Authentication cookies not being set on local environment #1385

Closed

jnfrati opened this issue Oct 27, 2021 · 13 comments
Labels
bug Something isn't working

Comments

@jnfrati
Contributor

jnfrati commented Oct 27, 2021

Hm, I think this is similar to the issue I have. But I couldn't complete registration (well, it did complete), but I cannot log in. I get errors in the console about unauthenticated cookies, but there aren't any cookies at all. When I try to register again, it says the email is already taken, so my account exists.

Response of /login is 200 {"id":1,"email":"[email protected]","email_verified":false} but is instantly followed by another HTTP request to /api/users/current which gives a similar 403 {"error":"Forbidden"}.

I don't know whether I should open a separate issue, but thought I would write under this issue first, in case it's a dupe.
Steps were similar: spun up an LXC container, installed the porter CLI as in the linked guide, ran the same command, went to register and got these errors (the first errors were even without any user input at all, I just went to :8080 and that was it).

Porter Server Log
root@porter:~# porter server start
Set the current driver as local
Set the current host as http://localhost:8080
getting release https://github.com/porter-dev/porter/releases/download/v0.11.1/portersvr_v0.11.1_Linux_x86_64.zip
getting release https://github.com/porter-dev/porter/releases/download/v0.11.1/portersvr_v0.11.1_Linux_x86_64.zip
downloaded release portersvr to file /root/.porter/portersvr_latest.zip
unzipping portersvr to /root/.porter
getting release https://github.com/porter-dev/porter/releases/download/v0.11.1/static_v0.11.1.zip
getting release https://github.com/porter-dev/porter/releases/download/v0.11.1/static_v0.11.1.zip
downloaded release static to file /root/.porter/static_latest.zip
unzipping static to /root/.porter/static
{"level":"info","time":"2021-10-27T07:17:36Z","message":"Starting server :8080"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:17:56Z"}
{"level":"info","latency":0.03751,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:17:56Z"}
{"level":"info","latency":0.01388,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:17:56Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:18:05Z"}
{"level":"info","latency":0.260272,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:18:05Z"}
{"level":"info","latency":0.00483,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:18:05Z"}
{"level":"error","time":"2021-10-27T07:19:26Z","message":"Analytics not enabled"}
{"level":"error","time":"2021-10-27T07:19:26Z","message":"Analytics not enabled"}
{"level":"info","latency":39.802457,"status":200,"method":"POST","url":"/api/users","time":"2021-10-27T07:19:26Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:19:26Z"}
{"level":"warn","internal_error":"email already taken","external_error":"email already taken","method":"POST","url":"/api/users","time":"2021-10-27T07:19:42Z"}
{"level":"info","latency":0.514923,"status":400,"method":"POST","url":"/api/users","time":"2021-10-27T07:19:42Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:19:51Z"}
{"level":"info","latency":0.02932,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:19:51Z"}
{"level":"info","latency":0.01057,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:19:51Z"}
{"level":"info","latency":18.101136,"status":200,"method":"POST","url":"/api/login","time":"2021-10-27T07:19:53Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:19:53Z"}
{"level":"info","latency":18.821011,"status":200,"method":"POST","url":"/api/login","time":"2021-10-27T07:20:02Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:20:02Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:20:20Z"}
{"level":"info","latency":0.02897,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:20:20Z"}
{"level":"info","latency":0.01091,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:20:20Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:20:23Z"}
{"level":"info","latency":0.00778,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:20:23Z"}
{"level":"info","latency":0.01076,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:20:23Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:23:25Z"}
{"level":"info","latency":0.02868,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:23:25Z"}
{"level":"info","latency":0.01465,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:23:25Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2021-10-27T07:23:27Z"}
{"level":"info","latency":0.00877,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:23:27Z"}
{"level":"info","latency":0.01291,"status":200,"method":"GET","url":"/api/metadata","time":"2021-10-27T07:23:27Z"}
{"level":"warn","internal_error":"email already taken","external_error":"email already taken","method":"POST","url":"/api/users","time":"2021-10-27T07:23:32Z"}
{"level":"info","latency":0.389543,"status":400,"method":"POST","url":"/api/users","time":"2021-10-27T07:23:32Z"}

Originally posted by @d0x7 in https://github.com/porter-dev/porter/issues/1356#issuecomment-952627230

@jnfrati jnfrati added the bug Something isn't working label Oct 27, 2021
@oskar-gmerek

I am experiencing exactly the same.

Sign up

  • After filling the form and hitting the continue button, the API POST to api/users happens without any signal in the UI that the form was sent. A second hit on the continue button produces an info popup "Email is already taken".

Sign in

  • trying to sign in with a previous email/password gives a successful API POST to api/login (but without any results), followed by an internal error on the API GET to api/users/current: "stored cookie was not authenticated".
    Nothing on the UI side.
  • trying to sign in with wrong credentials gives "Error: incorrect password" as expected

Additionally, trying to run on macOS is unsuccessful as well: https://github.com/porter-dev/porter/issues/199#issuecomment-999879253

@flobaader

I also have the same issue with the docker setup

@Baptiste-Leterrier

Same here with the docker setup. It also happens when setting the env variable WELCOME_FORM_WEBHOOK.

{"level":"info","latency":150.374359,"status":200,"method":"POST","url":"/api/login","time":"2022-02-28T12:59:43Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2022-02-28T12:59:43Z"}

@lsnow99

lsnow99 commented Mar 9, 2022

Hey, if anyone is still experiencing this on a local setup, try visiting the website using http://localhost:8080 or http://127.0.0.1:8080 instead of http://0.0.0.0:8080. The reason is that the cookies are being set with the Secure flag, which will only work on HTTPS sites or localhost, but not 0.0.0.0.

@flobaader

I also experienced the issue when I visit the self hosted instance at https://porter.mydomain.com. I also made sure to set the domain in the config 🤔

@abelanger5
Contributor

I also experienced the issue when I visit the self hosted instance at https://porter.mydomain.com. I also made sure to set the domain in the config 🤔

Hi @flobaader, just to confirm you set the URL by setting the env variable SERVER_URL to https://porter.mydomain.com or setting the following Helm config:

server:
  url: https://porter.mydomain.com

If that's the case, could you share the config for the cookie that's being set when you visit the dashboard? Excluding the actual cookie value.

Additionally, if you could make sure the dashboard is returning the Set-Cookie response header after POST /api/login, and that the cookie is actually set in the browser store.

@flobaader

Hey @abelanger5 yes this is my current config:

    environment:
      SERVER_URL: "https://porter.mydomain.com"
      ENCRYPTION_KEY: $PORTER_ENCRYPTION_KEY
      COOKIE_SECRETS: $PORTER_COOKIE_SECRETS
      WELCOME_FORM_WEBHOOK: "http://somerandomurl.com"
      REDIS_ENABLED: "false"
      SQL_LITE_PATH: /sqlite/porter.db
      FORCE_SSL: "true"

The login is successful, I get the following headers back:

content-length: 74
content-type: application/json;charset=utf8
date: Tue, 22 Mar 2022 12:06:47 GMT
server: Caddy
set-cookie: porter=MTY0Nzk1MDgwN3xfeG14NUZWV1dDbU01RFh4cDlWam9EUjBqT194RVE3bXVPUmhfTndaZWhrY2xnM1dqbE5nbm5k_REDACTED_fvayuhJ0n0-aDNOA39XTZhgJxvTO7PawRXesFM=; Path=/; Expires=Thu, 21 Apr 2022 12:06:47 GMT; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax

The next request also sends the cookie back to porter but returns:

{"error":"Forbidden"}

@abelanger5
Contributor

@flobaader thanks! Just a few comments/questions based on your env and setup:

  • I think the issue may be the SQL_LITE setup. Make sure you also set the env var SQL_LITE=true.
  • There is no env var called FORCE_SSL, there is one called DB_FORCE_SSL. But this should not matter as we do not support SQL_LITE connections over SSL.
  • To confirm, the $PORTER_COOKIE_SECRETS env variable is set as <16-char-key>;<16-char-key>? It must be two 16-character keys separated by a semicolon. A semicolon cannot be present in the keys.
  • Which version of the Porter server are you pulling in?
  • Lastly, if you've tried setting the SQL_LITE variable and everything else looks correct, you should take a look at the database and make sure the sessions table is written correctly. You can use sqlite3 and check via SELECT * FROM sessions;.

Let me know if any of that works for you!
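The checks in the comment above lend themselves to a small preflight script. The following is an added example written for this thread, not Porter's own code: it takes the environment as a map and reports the three configuration problems abelanger5 lists (COOKIE_SECRETS format, SQL_LITE missing next to SQL_LITE_PATH, and the non-existent FORCE_SSL variable). The sample environment is constructed from flobaader's compose snippet; the 16-character key values in it are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample environment modelled on the compose snippet quoted in
// this thread. The COOKIE_SECRETS value is a placeholder, not a real secret.
var sampleEnv = map[string]string{
	"SERVER_URL":     "https://porter.mydomain.com",
	"COOKIE_SECRETS": "0123456789abcdef;fedcba9876543210",
	"SQL_LITE_PATH":  "/sqlite/porter.db",
	"FORCE_SSL":      "true",
}

// CheckCookieSecrets enforces the format described above: exactly two
// 16-character keys separated by one semicolon. Because the keys may not
// contain a semicolon, splitting on ";" must yield exactly two parts.
func CheckCookieSecrets(v string) error {
	parts := strings.Split(v, ";")
	if len(parts) != 2 {
		return fmt.Errorf("COOKIE_SECRETS must be <16-char-key>;<16-char-key>, got %d part(s)", len(parts))
	}
	for i, p := range parts {
		if len(p) != 16 {
			return fmt.Errorf("COOKIE_SECRETS key %d has %d characters, want 16", i+1, len(p))
		}
	}
	return nil
}

// PreflightEnv returns the problems to fix before digging into cookie
// behaviour any further. An empty slice means nothing was flagged.
func PreflightEnv(env map[string]string) []string {
	var problems []string

	if v, ok := env["COOKIE_SECRETS"]; ok {
		if err := CheckCookieSecrets(v); err != nil {
			problems = append(problems, err.Error())
		}
	}

	// SQL_LITE_PATH alone is not enough; the SQLite driver is selected by SQL_LITE=true.
	if _, ok := env["SQL_LITE_PATH"]; ok && env["SQL_LITE"] != "true" {
		problems = append(problems, "SQL_LITE_PATH is set but SQL_LITE=true is missing")
	}

	// FORCE_SSL is not a Porter setting; the database flag is DB_FORCE_SSL,
	// and it does not apply to SQLite anyway.
	if _, ok := env["FORCE_SSL"]; ok {
		problems = append(problems, "FORCE_SSL is not a Porter setting (the database flag is DB_FORCE_SSL, not applicable to SQLite)")
	}

	return problems
}

func main() {
	problems := PreflightEnv(sampleEnv)
	if len(problems) == 0 {
		fmt.Println("no configuration problems found")
		return
	}
	for _, p := range problems {
		fmt.Println("- " + p)
	}
}
```

Run against the sample environment it prints two findings (the missing SQL_LITE=true and the stray FORCE_SSL); the COOKIE_SECRETS value passes because it is two 16-character keys.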

@flobaader

Hi @abelanger5,

I tried to deploy the container with and without https, with and without encryption key & cookie secret, also tried different databases. The SQlite setup seems to work since the session database contains some data. The logs of the container show the following lines:

{"level":"info","time":"2022-03-26T10:38:25Z","message":"running migrations"}
{"level":"info","time":"2022-03-26T10:38:27Z","message":"Starting server :8080"}
{"level":"info","latency":0.01545,"status":200,"method":"GET","url":"/api/metadata","time":"2022-03-26T10:38:33Z"}
{"level":"error","time":"2022-03-26T10:38:38Z","message":"Analytics not enabled"}
{"level":"error","time":"2022-03-26T10:38:38Z","message":"Analytics not enabled"}
{"level":"info","latency":65.530287,"status":200,"method":"POST","url":"/api/users","time":"2022-03-26T10:38:38Z"}
{"level":"info","latency":0.017293,"status":200,"user_id":1,"method":"GET","url":"/api/users/current","time":"2022-03-26T10:38:38Z"}
{"level":"warn","internal_error":"user is not authorized","external_error":"user is not authorized","user_id":1,"method":"GET","url":"/api/can_create_project","time":"2022-03-26T10:38:38Z"}
{"level":"info","latency":0.204631,"status":403,"user_id":1,"method":"GET","url":"/api/can_create_project","time":"2022-03-26T10:38:38Z"}
{"level":"info","latency":0.033368,"status":200,"method":"GET","url":"/api/metadata","time":"2022-03-26T10:38:38Z"}
{"level":"info","latency":0.517089,"status":200,"user_id":1,"method":"GET","url":"/api/projects","time":"2022-03-26T10:38:38Z"}
{"level":"warn","internal_error":"user is not authorized","external_error":"user is not authorized","user_id":1,"method":"GET","url":"/api/can_create_project","time":"2022-03-26T10:38:38Z"}

@abelanger5
Contributor

{"level":"warn","internal_error":"user is not authorized","external_error":"user is not authorized","user_id":1,"method":"GET","url":"/api/can_create_project","time":"2022-03-26T10:38:38Z"}

Hey @flobaader -- to clarify, are you seeing the above issue of stored cookie was not authenticated, or are you just seeing user is not authorized? These are likely two separate issues -- if you're only seeing the user is not authorized issue, the cookie is being read correctly.

To get around the authorization issue, you can set the environment variable DISABLE_ALLOWLIST=true. For some context - Porter instance admins can restrict the users who are able to create a new project through a database "allowlist" table. We'll make sure to add this to the documentation somewhere.

@flobaader

@abelanger5 thank you for your response - this fixed my issue! Maybe a few problems are mixed here. Since I played a lot with the settings, I have also seen the issue mentioned here. It would be awesome if you could document all the different tweaks that users have to do in order to self-host porter.

@jm8985

jm8985 commented Aug 25, 2022

I have the same issue, {"error":"Forbidden"} is the error I get after creating an account when trying to login from this endpoint: /api/users/current.
Here's my config:
sudo docker run \
  --mount type=volume,source=porter_sqlite,target=/sqlite,readonly=false \
  -e REDIS_ENABLED=false \
  -e DISABLE_ALLOWLIST=true \
  -e SERVER_URL=http://somedomain.com \
  -e WELCOME_FORM_WEBHOOK=http://somedomain.com \
  -e SQL_LITE_PATH=/sqlite/porter.db \
  -p 8080:8080 \
  -d porter1/porter:latest

And docker logs:
{"level":"info","time":"2022-08-25T16:41:27Z","message":"running migrations"}
{"level":"info","time":"2022-08-25T16:41:28Z","message":"Starting server :8080"}
{"level":"info","latency":257.545161,"status":200,"method":"POST","url":"/api/login","time":"2022-08-25T16:43:08Z"}
{"level":"warn","internal_error":"stored cookie was not authenticated","external_error":"Forbidden","method":"GET","url":"/api/users/current","time":"2022-08-25T16:43:08Z"}

@abelanger5
Contributor

Closing this issue, as it should be resolved by one of the fixes documented below. If you have attempted all of these fixes and you're still seeing the error, we can re-open the issue:

  1. Seeing stored cookie was not authenticated in the server logs after logging in: the issue here is that the browser is not sending the cookie in subsequent requests to the Porter server. This can happen if:

    • The Porter instance is not running on a secure connection. The porter cookie is set with the Secure attribute by default. To allow cookies to be written over http, add the environment variable COOKIE_INSECURE=true to the Porter instance.
    • If the Porter instance is running on localhost, certain browsers do not respect the Secure attribute on localhost by default. In this case, setting COOKIE_INSECURE=true will also fix this issue.
    • Do not access the Porter server on 0.0.0.0, use localhost or 127.0.0.1 instead (ref).
    • If you are still experiencing this, it would be helpful to check in the browser network requests if the porter cookie is being sent.
  2. Seeing user is not authorized after logging in: this likely means that you are running an older version of Porter, in which case you need to set DISABLE_ALLOWLIST=true. On versions of Porter >= v0.37.0, this is set to true by default. Also make sure you are not running into any of the gotchas documented here.
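The first fix in the closing comment, and lsnow99's earlier remark about 0.0.0.0, both come down to whether the browser will store a cookie carrying the Secure attribute for the origin the dashboard is served on. The following is an added example written for this thread, not Porter's code: it parses a Set-Cookie header with Go's standard library and applies the rules the thread relies on (Secure requires https, except on localhost/127.0.0.1; an explicit Domain must match the host; the request path must fall under the cookie Path). The sample header is constructed from the one flobaader posted, with the session value replaced by a placeholder.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Constructed sample based on the Set-Cookie header quoted earlier in this
// thread; the session value is a placeholder.
const sampleSetCookie = "porter=REDACTED_SESSION_VALUE; Path=/; Expires=Thu, 21 Apr 2022 12:06:47 GMT; Max-Age=2592000; HttpOnly; Secure; SameSite=Lax"

// isLoopbackHost is true for "localhost" and loopback IPs such as 127.0.0.1.
// 0.0.0.0 is not loopback, which is why it fails in the reports above.
func isLoopbackHost(host string) bool {
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// pathMatches applies the RFC 6265 path-match rule the browser uses when
// deciding whether to attach a stored cookie to a request.
func pathMatches(cookiePath, reqPath string) bool {
	if cookiePath == "" {
		cookiePath = "/"
	}
	if reqPath == cookiePath {
		return true
	}
	if !strings.HasPrefix(reqPath, cookiePath) {
		return false
	}
	return strings.HasSuffix(cookiePath, "/") || reqPath[len(cookiePath)] == '/'
}

// CookieVerdict parses one Set-Cookie header and reports whether a browser
// on `origin` is expected to store the cookie and send it back on a request
// to reqPath, with a reason a self-hoster can act on.
func CookieVerdict(setCookie, origin, reqPath string) (bool, string, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return false, "", err
	}
	// http.Response.Cookies() is the standard-library Set-Cookie parser.
	resp := &http.Response{Header: http.Header{"Set-Cookie": {setCookie}}}
	cookies := resp.Cookies()
	if len(cookies) != 1 {
		return false, "", fmt.Errorf("expected one parseable cookie, got %d", len(cookies))
	}
	c := cookies[0]
	host := u.Hostname()

	// Rule 1: a Secure cookie is dropped on a plain-http origin, except that
	// browsers treat localhost and loopback addresses as trustworthy.
	if c.Secure && u.Scheme != "https" && !isLoopbackHost(host) {
		return false, fmt.Sprintf("cookie %q has Secure but origin %s is not https: serve over https or set COOKIE_INSECURE=true", c.Name, origin), nil
	}
	// Rule 2: an explicit Domain attribute must domain-match the host.
	if c.Domain != "" {
		d := strings.TrimPrefix(strings.ToLower(c.Domain), ".")
		h := strings.ToLower(host)
		if h != d && !strings.HasSuffix(h, "."+d) {
			return false, fmt.Sprintf("cookie Domain=%s does not match host %s", c.Domain, host), nil
		}
	}
	// Rule 3: the request path must fall under the cookie's Path.
	if !pathMatches(c.Path, reqPath) {
		return false, fmt.Sprintf("cookie Path=%s does not cover %s", c.Path, reqPath), nil
	}
	return true, fmt.Sprintf("cookie %q should be stored and sent to %s%s", c.Name, origin, reqPath), nil
}

func main() {
	for _, origin := range []string{"https://porter.mydomain.com", "http://0.0.0.0:8080", "http://localhost:8080"} {
		ok, why, err := CookieVerdict(sampleSetCookie, origin, "/api/users/current")
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%-30s ok=%-5v %s\n", origin, ok, why)
	}
}
```

With the sample header, https://porter.mydomain.com and http://localhost:8080 get a positive verdict while http://0.0.0.0:8080 is rejected with the Secure-attribute reason. The browser-side check the closing comment recommends remains the ground truth: the verdict here only tells you which attribute to look at when the Cookie header is missing from the /api/users/current request.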
