
Can't stay logged in after update #2487

Closed
nickian opened this issue Apr 23, 2024 · 11 comments
@nickian

nickian commented Apr 23, 2024

What setup are you using

  • Self Hosted - PHP-FPM 8.2, MySQL 8.0, Nginx

Describe the bug

I just updated to 3.1.2 by copying the site files over to my server, overwriting them. After the update, I can log in, but once I click on any second page, I'm immediately logged out and taken back to the login screen.

I don't see any errors at all in my nginx log. I'm using the example nginx config. In the browser console, I just see 404 errors for widgets because I'm apparently not authenticated.

I tried running some of the commands from the CLI: clearing the cache, running update again, running scheduled tasks, db migrate. None of it resolved the issue.

Any idea what could be going on here?

@phires

phires commented Apr 26, 2024

I'm having the same issues, but I'm running it as a docker container.

Downgrading to 3.1.1 fixes the issue for now.

@marcelfolaron
Contributor

Are you running Leantime behind a proxy?
We hardened our session management, and part of the hash now includes HTTP_HOST and the IP address from which the request originated. If those things change, you will be logged out.

Additionally the cookie sameSite parameter was set to "Strict"

Can you check if there are any errors in logs/error.log? If there is a session mismatch (client IP + HTTP_HOST) there will be entries stating: "failed ip and host check"

@marcelfolaron marcelfolaron self-assigned this Apr 28, 2024
@nickian
Author

nickian commented Apr 28, 2024

I'm not using Docker with a reverse proxy. Just PHP-FPM 8.1 and Nginx. My Nginx config looks like this:

server {
    listen 80;
    listen [::]:80;
    server_name projects.mydomain.com;
    return 301 https://$server_name$request_uri;
}

server {

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name projects.mydomain.com;
    set $base /path/to/projects.mydomain.com/www;
    root $base/public;

    error_log /path/to/projects.mydomain.com/log/error.log;
    access_log /path/to/projects.mydomain.com/log/access.log;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # index.php
    index index.php;

    location ~ \.php$ {
        # 404
        try_files $fastcgi_script_name =404;

        # default fastcgi_params
        include fastcgi_params;

        # fastcgi settings
        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;

        # fastcgi params
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # additional config
    # favicon.ico
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 7d;
        access_log off;
    }

    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        expires 7d;
        access_log off;
    }

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

}

@nickian
Author

nickian commented Apr 28, 2024

I thought maybe it was Cloudflare or my floating IP, but I've tried disabling proxying and even just putting the direct IP of the server in my local hosts file. Makes no difference.

@MNylif

MNylif commented Apr 30, 2024

@marcelfolaron,

I have tried installing and running this all the ways the documentation instructs, even using panels like Cloudron and getting other devs to help me with this. The login bugs out and I am unable to get in. I use Cloudflare, and even changing those settings didn't help.

After logging in, this is immediately what pops up. After you sign in again, it just goes back to the main login page.

[Screenshot attached: 2024-04-30, 11:29:10 AM]

@marcelfolaron
Contributor

marcelfolaron commented May 1, 2024 via email

@nickian
Author

nickian commented May 1, 2024

I reinstalled with 3.1.3 and the issue is resolved. Thanks!

@nickian nickian closed this as completed May 1, 2024
@marcelfolaron
Contributor

Glad that fixed it. My guess is that HTTP_HOST is not set under some circumstances or potentially changes, which is why it was resetting the session. I am now using SERVER_NAME as a backup in case HTTP_HOST is not set.

@typkrft

typkrft commented May 6, 2024

@marcelfolaron What is the expected way to resolve this for Docker and reverse proxies? I didn't see any new instructions for configuration. I'm tagging you because I didn't want to create a new issue.

I've got traffic coming through cloudflare and then traefik to the leantime docker container.

Attempted running latest as of today, 3.1.4, 3.1.3, 3.1.2.

Downgrading to 3.1.1 does resolve the issue for me.

@marcelfolaron
Contributor

marcelfolaron commented May 6, 2024 via email

@typkrft

typkrft commented May 6, 2024

Maybe this isn't what you are looking for, but after passing through Cloudflare, Traefik, and Authentik, here are some ideas regarding the headers that are making their way to Leantime.

Notable headers:

IP: Some Docker Container IP 172.x.x.x
RemoteAddr: Docker Router 172.x.x.1
Cf-Connecting-Ip: Real IP - From Cloudflare
X-Forwarded-For: 172.x.x.x Docker Client Same as X-Real-IP
X-Real-Ip: 172.x.x.x
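
The following is an added illustration, not Leantime's own code, of the session binding marcelfolaron describes above (hash over HTTP_HOST and client IP, checked on every request, with SERVER_NAME standing in when HTTP_HOST is missing) and of why the proxy chain typkrft lists matters for it. The environments, addresses, header names and the trust_proxy switch are constructed assumptions, not values from any real deployment.

```python
import hashlib

# Constructed CGI-style environments (not captured from a real deployment).
LOGIN = {"HTTP_HOST": "projects.example.com",
         "SERVER_NAME": "projects.example.com",
         "REMOTE_ADDR": "203.0.113.7"}
# Same client, but HTTP_HOST did not reach PHP on this request.
NO_HOST = {k: v for k, v in LOGIN.items() if k != "HTTP_HOST"}
# Cloudflare -> Traefik -> container: REMOTE_ADDR is the Docker router; the
# visitor's address only survives in a forwarded header (assumed names).
PROXIED = {"HTTP_HOST": "projects.example.com",
           "SERVER_NAME": "projects.example.com",
           "REMOTE_ADDR": "172.18.0.1",
           "HTTP_CF_CONNECTING_IP": "203.0.113.7",
           "HTTP_X_FORWARDED_FOR": "172.18.0.5"}


def client_ip(env: dict, trust_proxy: bool) -> str:
    """Address used for binding. Forwarded headers count only when the operator
    has declared the upstream proxy trusted; otherwise a client could choose them."""
    if trust_proxy:
        for h in ("HTTP_CF_CONNECTING_IP", "HTTP_X_REAL_IP", "HTTP_X_FORWARDED_FOR"):
            if env.get(h):
                return env[h].split(",")[0].strip()
    return env["REMOTE_ADDR"]


def fingerprint(env: dict, trust_proxy: bool = False,
                server_name_fallback: bool = True) -> str:
    """Hash over host + client IP; SERVER_NAME stands in for a missing HTTP_HOST."""
    host = env.get("HTTP_HOST") or (env.get("SERVER_NAME", "") if server_name_fallback else "")
    return hashlib.sha256(f"{host}|{client_ip(env, trust_proxy)}".encode()).hexdigest()


class Session:
    """Bound at login, re-checked on every later request."""
    def __init__(self, env: dict, **opts: bool) -> None:
        self.opts, self.bound, self.log = opts, fingerprint(env, **opts), []

    def check(self, env: dict) -> bool:
        if fingerprint(env, **self.opts) != self.bound:
            self.log.append("failed ip and host check")  # the logs/error.log entry
            return False
        return True


def second_page_survives(server_name_fallback: bool) -> bool:
    """Log in with HTTP_HOST present, then load a page where it is absent."""
    return Session(LOGIN, server_name_fallback=server_name_fallback).check(NO_HOST)


def bound_ip(trust_proxy: bool) -> str:
    """Address a proxied login is bound to under each policy."""
    return client_ip(PROXIED, trust_proxy)
```

Without the SERVER_NAME fallback the second request fails the check exactly as reported in the thread; without a trusted-proxy setting, every visitor behind the Docker router shares the same bound address, so the IP half of the check no longer distinguishes clients.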
