Unsecure and incorrect reset token

hotsoup · May 11, 2021, 12:40pm

Examples and configs:

I am using the docker variant of v5 and besides new users (not clients) being unable to register, I also get a unsecure page before sending the new password after a reset request. On all the other pages the Let’s encrypt certificate is working as should.

The token in the URL also doesn’t match the one in the database.

I followed the setup process over on github /invoiceninja/dockerfiles

I have attached the docker-compose.yml, env en hosts in hopes that someone might spot the mistake or issue that might be causing this.

As for my reverse proxy I use nginx or to be more precise Nginx Proxy Manager with a default conf and a Let’s Encrypt Certificate. Where it routes from the local x.x.x.10:88 to finance.example.com

For my host file and extra hosts I set it to my local IP of the machine that it’s running on. The only variable containing the subdomain is the APP_URL.

The SMTP part works like a charm, sends out the invoices and password resets but with a invalid token.

hillel · May 11, 2021, 3:36pm

Hi,

It’s the first time I’ve heard of this issue.

@david @ben any thoughts?

david · May 11, 2021, 9:21pm

Does the same error occur when using the provided dockerfile - unmodiified - from the repo?

This sounds like a proxy issue.

hotsoup · May 12, 2021, 8:06am

@david by dockerfile do you mean the docker-compose.yml or the makefile from the repo?
I will also try not using a external mariadb as database and use the provided in the compose and see if that helps.

hotsoup · May 12, 2021, 8:34am

@david @hillel Regarding the docker version.

If my local IP is x.x.x.10 and I want to run it through a reverse proxy I can just fill in x.x.x.10 everywhere where it states the default 192.168.0.124, also within the compose file and for my APP_URL I would need to fill out the actual domain as in finance.example.com correct?

david · May 12, 2021, 8:44am

@hotsoup

Yes, just replace with your network config. Also if you are running behind a proxy, you’ll need to configured the TRUSTED_PROXIES= environment variable

hotsoup · May 12, 2021, 8:58am

@david
If I understand correctly I would need to add the TRUSTED_PROXIES in my ENV as

TRUSTED_PROXIES=https://finance.example.com

Do I also need to add anything within the compose file or is the env enough?
The in5.test can be kept as is right?

Btw thanks for the quick responding

hotsoup · May 12, 2021, 9:17am

I’ve now setup it up like this https://imgur.com/a/90QFWKX I will give it a try and come back if the problem remains

david · May 12, 2021, 10:09am

I believe the trusted proxy will be the internal local network IP so for you x.x.x.10/0 etc.

hotsoup · May 12, 2021, 10:38am

So @david I did a fresh install and after setting the trusted proxy to x.x.x.10/0 the setup pages properly opens but now this occurs file(/var/www/app/.env): failed to open stream: No such file or directory.

[Album] imgur.com

Only thing I changed is the local IP from 192.x.x.x to mine x.x.x.10 and added trusted proxy, kept default database image and default db credentials, but no luck.

This is what my setup page looks like, after adding a first admin user it reverts empty with the error message in the link above.