Environment
- OpenShock API: tag-79-a1
- Revision: 840534608ae49ab8e4f4d33543d537964dcccb2e
- WebUI: Version 3
- Deployment: Official Docker Compose
- Reverse Proxy: Traefik v2.11.29
- TLS: Let's Encrypt (DNS challenge via Cloudflare)
- DNS:
  shock.example.tld
  api.example.tld
  gateway.example.tld
Steps to reproduce
- Deploy a fresh OpenShock instance using the official Docker Compose.
- Configure:
  OPENSHOCK_WEB_DOMAIN=shock.example.tld
  OPENSHOCK_API_DOMAIN=api.example.tld
  OPENSHOCK__FRONTEND__BASEURL=https://shock.example.tld
  OPENSHOCK__FRONTEND__COOKIEDOMAIN=shock.example.tld
- Register a new account.
- Verify the account via email.
- Login succeeds.
- Logout.
- Try logging in again.
Expected behavior
The user should be able to log in again.
Actual behavior
Every subsequent login fails.
The WebUI displays:
Account not activated
However, the API returns:
{
  "type": "Login.InvalidDomain",
  "title": "The url you are requesting a login from is not whitelisted",
  "status": 403,
  "message": "The url you are requesting a login from is not whitelisted"
}
Additional information
- activated_at is correctly set in the users table.
- Password reset works correctly.
- Password reset emails are delivered successfully.
- The password can be changed successfully.
- The account exists and is activated.
- API logs only show:
  HTTP POST /1/account/login responded 403
No exception or stack trace is logged.
Additional observations
The WebUI reports:
User Hub
Error: WebSocket failed to connect.
The connection could not be found on the server...
Also, requesting:
https://api.example.tld/hubs/user
returns 404.
Investigation
While debugging, I found that the API returns Login.InvalidDomain from the login endpoint.
This appears to originate from GetCurrentCookieDomain() returning null, even though the frontend and API domains are configured.
Could this be related to the cookie domain matching (DomainUtils.GetBestMatchingCookieDomain) when using separate subdomains such as:
shock.example.tld
api.example.tld
gateway.example.tld
behind Traefik?
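The domain-match rule that browsers apply to cookies (RFC 6265, section 5.1.3) can be run against the hostnames and cookie domain from this report. This is an added example, not OpenShock's code: `best_matching_cookie_domain`, its comma-separated input and its longest-match rule are assumptions and may differ from what `DomainUtils.GetBestMatchingCookieDomain` does.

```python
# Added illustration: RFC 6265 section 5.1.3 domain matching, applied to the
# hostnames from this report. Not taken from the OpenShock code base.
import ipaddress


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if host equals cookie_domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if not host or not cookie_domain:
        return False
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # IP literals may only match exactly, never by suffix
    except ValueError:
        pass
    # The leading dot stops "notexample.tld" from matching "example.tld".
    return host.endswith("." + cookie_domain)


def best_matching_cookie_domain(host: str, configured: str):
    """Hypothetical rule: longest configured domain matching host, else None."""
    candidates = [d.strip() for d in configured.split(",") if d.strip()]
    matches = [d for d in candidates if domain_matches(host, d)]
    return max(matches, key=lambda d: len(d.strip(".")), default=None)


# Hostnames from the report's DNS section.
HOSTS = ["shock.example.tld", "api.example.tld", "gateway.example.tld"]


def report(configured: str) -> dict:
    """Map each host to the cookie domain it would be given (None = no match)."""
    return {h: best_matching_cookie_domain(h, configured) for h in HOSTS}


if __name__ == "__main__":
    # First value is the one from the report; the second is a constructed
    # parent-domain value for comparison.
    for cfg in ("shock.example.tld", "example.tld"):
        print(cfg, "->", report(cfg))
```

Under this rule the configured value `shock.example.tld` matches only the WebUI host, while the constructed parent value `example.tld` matches all three.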