Authentication issues when using Cloudflare Tunnels

[fcosanabria]

Describe the bug

Description

When accessing Memos through Cloudflare Tunnels, the application experiences authentication issues that don't occur when accessing directly via localhost or local DNS ingress.

Environment

• Setup: Local Kubernetes cluster.
• Memos Version: v0.24.0
• Browser: Orion, Brave, Chrome and Firefox

Observed Behavior

1. The UI shows as if I'm logged in, but API calls are failing with authentication errors
2. Refreshing the page logs me out immediately
3. Access tokens do not appear in the Settings
4. Storage configuration appears blank
5. Notes and images don't appear immediately - must navigate to another section to make them appear
6. Cannot make changes to notes after they appear

Expected Behavior

Authentication should work properly when accessing through Cloudflare Tunnels, just as it does when accessing directly.

Logs

2025/03/12 18:17:17 INFO client error method=/memos.api.v1.InboxService/ListInboxes error="rpc error: code = Unauthenticated desc = invalid access token"
2025/03/12 18:17:20 INFO OK method=/memos.api.v1.InboxService/ListInboxes
2025/03/12 18:21:00 INFO client error method=/memos.api.v1.UserService/GetUserSetting error="rpc error: code = Unauthenticated desc = invalid access token"
2025/03/12 18:21:01 INFO client error method=/memos.api.v1.UserService/ListUserAccessTokens error="rpc error: code = Unauthenticated desc = invalid access token"
2025/03/12 18:21:01 INFO client error method=/memos.api.v1.WorkspaceSettingService/GetWorkspaceSetting error="rpc error: code = PermissionDenied desc = permission denied"
2025/03/12 18:21:01 INFO OK method=/memos.api.v1.WorkspaceSettingService/GetWorkspaceSetting
2025/03/12 18:21:01 INFO client error method=/memos.api.v1.InboxService/ListInboxes error="rpc error: code = Unauthenticated desc = invalid access token"
2025/03/12 18:21:10 INFO client error method=/memos.api.v1.AuthService/GetAuthStatus error="rpc error: code = Unauthenticated desc = user not found"

Additional Context

• The configuration works perfectly with R2 Bucket when accessed via localhost or local DNS
• The app appears to be functioning on cache when accessed through Cloudflare Tunnels
• This behavior consistently occurs only when Cloudflare Tunnels is in the access chain

Steps to reproduce

Possible Cause

There might be issues with how authentication cookies or tokens are being handled when passing through Cloudflare Tunnels. It's possible headers are being modified or not properly forwarded.

I can provide additional information about my Kubernetes setup or steps to reproduce if needed.

The version of Memos you're using

v0.24.0

Screenshots or additional context

No response

[ehsundar]

I've read the code associated with the issue you mentioned. This error only happens when your JWT is valid. However the exact JWT in the cookies is not equal to any of your issued tokens. It seems like you're running all instances without changing secrets, and your requests are forwarded to another instance maybe on your machine. Please make sure there is only one instance on your machine and try removing users and user_setting items if possible.

[ehsundar]

BTW @boojack it's not safe at all to store the whole nine yard JWT in the database. You could have removed the signature and then there wouldn't be any vuln anymore. I could do so (without any breaking changes) if it seems right to you.

[johnnyjoygh]

it's not safe at all to store the whole nine yard JWT in the database.

@ehsundar Agree, but one thing to note is that we should and will record users' historical login data in the database, including device information (OS, browser, etc.), IP address, and so on. Of course, this could also be another security-related topic.

You could have removed the signature and then there wouldn't be any vuln anymore.

Please feel free to open a PR.