
Web assets are not served without authentication

Open Stealthii opened this issue 3 years ago • 5 comments

On a first-time run, I cannot open the login page, due to a syntax error in the requested JS files.

On further inspection, the CSS and JS files served by the webapp actually contain the same HTML as the initial request to /requestrr/auth/login: [Screenshot 2021-04-16 at 01 18 08]

All of the assets served have this issue. I am using the latest image available from ghcr.io/linuxserver/requestrr:latest

  • /requestrr/static/css/2.cf6d147e.chunk.css
  • /requestrr/static/css/main.86e135fd.chunk.css
  • /requestrr/static/js/2.3e5ff122.chunk.js
  • /requestrr/static/js/main.291a028f.chunk.js
  • /requestrr/favicon.ico

Because of this, login can't be performed, which would allow use of the cached assets for future logins, and setup can't be performed.

Stealthii avatar Apr 16 '21 00:04 Stealthii

It looks like this bug was introduced in 1.0.14 via commit 169a9fc - the logic here forcibly redirects any links not to /auth. or /admin to the login URI. This should be updated to include /static at the very least.

PR #82 fixes this issue with the least impact. The fix in 169a9fc is a bit of a hotfix and should ideally be fixed with better route handling in the application.

Stealthii avatar Apr 16 '21 14:04 Stealthii

Hello, unfortunately I do not own or maintain the Linuxserver image for Requestrr.

Can you confirm that the issue you're experiencing is still present with the official image?

Thanks.

darkalfx avatar Apr 16 '21 15:04 darkalfx

Hi @darkalfx - I've tested this with darkalfx/requestrr:latest as well and the same issue occurs. Unfortunately, my fix (#82) doesn't fix this issue either (as it's not a client side redirect that's happening, but the actual response from the server being the auth HTML page).

Stealthii avatar Apr 18 '21 17:04 Stealthii

Are you able to provide repro steps for this so I can test it on my end?

darkalfx avatar Apr 18 '21 17:04 darkalfx

Hi! I'm able to repro this with the latest image. Has there been any fix for this in the past year?

Reverse proxy is Traefik 2, set up on my internal subdomain with the path /requestrr. The following assets return the HTML auth page instead of the expected static assets. Note the sizes and type column:

[Screen Shot 2022-07-04 at 6 54 08 PM]

Browser is Firefox 102 on macOS. Full image used: darkalfx/requestrr:latest@sha256:26c8695d198506a0d7cedf732bf6fbd3946e43b45b22e1ddb48e13de6d3ea243

Docker swarm/compose:

    requestrr:
        image: darkalfx/requestrr
        volumes:
            - requestrr_config:/root/config
        networks:
            - web
        deploy:
            labels:
                traefik.enable: 'true'
                traefik.http.routers.requestrr.entrypoints: websecure
                traefik.http.routers.requestrr.rule: 'Host(`[redacted]`) && PathPrefix(`/requestrr`)'
                traefik.http.services.requestrr.loadbalancer.server.port: 4545

Am I missing anything here?

ChaosExAnima avatar Jul 04 '22 22:07 ChaosExAnima
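
Added example, not part of the thread or of Requestrr's code: a small check for the symptom reported above, where asset URLs come back with the login page's HTML instead of CSS, JS or an icon. The function name, the record shape (`path`, `contentType`, `body`) and the sample responses are assumptions constructed for illustration; the paths are the ones listed in the issue.

```javascript
// Added diagnostic example; not Requestrr code. Response records are constructed.

// Substring a browser expects in Content-Type for the asset extensions in the issue.
const EXPECTED = { ".css": "text/css", ".js": "javascript", ".ico": "image/" };

// Return one finding per asset that was answered with the login page or as HTML.
function findShadowedAssets(login, assets) {
  const findings = [];
  for (const a of assets) {
    const ext = a.path.slice(a.path.lastIndexOf("."));
    const type = (a.contentType || "").toLowerCase();
    const reasons = [];
    // Same bytes as the login route: the auth page was returned for this path.
    if (a.body === login.body) reasons.push("body identical to login page");
    if (type.startsWith("text/html")) {
      reasons.push("served as text/html");
    } else if (EXPECTED[ext] && !type.includes(EXPECTED[ext])) {
      reasons.push(`unexpected content type ${type || "(none)"}`);
    }
    if (reasons.length) findings.push({ path: a.path, reasons });
  }
  return findings;
}

// Constructed sample: the behaviour the thread reports, plus one healthy asset.
const LOGIN_HTML = '<!doctype html><html><body><div id="root"></div></body></html>';
const login = { path: "/requestrr/auth/login", contentType: "text/html", body: LOGIN_HTML };
const sample = [
  { path: "/requestrr/static/css/main.86e135fd.chunk.css", contentType: "text/html", body: LOGIN_HTML },
  { path: "/requestrr/static/js/main.291a028f.chunk.js", contentType: "text/html", body: LOGIN_HTML },
  { path: "/requestrr/favicon.ico", contentType: "image/x-icon", body: "\u0000\u0000\u0001\u0000" },
];

for (const f of findShadowedAssets(login, sample)) {
  console.log(f.path, "->", f.reasons.join("; "));
}
```

Filling the records from real responses (for example from the browser's network panel) shows at a glance whether every asset under the path prefix is being answered by the auth route.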