
POSTing a message returns 403 only when the Origin header is set. #580

Open
3 of 11 tasks
lilopkins opened this issue Jul 14, 2023 · 3 comments
Labels
a:bug Something isn't working

Comments

@lilopkins

Can the issue be reproduced with the latest available release? (y/n) yes

Which one is the environment gotify server is running in?

  • Docker
  • Linux machine
  • Windows machine
Docker startup command or config file here (please mask sensitive information)
```yaml
  gotify:
    image: docker.io/gotify/server:latest
    restart: always
    networks:
      - proxy
    environment:
      - TZ=Europe/London
      - GOTIFY_DEFAULTUSER_PASS=***
      - GOTIFY_SERVER_CORS_ALLOWORIGINS=[\"*\"]
      - GOTIFY_SERVER_CORS_ALLOWMETHODS=[\"GET\",\"POST\"]
      - GOTIFY_SERVER_CORS_ALLOWHEADERS=[\"Authorization\",\"content-type\"]
    volumes:
      - ./data:/app/data
```

Do you have a reverse proxy installed in front of gotify server? (Please select None if the problem can be reproduced without the presence of a reverse proxy)

  • None
  • Nginx
  • Apache
  • Caddy
Reverse proxy configuration (please mask sensitive information)

On which client do you experience problems? (Select as many as you can see)

  • WebUI
  • gotify-cli
  • Android Client
  • 3rd-party API call (Please include your code)

What did you do?

Triggering a request to gotify through JavaScript sends it alongside some default headers, one of which is Origin.

What did you expect to see?

Sending a cURL request to gotify without an Origin header works as expected:

```text
curl -v 'http://localhost/message?token=***' -X POST -H content-type:application/json --data-raw '{"title":"GH demo","priority":10,"message":" test"}'
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /message?token=*** HTTP/1.1
> Host: localhost
> User-Agent: curl/7.88.1
> Accept: */*
> content-type:application/json
> Content-Length: 51
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Fri, 14 Jul 2023 17:57:04 GMT
< Content-Length: 114
<
* Connection #0 to host localhost left intact
{"id":12,"appid":2,"message":" test","title":"GH demo","priority":10,"date":"2023-07-14T18:57:04.296865466+01:00"}
```

What did you see instead? (Include screenshots, android logcat/request dumps if possible)

Sending a cURL request to gotify with an Origin header set returns a 403:

```text
curl -v 'http://localhost/message?token=***' -X POST -H content-type:application/json -H 'Origin: https://example.com/' --data-raw '{"title":"GH demo","priority":10,"message":" test"}'
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> POST /message?token=*** HTTP/1.1
> Host: localhost
> User-Agent: curl/7.88.1
> Accept: */*
> content-type:application/json
> Origin: https://example.com/
> Content-Length: 51
>
< HTTP/1.1 403 Forbidden
< Content-Type: application/json
< Date: Fri, 14 Jul 2023 17:55:32 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact
```

Note that the example curl requests here are sent from within the container itself to eliminate other causes.

@lilopkins lilopkins added the a:bug Something isn't working label Jul 14, 2023
@eternal-flame-AD
Member

You need to add example.com to the cors allowedorigins in the config file.

Your request is denied because the server thinks somehow example.com made a request out to gotify, so it denies it for security reasons.

@lilopkins
Author

So I've had a play around and it looks like my issue was a combination of two things:

  1. It was unclear from the documentation that the allowedorigins config field was parsed as a regex.
  2. When I was configuring through environment variables, invalid regexes (which throw errors when I use a config file) were just ignored with no warnings or errors shown.

Perhaps this could be in a documentation update, and maybe errors returned from config via environment variables?

@eternal-flame-AD
Member

I think you might have misspelled the config name. I have to admit it is complicated to write entire configs in environment variables, but this one should panic as expected:

```text
> GOTIFY_SERVER_CORS_ALLOWORIGINS="[\")example.com\"]" go run -ldflags="-X main.Mode=prod" .
Starting Gotify version unknown@unknown
panic: regexp: Compile(`)example.com`): error parsing regexp: unexpected ): `)example.com`
```

Another possibility is you are running in dev mode, in dev mode the server ignores this option altogether.
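To make the regex behaviour concrete, here is an added Go example (not gotify's code; `OriginPolicy`, `NewOriginPolicy` and `Allow` are names chosen for this example) of an origin allowlist that compiles each configured entry as a regex, as the panic output above shows gotify does. It rejects invalid entries such as the `*` from the compose file instead of silently dropping them, treats a missing Origin as a non-browser client, and shows why patterns should be anchored.

```go
package main

import (
	"fmt"
	"regexp"
)

// OriginPolicy is a constructed stand-in for a regex-based CORS allowlist, not gotify's code.
type OriginPolicy struct {
	patterns []*regexp.Regexp
}

// NewOriginPolicy compiles every configured pattern up front and returns an error
// for an invalid one instead of dropping it silently (the quiet failure reported above).
func NewOriginPolicy(configured []string) (*OriginPolicy, error) {
	p := &OriginPolicy{}
	for _, s := range configured {
		re, err := regexp.Compile(s)
		if err != nil {
			return nil, fmt.Errorf("cors alloworigins %q: %w", s, err)
		}
		p.patterns = append(p.patterns, re)
	}
	return p, nil
}

// Allow reports whether a request carrying the given Origin may proceed. An empty
// Origin means a non-browser client (curl, gotify-cli), which CORS does not cover.
func (p *OriginPolicy) Allow(origin string) bool {
	if origin == "" {
		return true
	}
	for _, re := range p.patterns {
		if re.MatchString(origin) {
			return true
		}
	}
	return false
}

func main() {
	// "*" is a shell-style glob, not a regex: it fails to compile.
	if _, err := NewOriginPolicy([]string{"*"}); err != nil {
		fmt.Println("rejected:", err)
	}
	// Anchor patterns; note that browsers send Origin without a trailing slash.
	p, _ := NewOriginPolicy([]string{`^https://example\.com$`})
	fmt.Println(p.Allow("https://example.com"), p.Allow("https://example.com.evil.test"))
}
```

An unanchored entry such as `example.com` would also match `https://example.com.evil.test`, so anchoring is what turns the regex into an allowlist rather than a substring check.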
