403 when previewing photo #143
Comments
|
If it is 403 (forbidden), the problem should be on the permissions side. Could you tell me if there is any error on the Developers Tools (F12)? I can't reproduce. |
|
An irrelevant minor bug, the download url |
|
console shows regular 403 error. no js error logged. |
|
You sure the file has the right permissions? Can you delete ir or rename it? Or you can't just preview? |
|
Just tried: can delete with no problem. Also, search gives 403 as well. There might be something wrong with the token sent in the js, or the parsing on the server side. |
|
Could you try logging out and logging in again to see if it works again? |
Still the same :( |
|
All failing (403) requests have the
|
|
which isn't needed, because it's |
|
I think there isn't any problem with the token since you can delete (which needs the token to be sent too, but sends it in the HEADER instead of sending it in the URL). The back-end is only looking for the Auth in the URL or the Header, but I think I should remove the URL and make it check the Cookie instead. It's better. Anyway, to make sure if the problem is the token in the URL: please try downloading a TEXT file that you can edit. When you click the download button, it will also generate a URL that has the token in it and ping me 😄 Sorry for all of this |
don't! that's a great plugin, and you are responding so fast!
403 (great advice!) |
|
Hmm... Indeed it must be the token in the URL, but I don't have that problem here 😭 Which is the browser you're using? FF? |
|
Yes FF :) proudly |
|
I just tried on FF too and I don't have that problem 😭 I'll remove this URL thing anyway and make it check the cookie though. Let's see what happens. |
|
I don't know much |
|
This is where the token is extracted from the request: auth.go. |
|
I'm going to deploy this to the server now and I'll ping you when it is done so you can try again 😄 |
|
Ok I thought it was an upstream bug, but I traced all the way back to http.Request (I assume is from go stdlib?) and couldn't see anything wrong, I don't know this language well enough. Well, that's all the effort I'm going to put into this. |
|
@princemaple, the newest build is already available to be downloaded from caddyserver.com 😄 Please tell me if it works |
|
I can see that the token is gone. However, I'm still getting 403s. Can you see anything wrong with my caddyfile in this issue? |
|
BTW username update is fixed, thanks! |
|
I really can't see any problem with your Caddyfile. The strangest thing is that it you receive a 403 error when previewing, but you can download, delete and rename the file, right? And can you search and execute any commands? |
|
no I cannot download. delete and rename do work. |
|
and no I cannot search or execute commands, I tried |
|
The thing is that this only happens with requests that don't send the token via If you're using Docker, could you just try running Caddy with File Manager outside of Docker, pointing to the same files and check if it works? Or try another folder with image files to see if it works, please. This is so strange. I have to leave home right now, but I'll try to help you later and keep this issue in mind. |
|
Actually, I think I know why. For the requests that do FAIL, they are sending a basic token instead of a bearer token. Ring a bell? |
|
The most obvious problem would be permission issues, but since you can delete and rename, that must not be the problem. If the issue is really related to filemanager's source code, it must be related to the auth. |
The token is the same. But for the requests that FAIL it is sent via Cookie. The others send it via a specific HTTP header. |
|
Although, you had the same problem before, when I was passing it through the URL. |
|
Aha I'm correct |
|
Though I have no idea sending basic token instead would fail with a 403. Anyway, there's no need to save username and password locally if we have a jwt :) this should be made more secure. |
|
Are you storing username and password in the jwt? If so, this is the wrong approach to use JWT. |
|
I haven't understood which basic token is that yet.
I'm not storing the password in the JWT but I'm storing some user
information on it so the front end knows what to show to the user.
…On Wed, 19 Jul 2017 at 09:29, Po Chen ***@***.***> wrote:
Are you storing username and password in the jwt? If so, this is the wrong
approach to use JWT.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#143 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFMdsPLC5BxQFh8BmfIxzX6qoRRnzMemks5sPb5dgaJpZM4OcTOk>
.
|
|
Is that basic token something related to basic auth? : 😕 |
|
yeah if you use basic token you are doing basic auth not jwt |
|
no it's not related to the basicauth config in my caddyfile though |
|
The thing I don't understand is why is your request sending a basic token since it was supposed to be sending the JWT one. Could you please check the value of "auth" cookie for that page? |
|
I see. My |
|
This happens nowadays that people don't really restart browsers 😉 I tried a private session (which doesn't have records of my current session) and everything works as expected. |
|
My sincere apologies! |
|
No problem :) I'm glad it is solved 😀
…On Wed, 19 Jul 2017 at 10:09, Po Chen ***@***.***> wrote:
My sincere apologies!
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#143 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFMdsKwPoFrCV17q15S45tL2VyhDfWr9ks5sPcfLgaJpZM4OcTOk>
.
|
|
Commit 503cc79 will prevent cases like this ;) |
Former-commit-id: 372cd53a6822a5e308b1db41593d1285f4c4ea22 [formerly 32161936b6b381a5c945ac404005f00cbc947499] [formerly 9572d67b6ead3d407f5899dcb46c2c7527fea437 [formerly d48867f]] Former-commit-id: 411c250031965f3e66c8acb341871800c120e637 [formerly 7801398085d8d8ed0e306e4fea63b94f6729b541] Former-commit-id: fe0c0ad2201510b10cb0ac724a3066ee4378fd67
Bumps [vue-i18n](https://github.com/kazupon/vue-i18n) from 8.10.0 to 8.11.1. - [Release notes](https://github.com/kazupon/vue-i18n/releases) - [Changelog](https://github.com/kazupon/vue-i18n/blob/dev/CHANGELOG.md) - [Commits](kazupon/vue-i18n@v8.10.0...v8.11.1) Signed-off-by: dependabot[bot] <support@dependabot.com>
works when trying to preview/edit text file, though
The text was updated successfully, but these errors were encountered: