Closed markmonroy closed 2 years ago
Thanks for the bug report! Could you please replace the image from umputun/remark42:latest with umputun/remark42:master and do docker compose pull and then start the container again (docker compose up -d remark42)?
Done. Same result unfortunately.
Can you please also open the site in the browser's private mode so that we are sure the frontend is running the newest code as well? If that doesn't work either, I propose, if possible, to try running it on a separate domain and checking if email auth would work in such a case, just in case.
In the meantime, I'll try to reproduce locally.
Also, a minor correction, REMARK_URL=https://blog.example.com/remark42/ shouldn't have a trailing (last) slash.
Yes, I've been emptying the cache and using private mode every time I make any config changes. I will try to switch it to a subdomain for more testing later. Thanks for looking into this.
Trailing slash corrected.
And actually, I should ask for it first: can you please check the body of the response to https://blog.example.com/remark42/auth/email/login?site=this-site&address=example%40user.com&user=example for an error message and post it here?
The only place in code this error could come from seems to be this one: https://github.com/go-pkgz/auth/blob/06e7278/provider/verify.go#L160-L164
<html><head><style type="text/css"></style></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">Access denied
</pre></body></html>
I see that the error is indeed not shown to the user. I reproduced another problem: the site param with a dash is guaranteed to produce an error. cc @umputun: We have some restrictions around the site ID, but they don't seem to be documented.
remark42-dev | 2022/09/10 16:26:28.508 [WARN] {api/rest.go:683 api.validEmailAuth.func1.1} suspicious site rejected: this-site
Oh, interesting. My non-obfuscated site param also has a dash. And that seems to be the only significant difference from the URL that works (site=remark) and the one that doesn't (site=this-site). Will try changing and report if that fixes my issue.
Sure enough, removing the dash solved it. From what I can tell this removed/hid all existing comments, but luckily I'm still in the dev stage and it was just my own test comments plus those imported from Wordpress. Will be easy to get everything back in place.
Thanks for your extremely speedy response!
That bug will be fixed in the master and following release. Thanks a lot for the high-quality bug report!
Also, to be sure, I've verified that auth module correctly logs its errors.
# request made with intentionally broken auth code
curl 'http://127.0.0.1:8080/auth/email/login?site=this_site&address=test@example.org&user=example'
{"error":"failed to make login token"}
That request results in these two log entries
remark42-dev | 2022/09/10 16:54:13.042 [INFO] {rest/httperrors.go:39 rest.SendErrorJSON} failed to make login token - secret reader not defined - 403 - 172.20.0.1 - /auth/email/login?site=this_site&address=test@example.org&user=example [caused by auth/provider/verify.go:163 provider.VerifyHandler.sendConfirmation]
remark42-dev | 2022/09/10 16:54:13.043 [INFO] {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this_site&address=test@example.org&user=example - 127.0.0.1 - 0c10a2713542 - 403 (39) - 4.633375ms
So I presume you grepped the logs, as otherwise the suspicious site rejected log entry should be somewhere just before returning 403 on the following line:
2022/09/10 15:32:47.754 [INFO] {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this-site&address=test@test.com&user=test - blog.example.com - ae4a281c94f3 - 403 (14) - 88.851µs
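The triage described in this thread, as an added example that is not code from any participant or from the remark42 code base: it walks a log and attributes each 403 on /auth/email/login to the site ID check, to an auth-module error, or to no logged cause (what an image that predates the "suspicious site rejected" message produces). The function name classify403 and the sample log are constructed for illustration, and the code assumes the cause entry is written just before the access-log entry, as in the excerpts above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: entries shortened from the log formats quoted in this thread.
const sampleLog = `2022/09/10 16:26:28.508 [WARN] {api/rest.go:683 api.validEmailAuth.func1.1} suspicious site rejected: this-site
2022/09/10 16:26:28.509 [INFO] {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this-site&address=test@example.org&user=example - 127.0.0.1 - 0c10a2713542 - 403 (14) - 90µs
2022/09/10 16:54:13.042 [INFO] {rest/httperrors.go:39 rest.SendErrorJSON} failed to make login token - secret reader not defined - 403 - 172.20.0.1 - /auth/email/login?site=this_site&address=test@example.org&user=example
2022/09/10 16:54:13.043 [INFO] {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this_site&address=test@example.org&user=example - 127.0.0.1 - 0c10a2713542 - 403 (39) - 4ms
2022/09/10 17:01:00.000 [INFO] {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=this-site&address=test@example.org&user=example - 127.0.0.1 - 0c10a2713542 - 403 (14) - 88µs`

var (
	rejectedRe = regexp.MustCompile(`\[WARN\] .*suspicious site rejected: (\S+)`)
	errJSONRe  = regexp.MustCompile(`rest\.SendErrorJSON\} (.+?) - 403 - `)
	accessRe   = regexp.MustCompile(`logger\.\(\*Middleware\)\S* GET - /auth/email/login\?site=([^&\s]+)\S* - .* - 403 \(`)
)

// classify403 returns one "site: cause" string per 403 access-log entry
// for the email login endpoint, using the entry logged just before it.
func classify403(log string) []string {
	var out []string
	cause := ""
	for _, line := range strings.Split(log, "\n") {
		if m := rejectedRe.FindStringSubmatch(line); m != nil {
			cause = "site ID rejected (" + m[1] + ")"
		} else if m := errJSONRe.FindStringSubmatch(line); m != nil {
			cause = "auth error: " + m[1]
		} else if m := accessRe.FindStringSubmatch(line); m != nil {
			if cause == "" {
				cause = "no cause logged"
			}
			out = append(out, m[1]+": "+cause)
			cause = "" // a cause explains only the next 403
		}
	}
	return out
}

func main() {
	for _, r := range classify403(sampleLog) {
		fmt.Println(r)
	}
}
```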
Yes, seeing that now if I plug in a dash. I hadn't grepped before though, but it looks like that message was added recently. My original log was from remark42:latest.
Hi there! Just wanted to ask, why are dots not allowed in the site ID? Because in my opinion, the only logical "site ID" is "example.org". When a person gets an email with a token, the title is: "Confirmation for Username on site example", it's quite confusing, "Confirmation for Username on site example.org" sounds much better.
It's not a problem to add a dot to the list of allowed symbols, and I'll do it in master shortly.
Hi, I've set up remark42 on my Hugo blog without a subdomain, following the docs here. I currently have 3 forms of authentication (Anonymous, Google, and Github) that are working properly. However, email authentication is giving me a 403 Forbidden error on this URL:
https://blog.example.com/remark42/auth/email/login?site=this-site&address=example%40user.com&user=example
I CAN use email login if I go directly to
https://blog.example.com/remark42/web/iframe.html
I'd love to get email working in favor of anonymous login. Thanks for any assistance you may be able to provide.
Browsers tried with the same result:
macOS 12.5
Windows 10 Pro 21H2 (on a different network than the Mac)
Logs from remark42 docker:
(I think it may be only the last line that's relevant here, but included the other lines that happened within the same minute that I clicked "Submit")
NGINX conf:
Docker compose:
Frontend:
As generated by Hugo with theme Hugo-theme-stack