Login page bugs #186

Open · redimp opened this issue Jan 19, 2025 · 13 comments
Labels
question Further information is requested

Comments

redimp commented Jan 19, 2025

Version: 2.8.0 (v2.8.0-0-g19167e4)

  • I set the Read Access to "Register," but when someone accesses the website without being logged in, it shows "Access Denied" and doesn't automatically redirect to the login page.


redimp commented Jan 19, 2025

Hey @towerstreet, thanks for reporting this. I cannot reproduce this; my log shows

```
127.0.0.1 - - [19/Jan/2025 19:31:02] "GET /Home HTTP/1.1" 302 -
127.0.0.1 - - [19/Jan/2025 19:31:02] "GET /-/login HTTP/1.1" 200 -
```

In the code there is a forward in case a user has no read permissions:

otterwiki/otterwiki/wiki.py, lines 522 to 535 in 85b69ea:

```python
    if not has_permission("READ"):
        if current_user.is_authenticated and not current_user.is_approved:
            toast(
                "You lack the permissions to access this wiki. Please wait for approval."
            )
        elif current_user.is_authenticated and current_user.is_approved:
            toast(
                "You are logged in but lack READ permissions. Please wait for an administrator to grant access."
            )
        else:
            toast(
                "You lack the permissions to access this wiki. Please login."
            )
        return redirect(url_for("login"))
```

and a test that covers this:

```python
from flask import url_for  # url_for builds the view/login URLs under the app context the fixture provides


def test_page_view_permissions(app_with_permissions, test_client):
    fun = "view"
    app_with_permissions.config["READ_ACCESS"] = "ANONYMOUS"
    rv = test_client.get(url_for(fun, path="Home"))
    assert "There is no place like Home." in rv.data.decode()
    app_with_permissions.config["READ_ACCESS"] = "REGISTERED"
    rv = test_client.get(url_for(fun, path="Home"), follow_redirects=True)
    assert "There is no place like Home." not in rv.data.decode()
    # check for the toast
    assert "lack the permissions to access" in rv.data.decode()
    # check for the login form
    assert url_for("login") in rv.data.decode()
    assert 'name="password"' in rv.data.decode()
    assert rv.status_code == 200
```

Can you double-check with e.g. an incognito window and navigating to your site?

@redimp redimp added the question Further information is requested label Jan 19, 2025
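To make the redirect behaviour under discussion reproducible without a full wiki install, here is an added example (not An Otter Wiki's code, not posted by anyone in this thread): a plain WSGI app that applies the same policy shape (a `READ_ACCESS` setting of `ANONYMOUS`, `REGISTERED` or `APPROVED`, assumed names) and answers a 302 to `/-/login` with the matching toast text when the caller lacks READ, plus a tiny test driver that mimics Flask's `test_client.get(..., follow_redirects=True)`. The `User` model, the `X-Toast` header used to surface the message, and the login form body are assumptions for the example.

```python
"""Stand-alone WSGI reproduction of the READ-permission gate (added example, not project code)."""
from dataclasses import dataclass
from typing import Optional
from wsgiref.util import setup_testing_defaults

LOGIN_PATH = "/-/login"  # same redirect target that appears in the logs in this thread


@dataclass
class User:
    """Assumed minimal user model: a logged-in user that may or may not be approved."""
    name: str
    is_approved: bool = False


def has_read_permission(read_access: str, user: Optional[User]) -> bool:
    """ANONYMOUS: everyone; REGISTERED: any logged-in user; APPROVED: approved users only."""
    if read_access == "ANONYMOUS":
        return True
    if user is None:
        return False
    if read_access == "REGISTERED":
        return True
    if read_access == "APPROVED":
        return user.is_approved
    raise ValueError(f"unknown READ_ACCESS level: {read_access}")


def deny_message(user: Optional[User]) -> str:
    """The three cases of the wiki.py excerpt: unapproved, approved-but-denied, anonymous."""
    if user is not None and not user.is_approved:
        return "You lack the permissions to access this wiki. Please wait for approval."
    if user is not None and user.is_approved:
        return "You are logged in but lack READ permissions. Please wait for an administrator to grant access."
    return "You lack the permissions to access this wiki. Please login."


def make_app(config: dict, current_user: Optional[User]):
    """Build the WSGI app; config["READ_ACCESS"] is the policy, current_user the session's user."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path == LOGIN_PATH:
            start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
            return [b'<form method="post"><input name="password"></form>']
        if not has_read_permission(config["READ_ACCESS"], current_user):
            # redirect(url_for("login")) in Flask is a 302 plus a Location header.
            # The toast is carried in an assumed X-Toast header so the test can observe it.
            start_response("302 FOUND", [("Location", LOGIN_PATH), ("X-Toast", deny_message(current_user))])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
        return [b"There is no place like Home."]
    return app


def request(app, path: str):
    """Drive the WSGI app directly, like test_client.get(); returns (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body.decode()


def request_following_redirects(app, path: str, limit: int = 5):
    """Mimic follow_redirects=True: chase Location until a non-3xx answer or the hop limit."""
    hops = []
    for _ in range(limit):
        status, headers, body = request(app, path)
        hops.append((path, status))
        if not status.startswith("3"):
            return status, headers, body, hops
        path = headers["Location"]
    raise RuntimeError(f"redirect loop: {hops}")


if __name__ == "__main__":
    anon_app = make_app({"READ_ACCESS": "REGISTERED"}, None)
    print(request_following_redirects(anon_app, "/Home")[3])
```

Run stand-alone it prints the hop list for an anonymous visitor under `REGISTERED`, i.e. `/Home` answered 302 and then `/-/login` answered 200, which is the pair of log lines the maintainer shows above; a 403 with no Location header never arises from this gate.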
towerstreet commented Jan 19, 2025

I add `-/login` to `http://mydomain/`, then I can get to it and log in. Without it, the Forbidden page is always shown.

redimp commented Jan 19, 2025

Hmm, I need more insight. Can you please run

```
curl -s -v https://mydomain.com -o /dev/null 2>&1 | grep -e "^[<>]"
```

and post the output? E.g. `curl -s -v https://dev.otterwiki.com -o /dev/null 2>&1 | grep -e "^[<>]"` gives

```
> GET / HTTP/2
> Host: dev.otterwiki.com
> User-Agent: curl/8.7.1
> Accept: */*
>
< HTTP/2 302
< date: Sun, 19 Jan 2025 22:44:31 GMT
< content-type: text/html; charset=utf-8
< content-length: 203
< location: /-/login
< vary: Cookie
< set-cookie: session=.eJwNxlEKQEAQBuCr_M0zDuAUXiVp2oadDKudlSR35-n7HppmY4_i1A4PofwQm-RSH1k3zjdV1KcTxmFFiYJD8qbumnZHSeAQxP9FdVy6aoPOhF1gadG9ofEd3w8DoCO4.Z42ATw.wQRqvcQnJa7fKOhbTJgymQdOSC4; HttpOnly; Path=/
< strict-transport-security: max-age=15724800; includeSubDomains
```

towerstreet commented Jan 20, 2025

```
> GET / HTTP/1.1
> Host: 192.168.31.150:8888
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.22.1
< Date: Mon, 20 Jan 2025 02:40:49 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 213
< Connection: keep-alive
< Vary: Cookie
<
```

redimp commented Jan 20, 2025

Yes, this confirms what you observe: The nginx throws the 403 directly.

  1. Which version of An Otter Wiki are you running? (It is on the last line of https://mydomain.com/-/about.) The replying nginx is 1.22.1 ... and the latest otterwiki nginx is 1.25.3 ... is this the reverse proxy sending the 403? Sorry, my mistake. My local build is running nginx 1.25.3.
  2. Can you check the logs of the pod when you run into the 403? E.g. via `curl -s -L -v https://hostname/ -o /dev/null 2>&1 | grep -e "^[<>]"`

Looks like this to me:

```
172.17.0.1 - - [20/Jan/2025:16:28:39 +0000] "GET / HTTP/1.1" 302 204 "-" "curl/8.7.1" "-"
172.17.0.1 - - [20/Jan/2025:16:28:45 +0000] "GET / HTTP/1.1" 302 204 "-" "curl/8.7.1" "-"
172.17.0.1 - - [20/Jan/2025:16:28:45 +0000] "GET /-/login HTTP/1.1" 200 5369 "-" "curl/8.7.1" "-"
```
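The two curl traces in this thread are being compared by hand. As an added example (not part of the issue and not project code), here is a small parser for `curl -s -v ... | grep "^[<>]"` output that splits a trace into request/response hops, reports whether the first hop is the expected 302 to `/-/login` or a 403, and records the `Server` header of the hop that answered. The origin hints it attaches to a 403 are heuristics and assumptions of this example, not findings from the thread: Flask adds `Vary: Cookie` to a response whenever the session was read or written, so a 403 carrying that header most plausibly passed through the application rather than being answered by a bare nginx `deny` rule. The sample traces are constructed, modelled on the posted ones with documentation hostnames and addresses.

```python
"""Classify curl -v traces of the kind posted in this thread (added example, not project code)."""
import re
from dataclasses import dataclass, field


@dataclass
class Exchange:
    """One request/response pair out of a (possibly -L, multi-hop) curl trace."""
    request_line: str = ""
    request_headers: dict = field(default_factory=dict)
    status: int = 0
    headers: dict = field(default_factory=dict)


REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/")
STATUS_LINE = re.compile(r"^HTTP/[\d.]+ (\d{3})")


def parse_curl_trace(text: str):
    """Split grep'd curl output into Exchanges; every '> METHOD path HTTP/x' line starts a new hop."""
    exchanges = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("<", ">"):  # bare markers separate headers from body
            continue
        prefix, _, rest = line.partition(" ")
        if prefix == ">":
            if REQUEST_LINE.match(rest):
                current = Exchange(request_line=rest)
                exchanges.append(current)
            elif current is not None and ":" in rest:
                name, _, value = rest.partition(":")
                current.request_headers[name.strip().lower()] = value.strip()
        elif prefix == "<" and current is not None:
            m = STATUS_LINE.match(rest)
            if m:
                current.status = int(m.group(1))
            elif ":" in rest:
                name, _, value = rest.partition(":")
                current.headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return exchanges


def classify(exchanges) -> dict:
    """Summarise the first hop: login redirect, 403, or something else, plus origin hints."""
    if not exchanges:
        return {"verdict": "no-response"}  # e.g. a TLS handshake failure leaves grep with no '<' lines
    first = exchanges[0]
    result = {
        "status": first.status,
        "server": first.headers.get("server", "?"),
        "chain": [(e.request_line.split()[1], e.status) for e in exchanges],
    }
    if first.status in (301, 302, 303, 307, 308):
        result["verdict"] = "redirect"
        result["location"] = first.headers.get("location")
        result["login_redirect"] = result["location"] == "/-/login"
    elif first.status == 403:
        result["verdict"] = "forbidden"
        # Heuristic (assumption of this example): Flask sets 'Vary: Cookie' once the session was
        # touched, so its presence suggests the application, not a bare nginx rule, produced the 403.
        result["touched_app_session"] = "cookie" in first.headers.get("vary", "").lower()
        result["content_type"] = first.headers.get("content-type", "?")
    else:
        result["verdict"] = f"other-{first.status}"
    return result


# Constructed sample traces (documentation names/addresses), shaped like the two posted above.
TRACE_REDIRECT = """\
> GET / HTTP/2
> Host: wiki.example
> User-Agent: curl/8.7.1
> Accept: */*
>
< HTTP/2 302
< content-type: text/html; charset=utf-8
< content-length: 203
< location: /-/login
< vary: Cookie
> GET /-/login HTTP/2
> Host: wiki.example
>
< HTTP/2 200
< content-type: text/html; charset=utf-8
"""

TRACE_FORBIDDEN = """\
> GET / HTTP/1.1
> Host: 192.0.2.10:8888
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.22.1
< Content-Type: text/html; charset=utf-8
< Content-Length: 213
< Connection: keep-alive
< Vary: Cookie
<
"""

if __name__ == "__main__":
    for trace in (TRACE_REDIRECT, TRACE_FORBIDDEN):
        print(classify(parse_curl_trace(trace)))
```

Feed it the real output of the command the maintainer asked for (`curl -s -L -v https://host/ -o /dev/null 2>&1 | grep -e "^[<>]"`), once against the reverse proxy and once against the container port, and compare the `server` and `chain` fields of the two results; an empty result (`no-response`) means curl never got a status line back, which is a transport problem to fix before reading anything into the 403.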

@towerstreet

```
curl -s -L -v https://192.168.31.150:8843 -o /dev/null 2>&1 | grep -e "^[<>]"
```

Nothing to show.

redimp commented Jan 21, 2025

Hmm, if nothing shows up .. hard to say if the request reaches the actual nginx/uwsgi and who throws the 403 🤔

192.168.31.150:8843 is the otterwiki pod or the reverse proxy?

When you run just a one-shot instance via `docker run --rm -p 8082:80 redimp/otterwiki:2` on 192.168.31.150, can you reach http://192.168.31.150:8082 ?

towerstreet commented Jan 21, 2025

```
curl -s -L -v https://192.168.31.150:8843 -o /dev/null 2>&1 | grep -e "^[<>]"
```

Shows nothing.

```
curl -s -L -v http://192.168.31.150:8888 -o /dev/null 2>&1 | grep -e "^[<>]"
```

Shows:

```
> GET / HTTP/1.1
> Host: 192.168.31.150:8888
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 403 FORBIDDEN
< Server: nginx/1.22.1
< Date: Tue, 21 Jan 2025 08:42:23 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 213
< Connection: keep-alive
< Vary: Cookie
<
```

Nginx access.log:

```
192.168.31.15 - - [21/Jan/2025:16:59:53 +0800] "GET / HTTP/1.1" 403 185 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
192.168.31.15 - - [21/Jan/2025:16:59:53 +0800] "GET /favicon.ico HTTP/1.1" 499 0 "https://192.168.31.150:8843/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0"
```

  • My docker-compose.yml

```yaml
services:
  otterwiki:
    image: redimp/otterwiki:latest
    container_name: wiki
    restart: unless-stopped
    ports:
    - 8888:80
    volumes:
    - /home/towerstreet/Storage/Docker/Otterwiki/Data:/app-data
    environment:
      SITE_NAME: Wiki
```

  • My nginx reverse proxy conf

```nginx
server {
    listen 8843 ssl;
    server_name Otterwiki;

    ssl_certificate /home/towerstreet/Storage/Cert/cert.pem;
    ssl_certificate_key /home/towerstreet/Storage/Cert/key.pem;

    location / {
        proxy_pass http://localhost:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

@towerstreet

> Hmm, if nothing shows up .. hard to say if the request reaches the actual nginx/uwsgi and who throws the 403 🤔
>
> 192.168.31.150:8843 is the otterwiki pod or the reverse proxy?

  • reverse proxy

> When you run just a one-shot instance via `docker run --rm -p 8082:80 redimp/otterwiki:2` on 192.168.31.150, can you reach http://192.168.31.150:8082 ?

  • Can reach.

redimp commented Jan 21, 2025

Can you check if you can reach the non-one-shot otterwiki directly? The question is: does it work if you bypass the reverse proxy?

@towerstreet

> Can you check if you can reach the non-one-shot otterwiki directly? The question is: does it work if you bypass the reverse proxy?

  • With `docker run --rm -p 8082:80 redimp/otterwiki:2`, everything's OK.
  • http://192.168.31.150:8888 and https://192.168.31.150:8843 both show the Forbidden page when I set the "register" Read Access and log out.
  • If I set the "anonymous" Read Access and log out, everything's OK, like the non-one-shot otterwiki.

redimp commented Jan 21, 2025

Thanks for the effort .. I'm currently out of ideas about what is going wrong.

I configured https://dev.otterwiki.com/ to require registered access and it forwards me as it should to /-/login.

I have to set up a test environment where I replicate the setup with your nginx config as reverse proxy.

@towerstreet

Thanks for all your efforts. 👍🏻
