place in code this error could come from seems to be this one: https://github.com/go-pkgz/auth/blob/06e7278/provider/verify.go#L160-L164

markmonroy commented 2 years ago

<html><head><style type="text/css"></style></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">Access denied
</pre></body></html>
paskal commented 2 years ago

I see that the error is indeed not shown to the user. I reproduced another problem: a site param with a dash is guaranteed to produce an error. cc @umputun: We have some restrictions around the site ID, but they don't seem to be documented.

remark42-dev | 2022/09/10 16:26:28.508 [WARN]  {api/rest.go:683 api.validEmailAuth.func1.1} suspicious site rejected: this-site

markmonroy commented 2 years ago

Oh, interesting. My non-obfuscated site param also has a dash. And that seems to be the only significant difference from the URL that works (site=remark) and the one that doesn't (site=this-site). Will try changing and report if that fixes my issue.

markmonroy commented 2 years ago

Sure enough, removing the dash solved it. From what I can tell this removed/hid all existing comments, but luckily I'm still in the dev stage and it was just my own test comments plus those imported from WordPress. Will be easy to get everything back in place.

Thanks for your extremely speedy response!

paskal commented 2 years ago

That bug will be fixed in master and the following release. Thanks a lot for the high-quality bug report!

paskal commented 2 years ago

Also, to be sure, I've verified that the auth module correctly logs its errors.

# request made with intentionally broken auth code
curl 'http://127.0.0.1:8080/auth/email/login?site=this_site&address=test@example.org&user=example'
{"error":"failed to make login token"}

That request results in these two log entries

remark42-dev | 2022/09/10 16:54:13.042 [INFO]  {rest/httperrors.go:39 rest.SendErrorJSON} failed to make login token - secret reader not defined - 403 - 172.20.0.1 - /auth/email/login?site=this_site&address=test@example.org&user=example [caused by auth/provider/verify.go:163 provider.VerifyHandler.sendConfirmation]
remark42-dev | 2022/09/10 16:54:13.043 [INFO]  {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this_site&address=test@example.org&user=example - 127.0.0.1 - 0c10a2713542 - 403 (39) - 4.633375ms

So I presume you grepped the logs, as otherwise the suspicious site rejected log entry should be somewhere just before the 403 returned on the following line:

2022/09/10 15:32:47.754 [INFO]  {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this-site&address=test@test.com&user=test - blog.example.com - ae4a281c94f3 - 403 (14) - 88.851µs

markmonroy commented 2 years ago

Yes, seeing that now if I plug in a dash. I hadn't grepped before though, but it looks like that message was added recently. My original log was from remark42:latest.

soda-pop-ice-cream commented 1 year ago

Hi there! Just wanted to ask, why are dots not allowed in the site ID? Because in my opinion, the only logical "site ID" is "example.org". When a person gets an email with a token, the title is: "Confirmation for Username on site example", which is quite confusing; "Confirmation for Username on site example.org" sounds much better.

paskal commented 1 year ago

It's not a problem to add a dot to the list of allowed symbols, and I'll do it in master shortly.
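The allowlist check this thread revolves around (dash rejected, then dot), written here as an added Go example that is not remark42's or go-pkgz/auth's own code: the two regexes, ValidSiteID, SiteIDMiddleware and Probe are assumptions made for illustration (the thread only shows that "this-site" was rejected while "this_site" passed), and the JSON error body stands in for the reason the reporter never got to see behind "Access denied".

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Assumed allowlists for this example, not remark42's own validEmailAuth code.
// strict: letters, digits, underscore (what the reporter hit: "this-site" fails,
// "this_site" passes); relaxed adds "-" and "." but still rejects "../other".
var (
	strictSiteID  = regexp.MustCompile(`^[A-Za-z0-9_]+$`)
	relaxedSiteID = regexp.MustCompile(`^[A-Za-z0-9_.-]+$`)
)

// ValidSiteID reports whether siteID is acceptable under the given allowlist.
func ValidSiteID(re *regexp.Regexp, siteID string) bool {
	return siteID != "" && re.MatchString(siteID)
}

// SiteIDMiddleware rejects requests whose "site" parameter fails the allowlist,
// logging a greppable warning and returning a JSON body that names the reason.
func SiteIDMiddleware(re *regexp.Regexp, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		site := r.URL.Query().Get("site")
		if !ValidSiteID(re, site) {
			log.Printf("[WARN] suspicious site rejected: %q", site)
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			_, _ = w.Write([]byte(`{"error":"invalid site id"}`))
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe runs an in-memory GET through the middleware and returns status and body.
func Probe(re *regexp.Regexp, rawURL string) (int, string) {
	rec := httptest.NewRecorder()
	pass := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	SiteIDMiddleware(re, pass).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	code, body := Probe(strictSiteID, "/auth/email/login?site=this-site&address=test@test.com&user=test")
	log.Printf("%d %s", code, body) // strict allowlist: 403 {"error":"invalid site id"}
}
```

Swapping strictSiteID for relaxedSiteID in main lets the same request through with a 200, which is the behaviour change the thread asks for.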