From afc47c8108f8961274ffd4260286ac627e4092d3 Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien <mechiel@ueber.net>
Date: Tue, 16 Apr 2024 16:06:31 +0200
Subject: [PATCH] if webauth login cookie is missing, and forwarding was
 configured, hint that reverse proxy may be stripping path

the cookies are set with a specific path, because the webadmin, webaccount and
webmail cookies can be on the same domain (this is the default). if the reverse
proxy strips the path while forwarding, the browser won't set the cookie and
the login attempt will fail.

based on github issue #151 from naturalethic
---
 webauth/webauth.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/webauth/webauth.go b/webauth/webauth.go
index 751a4b9..6561a64 100644
--- a/webauth/webauth.go
+++ b/webauth/webauth.go
@@ -227,7 +227,11 @@ func LoginPrep(ctx context.Context, log mlog.Log, kind, cookiePath string, isFor
 func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, cookiePath string, isForwarded bool, w http.ResponseWriter, r *http.Request, loginToken, username, password string) (store.CSRFToken, error) {
 	loginCookie, _ := r.Cookie(kind + "login")
 	if loginCookie == nil || loginCookie.Value != loginToken {
-		return "", &sherpa.Error{Code: "user:error", Message: "missing login token"}
+		msg := "missing login token cookie"
+		if isForwarded && loginCookie == nil {
+			msg += " (hint: reverse proxy must keep path, for login cookie)"
+		}
+		return "", &sherpa.Error{Code: "user:error", Message: msg}
 	}
 
 	ip := RemoteIP(log, isForwarded, r)