Bookstack: HTTPS connection downgraded to HTTP after social login success
After a user successfully authenticated using the social AzureAD login, BookStack receives Azure's login redirect (via HTTPS) but drop to HTTP when redirecting to the homepage. I could not test it using a different authentication provider but this issue should not be limited to AzureAD logins.
This issue occurs due to a faulty location header in BookStack's callback handler response.
https://github.com/BookStackApp/BookStack/blob/8fcb0e6820467020f5694200605e1c92c1d637d8/app/Auth/Access/SocialAuthService.php#L112
The app URL is set to HTTPS.
Steps To Reproduce
- Start the authentication flow using the AzureAD authentication driver
- Login on the Microsoft login page
- Get redirected to BookStack
- Get redirected again to the intended page (or /)
- The connection is now no longer secured using HTTPS but is established via HTTP
Expected behavior
After the callback by AzureAD is processed, don't redirect the user to the insecure HTTP site.
Screenshots
Configuration
- BookStack Version: v0.26.2
- PHP Version: 7.something
- Hosting Method (Nginx/Apache/Docker): Docker using NGINX
mariuskiessling
All 6 comments
I am observing the same issue and would be interested in seeing this fixed. Especially for end users or network environments with high-security awareness, this might cause failures or losing trust to BookStack.
erosinger
on 15 Jul 2019
Thanks for the clear information @mariuskiessling.
This is likely due to BookStack being behind a proxy, in which case BookStack is actually receiving the original request via HTTP which is remembered as a location for this redirect action.
It's likely related to #1459 which is due to be looked at for the next release therefore I'll also include this to be looked at.
ssddanbrown
on 15 Jul 2019
@ssddanbrown That鈥檚 a really good point. We are running BookStack behind an envoy proxy as part of a service mesh. The encryption of traffic is fully transparent to the service thus every connection looks like HTTP to BookStack.
Would it make sense to split the indented path and only save the relative path to the requested ressource? If needed the application鈥檚 domain could be prefixed. This would also only require minor modifications.
mariuskiessling
on 15 Jul 2019
@mariuskiessling Yeah, That makes sense and is the general plan. It may be a little tricky though as you never know how that URL will be transformed by the time it reaches BookStack, Some people may have BookStack on a deep nested path (https://example.com/my/lovely/cat/wiki) which would need be be handled properly.
Since originally writing much of the original URL logic I've gotten a better grasp of the Laravel framework and I can now see a cleaner way to handle URLs in BookStack so I'll probably do this as part of a larger refactor for the next release.
ssddanbrown
on 15 Jul 2019
Significant changes have been made to URL generation in 4b0c4e621a55d5f6f59de7451c7442a4571ad72e which should now fix this.
These changes will be in the next release, v0.27. I will close this request in the meantime. If you continue to experience issues after that version is released please open a new issue referencing this one.
ssddanbrown
on 4 Aug 2019
@ssddanbrown Thank for addressing this issue so quickly!
mariuskiessling
on 4 Aug 2019
Related issues
tpetrauskas
路
4Comments
Nedimko123
路
3Comments
spacesven
路
3Comments
Legoracers
路
3Comments
Abijeet
路
3Comments
Most helpful comment
Significant changes have been made to URL generation in 4b0c4e621a55d5f6f59de7451c7442a4571ad72e which should now fix this.
These changes will be in the next release, v0.27. I will close this request in the meantime. If you continue to experience issues after that version is released please open a new issue referencing this one.