Cross domain authorization fails

[gradosevic]

I have the authorization issue when using a site on a different domain:

 [DEBUG] {middleware/auth.go:71 middleware.(*Authenticator).auth.func1} auth failed, can't get token: token cookie was not presented: http: named cookie not present

In the browser, I get 401 and Unauthorize after logging in.

I want to use one docker instance on remark.example1.com for all of my sites, including other domains. I presume this is supported? I have enabled CORS in my example1.com site (please check the virtual host config down below).

Basically, I have added both sites example1.com and example2.com in yml and disabled docker cors with PROXY_CORS=true, but it's not working. If I switch to use the exact site either example1 or example2 it works but when I try to access e.g. site example2.com on remark.example1.com it doesn't work.

This is my yml file

version: "2"

services:
  remark:
    build: .
    image: umputun/remark42:latest
    container_name: "remark42"
    hostname: "remark42"
    restart: always

    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"

    # uncomment to expose directly (no proxy)
    ports:
      - "8888:8080"

    environment:
      - REMARK_URL=https://remark.example1.com
      - SECRET=secret
      - SITE=example1.com,example2.com
      - STORE_BOLT_PATH=/srv/var/db
      - BACKUP_PATH=/srv/var/backup
      - PROXY_CORS=true
      - DEBUG=true
      - AUTH_ANON=true
      - AUTH_GOOGLE_CID=<key>
      - AUTH_GOOGLE_CSEC=<key>
      - NOTIFY_ADMINS=slack
      - NOTIFY_SLACK_CHAN=<channel>
      - NOTIFY_SLACK_TOKEN=<key>
      - AUTH_GITHUB_CID=<key>
      - AUTH_GITHUB_CSEC=<key>
    volumes:
      - ./var:/srv/var

My Apache virtual host for remark.example1.com looks something like this:

<VirtualHost *:443>
        Header set Access-Control-Allow-Origin "*"
        ServerName remark.example1.com
        ServerAlias www.remark.example1.com

	ProxyRequests Off
	ProxyPreserveHost On
	ProxyVia Full
	<Proxy *>
		Require all granted
	</Proxy>

	RequestHeader set X-Forwarded-Proto "https"
	RequestHeader set X-Forwarded-Port "443"
	
        ProxyPass /  http://127.0.0.1:8888/
	ProxyPassReverse / http://127.0.0.1:8888/
...

Thanks for help.

Originally posted by @gradosevic in #1129 (comment)

[BenRoe]

Hello,
i have a similar problem. Remark42 is hosted on comments.domain1.com and the site who uses remark is on domain2.com.
The VPS uses Plesk with NGINX as proxy.
If i try to login with Twitter, or Github, login button still shown and i can't comment.

Is it possible to host Remark on a different server? Can someone point into a direction or post what necessary?
Many Thanks.

[paskal]

#1163 is a relevant discussion. In short, we don't know how to make it work at the moment, maybe we should even write it down into documentation so that it would be known to the users.

[uPagge]

faced the same problem, but it seems that everything worked before
#1214

[paskal]

Likely due to browser update\change rather than Remark42 changes: I assumed that it should be possible to fix that situation with some set of headers, but I never figured out which set of headers should it be. I assume that the host with comments should somehow allow the remark42 domain in order for it to work properly.

If you'll find anything useful, please share it.

[uPagge]

I do not care, so I just changed the remark42 domain and everything worked))

[hycday]

no sure if this was solved and how...
in short :

I have remark42 on sub.domain1.com working on sub.domain1.com/web (demo page), working good on domain1.com when called on the website and possible to add/delete comments, but when calling from domain2.com it doesnt work (i get 401 error)

This is what I have in my docker-composer.yml:

environment:
- REMARK_URL=https://sub.domain1.com
- SECRET=abc
- SITE=dom1, dom2
- PROXY_CORS=false
- DEBUG=true
- AUTH_ANON=true
- ALLOWED_HOSTS=domain1.com domain2.com sub.domain1.com

when using it in domain2.com I get the infamous 401 error remark.mjs:2 GET https://sub.domain1.com/api/v1/user?site=dom2 401 on Chrome console

anyone can help ?

[paskal]

I've tried my best and failed to figure out how to fix it. I'll try once more as it's a severe problem that I want to see fixed.

[akellbl4]

Do you have any working example? I guess it's browser limitations in terms of cross domain communications.

[hycday]

here you go for working example:

https://vpsone.ovh/
https://vpstwo.ovh/
https://rem.vpstwo.ovh/web/

I can post comments on vpstwo.ovh but not on vpsone.ovh

and this is my remark42 docker-compsoe.yml:

environment:
  - REMARK_URL=https://rem.vpstwo.ovh
  - SECRET=secret
  - SITE=vpsone,vpstwo,
  - PROXY_CORS=false
  - DEBUG=true
  - AUTH_ANON=true
  - ALLOWED_HOSTS=vpsone.ovh vpstwo.ovh rem.vpstwo.ovh

[paskal]

Posting comments as anonymous and as an email user works when I have domain.org and comments served from remark42.comments.org, without setting ALLOWED_HOSTS and PROXY_CORS. I've tested in Safari, Chrome and Firefox. What I can't do is I can't make GitHub login work as it relies on setting the redirect URL back to the domain it was called from. The authenticator currently supports setting only a single callback URL at the start and right now it's not possible to make oAuth providers work with another domain name. It's something I can fix.

However, in your case, something else is off. The problem in the browser is reported as §[Error] Blocked a frame with origin "https://vpsone.ovh" from accessing a frame with origin "https://rem.vpstwo.ovh". Protocols, domains, and ports must match..

When adding the wrong Content-Security-Policy (without the hostname I'm trying to access the comments from, vpsone.ovh in your case and domain.org in mine) I'm getting Refused to load https://remark42.comments.org/web/iframe.html?host=https%3A%2F%2F remark42.comments.org&site_id=remark42&components=embed&url=https%3A%2F%2Fdomain.org%2F2022%2Fsystem-design-interview%2F because it does not appear in the frame-ancestors directive of the Content Security Policy.. When I set the correct name (domain.org), I'm able to reproduce the problem you've reported: something is clearly wrong with headers we set (or don't set), I'll figure out what's the problem and will write back.

[paskal]

Firefox 102 does work with Content-Security-Policy frame-ancestors the same way as without it.

Chrome 103 doesn't work without emitting any errors.

Safari 15.5 doesn't work and emits the error Blocked a frame with origin "https://domain.org" from accessing a frame with origin "https://remark42.comments.org". Protocols, domains, and ports must match.

[paskal]

I found a solution for your particular problem @hycday.

You can set or not set ALLOWED_HOSTS as it just restricts embedding the remark42 on list of domains you set, like ALLOWED_HOSTS='self',domain1.org,domain2.org would allow it to work on the same domain remark42 works by itself (for a demo on the /web/ to work).

The requirement for remark42 to work on a different domain than the one you're embedding it on is AUTH_SAME_SITE=none, otherwise you have this error in the remark42 log:

[DEBUG] {middleware/auth.go:75 middleware.(*Authenticator).auth.func1} auth failed, can't get token: token cookie was not presented: http: named cookie not present

And this error in the login set-cookie in Chrome dev console:

I'll write that down in the documentation.

UPD: here is it.

[hycday]

I confirm that adding AUTH_SAME_SITE=none to the env variable solved it :) thanks a LOT for that ! super helpful

[rez0n]

Hi, I have an almost similar issue, all auth providers are works but email auth returns "Forbidden" in UI and "Unauthorized" in the API response.

docker-compose

version: '3'

networks:
  ext_network:
    external: true

services:
  remark:
    image: umputun/remark42:master
    container_name: "comments.django.guru"
    hostname: "comments.django.guru"
    restart: always
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"
    environment:
      - DEBUG=true
      - REMARK_URL=https://comments.django.guru
      - SITE=django.guru
      - SECRET=123
      - NOTIFY_USERS=email
      - [email protected]
      - NOTIFY_ADMINS=email
      - [email protected]
      - [email protected]
      - SMTP_HOST=email-smtp.eu-central-1.amazonaws.com
      - SMTP_PORT=465
      - SMTP_TLS=true
      - SMTP_USERNAME=AKI...
      - SMTP_PASSWORD=BPV...
      - AUTH_SAME_SITE=none
      - PROXY_CORS=false
      - AUTH_ANON=true
      - AUTH_EMAIL_ENABLE=true
      - AUTH_GITHUB_CID=abc
      - AUTH_GITHUB_CSEC=def
    labels:
      - traefik.enable=true
      - traefik.http.services.comments_django_guru_https.loadbalancer.server.port=8080
      - 'traefik.http.routers.comments_django_guru_https.rule=Host("comments.django.guru")'
      - traefik.http.routers.comments_django_guru_https.entrypoints=https
      - traefik.http.routers.comments_django_guru_https.tls=true
      - traefik.http.routers.comments_django_guru_https.tls.certresolver=myresolver
      - 'traefik.http.routers.comments_django_guru_http.rule=Host("comments.django.guru")'
      - traefik.http.routers.comments_django_guru_http.entrypoints=http

    volumes:
      - ./remark42_data:/srv/var

Screenshots:
https://share.cleanshot.com/08tKlc
https://share.cleanshot.com/DAcZdv

Logs

[INFO]  {logger/logger.go:134 logger.(*Middleware).Handler.func1.1} GET - /auth/email/login?site=django.guru&[email protected]&user=asd - comments.django.guru - 4ac829c178e8 - 403 (14)

I tried a lot of different combinations of settings and both images (latest/master), maybe someone have any suggestions on how to solve this?

[umputun]

I don't think your issue has anything to do with cross-domain. Most likely, you were rejected because either site id or user-id was detected as susposios here. Probably site or user don't pass reSite / reUser regexes.

[rez0n]

Hi @umputun
Much thanks, the problem was in site_id (which was domain), I changed dot to the underscore and it works correctly.
I had a lot headache fixing it, would be great to have an obvious error message about this somewhere for future newbies.
Thanks for this cool project.

[umputun]

yw. I have added a warn log message for the rejected site/user or email address cb98885

[paskal]

Current, up-to-date documentation on the topic: https://remark42.com/docs/manuals/separate-domain/

[pluja]

Any updates on this issue? Are there any plans on solving it?

[paskal]

For authorisation using oAuth like GitHub or Google is impossible on domains other than the original one to work, someone needs to rewrite the auth package and how Remark42 interacts with it. I don't think anyone other than me is interested in doing this. I think I'll be able to look into it somewhere within a year from now.