Redirection after login - stops
-
Hello o/
Since the last update to 4.3.2, after the login at my.xxx.tld with 2FA enabled, Firefox sometimes redirects to a page called "Cloudron [something] OAuth" with a domain scheme like this: my.xxx.tld/login_callback.html?token=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&state=XXXXXXXXXXXX
Then nothing happens. I also disabled the NoScript plugin entirely and stopped my Pi-hole to test whether these were causing this - no.
I was also able to replicate this in MS Edge and the Chromium browser "Brave".
Wish you all a nice weekend o7
-
So I had a little time to further inspect this issue.
I was able to reproduce this every time in the following setup: Firefox 70.0.1 (64-Bit), Privacy setting "strict".
Typing in the address bar: my.xxx.tld forwards me to https://my.xxx.tld/api/v1/session/login?returnTo=https://my.xxx.tld/login_callback.html
The normal login screen appears, I fill in my credentials and get forwarded to https://my.xxx.tld/login_callback.html?token=[STRING]&state=[STRING]
This site then does nothing.
This is the source code:

```html
<html>
<head>
    <title> Cloudron OAuth Callback </title>
    <script>
        'use strict';

        var search = decodeURIComponent(window.location.search).slice(1).split('&').map(function (item) {
            return item.split('=');
        }).reduce(function (o, k) {
            o[k[0]] = k[1];
            return o;
        }, {});

        if (!search.token) {
            console.error('No token found');
        } else if (!search.state || !window.localStorage.oauth2State || search.state !== window.localStorage.oauth2State) {
            console.error('OAuth2 state error');
        } else {
            // the actual app picks up the access token from localStorage
            localStorage.token = search.token;

            // clear oauth2 state
            delete window.localStorage.oauth2State;

            var returnTo = window.localStorage.returnTo;
            delete window.localStorage.returnTo;

            if (returnTo) window.location.href = returnTo;
            else window.location.href = '/';
        }
    </script>
</head>
<body> </body>
</html>
```
As @murgero said, yes; when I then just remove the "/login_callback.html?token=[STRING]&state=[STRING]" in the address bar, everything works fine.
This is the browser log, if it helps:
```
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMWindowUtils.removeSheetUsingURIString]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource://gre/modules/ExtensionCommon.jsm :: runSafeSyncWithoutClone :: line 75" data: no] 2 ExtensionCommon.jsm:75:12
    runSafeSyncWithoutClone resource://gre/modules/ExtensionCommon.jsm:75
    cleanup resource://gre/modules/ExtensionContent.jsm:402
    close resource://gre/modules/ExtensionContent.jsm:925
    destroyed resource://gre/modules/ExtensionContent.jsm:1010
    observe resource://gre/modules/ExtensionContent.jsm:1028
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
Content Security Policy: 'x-frame-options' wird wegen 'frame-ancestors'-Direktive ignoriert.
[Exception... "Favicon at "https://my.xxx.tld/favicon.ico" failed to load: Not Found." nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: resource:///modules/FaviconLoader.jsm :: onStopRequest :: line 236" data: no]
```
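The branch logic of the callback script quoted in the post above, restated as a pure function so each path can be exercised outside a browser. This is an added example, not part of the original post and not Cloudron's code; `handleCallback`, `runCases` and all sample values are constructed, and parsing uses `URLSearchParams` instead of the page's manual split. In the quoted script both error branches only write to the console and never navigate, so in either case the page stays blank.

```javascript
// Added example (hypothetical names). Models login_callback.html's decision:
// accept the token only if the `state` in the URL equals the value the app
// stored before redirecting to the login page (the OAuth2 CSRF check).
function handleCallback(search, storage) {
  // URLSearchParams splits first and decodes each value afterwards, so an
  // encoded '&' or '=' inside a value cannot be mistaken for a separator.
  const params = new URLSearchParams(search);
  const token = params.get('token');
  const state = params.get('state');

  if (!token) {
    return { action: 'stay', error: 'No token found' };
  }
  if (!state || !storage.oauth2State || state !== storage.oauth2State) {
    // Covers three cases: no state in the URL, nothing stored, or a mismatch.
    return { action: 'stay', error: 'OAuth2 state error' };
  }

  storage.token = token;          // the app later reads the token from storage
  delete storage.oauth2State;     // state is single-use
  const returnTo = storage.returnTo;
  delete storage.returnTo;
  return { action: 'redirect', to: returnTo || '/' };
}

// Constructed inputs; a plain object stands in for window.localStorage.
function runCases() {
  const ok = { oauth2State: 'abc123', returnTo: '/#/apps' };
  return {
    match: handleCallback('?token=t0k&state=abc123', ok),
    storageAfterMatch: ok,
    emptyStorage: handleCallback('?token=t0k&state=abc123', {}),
    mismatch: handleCallback('?token=t0k&state=zzz', { oauth2State: 'abc123' }),
    noToken: handleCallback('?state=abc123', { oauth2State: 'abc123' }),
  };
}

console.log(JSON.stringify(runCases(), null, 2));
```

The error string returned for a `stay` result is the same text the quoted script passes to `console.error`, so the browser console shows which branch was taken.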