-
We just released a new surfer app version, which is a major version upgrade, since it moves from LDAP to OpenID integration.
Also the cli tool now only supports access tokens. So if you use username+password in some CI/CD script with surfer. Make sure to move that to access tokens.
Because of those breaking changes, the app instances have to be updated manually via the Cloudron dashboard.
-
I just updated my first instance to the new Surfer (still with Cloudron 7.4) and am wondering if the upgrade should work out of the box.
When loading the login form and putting in my user (and 2fa) nothing seems to happen on submit (the page just stays the same). In the browser console I can see a cors error being logged on the initial load of the page.
curl 'https://my.domain.com/openid/auth?client_id=111&scope=openid%20profile%20email&response_type=code&redirect_uri=https%3A%2F%2Fstatic.domain.com%2Fapi%2Foidc%2Fcallback&nonce=111&state=111&code_challenge_method=S256&code_challenge=111' \ -H 'authority: my.domain.com' \ -H 'accept: */*' \ -H 'accept-language: en-GB,en;q=0.9,de;q=0.8,de-DE;q=0.7,en-US;q=0.6,nl-NL;q=0.5,nl;q=0.4' \ -H 'dnt: 1' \ -H 'origin: https://static.domain.com' \ -H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "Linux"' \ -H 'sec-fetch-dest: empty' \ -H 'sec-fetch-mode: cors' \ -H 'sec-fetch-site: same-site' \ -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \ --compressedTrying to submit the form then results in an error 500:
curl 'https://my.domain.com/openid/interaction/111/login' \ -H 'authority: my.domain.com' \ -H 'accept: */*' \ -H 'accept-language: en-GB,en;q=0.9,de;q=0.8,de-DE;q=0.7,en-US;q=0.6,nl-NL;q=0.5,nl;q=0.4' \ -H 'content-type: application/json; charset=UTF-8' \ -H 'cookie: _interaction=111; _interaction.sig=111' \ -H 'dnt: 1' \ -H 'origin: https://my.9wd.eu' \ -H 'referer: https://my.comain.com/openid/interaction/111' \ -H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "Linux"' \ -H 'sec-fetch-dest: empty' \ -H 'sec-fetch-mode: cors' \ -H 'sec-fetch-site: same-origin' \ -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \ --data-raw '{"username":"felix","password":"111","totpToken":"111"}' \ --compressedThese are the logs I can find in https://my.domain.com/logs.html?id=box that match with this:
Jun 29 16:58:50 box:apphealthmonitor app health: 19 running / 1 stopped / 0 unresponsive Jun 29 16:58:53 box:oidc [Interaction] find id:111 Jun 29 16:58:53 box:oidc [Interaction] find id:111 { id: '111', expiresIn: 3600, payload: { iat: 1688050314, exp: 1688053914, returnTo: 'https://my.domain.com/openid/auth/111', prompt: { name: 'login', reasons: [Array], details: {} }, params: { client_id: '111', code_challenge: '111', code_challenge_method: 'S256', nonce: '111', redirect_uri: 'https://static.domain.com/api/oidc/callback', response_type: 'code', scope: 'openid profile email', state: '111' }, kind: 'Interaction', jti: '111' }, consumed: false Jun 29 16:58:53 box:oidc route interaction login post uid:111 prompt.name:login invalid DN at /home/yellowtent/box/src/oidc.js:474:38 at runMicrotasks (<anonymous>) at processTicksAndRejections (node:internal/process/task_queues:96:5) -
G girish moved this topic from Announcements on
-
N nebulon marked this topic as a question on
-
The update should work as such, and unfortunately I am not able to reproduce the issue. Neither on Cloudron v7.4.2 nor v7.5 and also with 2fa setup.
The callstack showing /home/yellowtent/box/src/oidc.js:474 is also curious as with v7.4.1 it would be https://git.cloudron.io/cloudron/box/-/blob/v7.4.1/src/oidc.js?ref_type=tags#L474
-
We just released a new surfer app version, which is a major version upgrade, since it moves from LDAP to OpenID integration.
Also the cli tool now only supports access tokens. So if you use username+password in some CI/CD script with surfer. Make sure to move that to access tokens.
Because of those breaking changes, the app instances have to be updated manually via the Cloudron dashboard.
@nebulon said in Surfer version 6:
Because of those breaking changes, the app instances have to be updated manually via the Cloudron dashboard.
Ohh that's painful as we have hundred+ surfer instances and none of the issues mentioned.
This will only get amplified in a multi-cloudron setup too.
We need a better solution than manual updates.
Any ideas?
-
The update should work as such, and unfortunately I am not able to reproduce the issue. Neither on Cloudron v7.4.2 nor v7.5 and also with 2fa setup.
The callstack showing /home/yellowtent/box/src/oidc.js:474 is also curious as with v7.4.1 it would be https://git.cloudron.io/cloudron/box/-/blob/v7.4.1/src/oidc.js?ref_type=tags#L474
-
@nebulon said in Surfer version 6:
with v7.4.1 it would be
I just checked and I am on 7.4.2. on Ubuntu 20.04 (just recently upgraded from 18.04). Maybe my machine is the odd one out, but if you want to check the system out let me know.
-
G girish marked this topic as a regular topic on
-
R robi referenced this topic on
