-
Notifications
You must be signed in to change notification settings - Fork 394
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Broken Invitation Links - http://kong is the domain #1228
Comments
I think this was introduced in PR #999, where a bit of magic is used to determine the hostname regardless of the configured In my case the host in the confirmation mails is set to |
There is some breaking change in a minor release: In our case, after upgrading Docker image to anything above v2.67.0 (correct)
v2.67.1 (broken)
I've tried to reproduce this outside of the docker environment, kong etc. by injecting our configuration through Unfortunately I don't have much time currently to add some additional logging to the code, compile the binary and debug/run it from the Docker context, to understand at which stage the URL does get broken. |
I suspect that it's part of the: baseUrl := config.API.ExternalURL
xForwardedHost := req.Header.Get("X-Forwarded-Host")
xForwardedProto := req.Header.Get("X-Forwarded-Proto")
if xForwardedHost != "" && xForwardedProto != "" {
baseUrl = fmt.Sprintf("%s://%s", xForwardedProto, xForwardedHost)
} else if req.URL.Scheme != "" && req.URL.Hostname() != "" {
baseUrl = fmt.Sprintf("%s://%s", req.URL.Scheme, req.URL.Hostname())
} Sorry for mentioning you directly: @kangmingtay, but perhaps you could help us to understand the intention behind these two In our case we run Kong in the HTTP context, as we terminate SSL at the upper layer. I suspect that because of Kong running in |
Our infamous fix is here: v2.151.0...tomekit:auth:v2.151.0_tr it's likely not something that should be merged to |
@tomekit we use those headers to determine the hostname to use for email links and the In the supabase context, the
does kong forward the original request url in a header? |
I'm facing the same problem. |
I am not sure, I am using default kong setup from: https://supabase.com/docs/guides/self-hosting/docker |
I'm also having this issue (as reported in the original issue, with The issue is present with |
I'm not sure if anyone has realized but in the docker-compose.yml it states |
i verify and ok in 2.67.0 but using 2.99.00 not work correct |
Is present bug in v2.67.1 and next. In v2.67.0 is correct use of SUPABASE_URL in sended e-mal link. |
Issue is indeed still there. Would be nice to somehow be able to specify this. |
How come this issue is not prioritized? If I'm not mistaken then all affected by this issue are vulnerable to man-in-the-middle attacks because of the unencrypted traffic. 🤔 I'm self-hosting with docker and it seems that all email links are currently with Is there a workaround to force Sorry for the direct mentions, but it seems that you guys could have some more info on this. @tomekit @kangmingtay |
@Obeyed How are you self-hosting? What are the environment variables added to the GoTrue/Auth container? |
With docker swarm behind nginx proxy. Have Using image I assume these two environment variables are the relevant ones (not the real domains, but you get the idea):
This is the example link from an invitation email that would be sent out:
Notice, the Any other info that can help? |
Hi @Obeyed, Given that Supabase team is likely busy with other items your best bet is either to wait or apply it yourself and build a Docker image, alternatively use our build: Good luck ! |
@hf do you need any more info? It would be great to get some insight into how this can be set up such that it works as expected. Right now I'm unsure of which HTTP Headers / Environment Variables to set to get the desired output with |
Yes you probably need to set those headers deep in your stack, both in Kong and/or Nginx. GoTrue uses these headers to allow you to host the Auth server on multiple domains. Unfortunately I'm not an expert in Kong so can't help you out there. |
If you want you can open a PR that adds a new config variable to ignore those headers in GoTrue. |
Up till version 2.67.0, this worked properly as expected. Though it's cool to be able to specify multiple custom domains (the feature in 2.67.1 which if I understand correctly introduced the breaking change), this leaves many of us self-hosters without the option to properly specify even a single domain. It seems weird to have an If it is too much to ask for the original functionality to be brought back, perhaps the variable In the meantime, I thought I'd mention our solution which might be a bit obvious but could be useful to some: we've implemented custom endpoints for those actions that need to send emails (e.g. magic link, reset password), calling |
This affects |
I also think that this problem is quite serious, and I hope it can be properly resolved, otherwise privatized deployment will be affected. If I have the ability I will also try to submit a PR. |
In the docker-compose.yml file there is a line SUPABASE_URL: http://kong
This worked for me and the Invite emails are now giving the correct link. |
However, this means that STUDIO will attempt to access kong from the outside For security reasons, it is recommended that studio access kong from within the docker container While helpful in the short term, this problem needs to be fixed in the long term. |
In my case it also happens when trying to reset my password :( Any progress on this? I see this problem has been here for a while. |
This was bugging me hard. So I added a force no-change environment variable and submitted a PR. With the changes:
.env: API_EXTERNAL_URL=https://sb.mydomain.com/auth/v1
API_FORCE_EXTERNAL_URL=true Kubernetes: environment:
API_EXTERNAL_URL: https://sb.mydomain.com/auth/v1
API_FORCE_EXTERNAL_URL: "true" Fix repo: nickmitchko/auth |
@nickmitchko Thanks much, because this was getting really boring... |
We can temporarily fix this by changing the |
We have the same issue. |
I find it really unbelievable this issue is still open. |
If I find time I'll update my repo with the latest changes again. |
I am experiencing a similar issue with the storage API, |
still facing the same issue |
MAILER_URLPATHS_CONFIRMATION="${API_EXTERNAL_URL}/auth/v1/verify" this works |
Adds a new config option `GOTRUE_MAILER_EXTERNAL_HOSTS` that serves as an allowlist to all the acceptable hosts provided to the APIs. Fixes #1228
🤖 I have created a release *beep* *boop* --- ## [2.163.1](v2.163.0...v2.163.1) (2024-10-22) ### Bug Fixes * external host validation ([#1808](#1808)) ([4f6a461](4f6a461)), closes [#1228](#1228) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
hi everyone, we fixed this issue recently by specifying a new config param - this is somewhat similar to the suggestion @nickmitchko proposed but we're solving it with an allow list rather than a flag to disable it |
Hi @kangmingtay I setup a self-host Supabase and ran into an error that suggests I have been wondering why, so if you or someone can advise, that will be great. I was following Calvin's excellent tutorial on turning on SAML SSO. https://calvincchan.com/blog/self-hosted-supabase-enable-sso |
excellent- now, the crucial bit that seems to elude the internet, where can I set this value? (using supabase-cli for local docker env)
What is the officially blessed location? |
@gavinc I wasn't sure myself, so I just did some greps through Supabase CLI and it seems to maintain a mapping of toml config -> auth env values. Unfortunately I don't see this config value mapped so a pull request would need to be made on the CLI to set them from the toml file. A quick hack for you might be to add your own # See the current setting for env var: GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED
curl -s http://127.0.0.1:54321/auth/v1/settings | jq -r '.external.anonymous_users'
docker exec -u root -it 2f883354b5a0 \
/bin/sh -c \
'echo "GOTRUE_EXTERNAL_ANONYMOUS_USERS_ENABLED=true" > .env'
# Append any other settings you want, or just cp a file into the container.
docker exec -u root -it 2f883354b5a0 \
/bin/sh -c \
'echo "GOTRUE_MAILER_EXTERNAL_HOSTS=http://myexternalhost.local" >> .env'
# Restart container
docker restart 2f883354b5a0
# Both env vars should now be updated, we make sure the file was read by
# checking the settings endpoint.
curl -s http://127.0.0.1:54321/auth/v1/settings | jq -r '.external.anonymous_users' |
Really appreciate the hack @cstockton - I did manage to apply it (to the Auth container) and did indeed see that the reload applied the externa_anon change - saw the GO_TRUE in the .env file... and yet inthe auth logs still getting: as if I hadn't put in http://localhost:3000/ :( This is all in an attempt to stop supabase from apparently eating the invite params when forwarding to the auth callback. My hunt continues :( |
This is failing for me too :/ @gavinc any progress? @kangmingtay:
|
In the end I had to shamefully merely assume that it works on production and get a workaround system built where I can give it an invite URL and it will give me back the URL that supabase would create if this was working correctly, so that I can check my flow. |
Bug report
Describe the bug
Currently, when sending an invitation to a user, the invitation link in the email is
http://kong/auth/v1/verify?token=xxx
rather than the proper domain.To Reproduce
Steps to reproduce the behaviour, please provide code snippets or a repository:
Expected behaviour
It was expected that the invitation URL to contain the configured URLs in the
.env
file rather thanhttp://kong
as the domain.The text was updated successfully, but these errors were encountered: