if webauth login cookie is missing, and forwarding was configured, hint that reverse proxy may be stripping path

the cookies are set with a specific path, because the webadmin, webaccount and webmail cookies can be on the same domain (this is the default). if the reverse proxy strips the path while forwarding, the browser won't set the cookie and the login attempt will fail. based on github issue #151 from naturalethic
2024-12-26 08:23:48 +03:00 · 2024-04-16 16:06:31 +02:00 · 2024-04-16 16:06:31 +02:00 · afc47c8108
commit afc47c8108
parent daa88480cb
1 changed files with 5 additions and 1 deletions
--- a/webauth/webauth.go
+++ b/webauth/webauth.go
@ -227,7 +227,11 @@ func LoginPrep(ctx context.Context, log mlog.Log, kind, cookiePath string, isFor
 func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, cookiePath string, isForwarded bool, w http.ResponseWriter, r *http.Request, loginToken, username, password string) (store.CSRFToken, error) {
 	loginCookie, _ := r.Cookie(kind + "login")
 	if loginCookie == nil || loginCookie.Value != loginToken {
-		return "", &sherpa.Error{Code: "user:error", Message: "missing login token"}
+		msg := "missing login token cookie"
+		if isForwarded && loginCookie == nil {
+			msg += " (hint: reverse proxy must keep path, for login cookie)"
+		}
+		return "", &sherpa.Error{Code: "user:error", Message: msg}
 	}

 	ip := RemoteIP(log, isForwarded, r)