if webauth login cookie is missing, and forwarding was configured, hint that reverse proxy may be stripping path

the cookies are set with a specific path, because the webadmin, webaccount and
webmail cookies can be on the same domain (this is the default). if the reverse
proxy strips the path while forwarding, the browser won't set the cookie and
the login attempt will fail.

based on github issue #151 from naturalethic
Mechiel Lukkien 2024-04-16 16:06:31 +02:00
parent daa88480cb
commit afc47c8108


@ -227,7 +227,11 @@ func LoginPrep(ctx context.Context, log mlog.Log, kind, cookiePath string, isFor
func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, cookiePath string, isForwarded bool, w http.ResponseWriter, r *http.Request, loginToken, username, password string) (store.CSRFToken, error) { func Login(ctx context.Context, log mlog.Log, sessionAuth SessionAuth, kind, cookiePath string, isForwarded bool, w http.ResponseWriter, r *http.Request, loginToken, username, password string) (store.CSRFToken, error) {
loginCookie, _ := r.Cookie(kind + "login") loginCookie, _ := r.Cookie(kind + "login")
if loginCookie == nil || loginCookie.Value != loginToken { if loginCookie == nil || loginCookie.Value != loginToken {
return "", &sherpa.Error{Code: "user:error", Message: "missing login token"} msg := "missing login token cookie"
if isForwarded && loginCookie == nil {
msg += " (hint: reverse proxy must keep path, for login cookie)"
}
return "", &sherpa.Error{Code: "user:error", Message: msg}
} }
ip := RemoteIP(log, isForwarded, r) ip := RemoteIP(log, isForwarded, r)