Bug: multiple login prompts on web server.

Bug #1782068 reported by lightmaster
This bug affects 1 person
Affects: calibre
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Every time I log into the Calibre web server, it asks for my username and password 3 times. I've figured out that I can enter it correctly the first time, and then hit cancel for the second and third prompts so I don't have to type it multiple times.

It asks on the submission page if this is a security vulnerability. Since this bug has to do with login prompts, I'm not sure whether or not there's a security hole that could be exploited here, so I'll tick that box just in case. Apologies if this is not the correct thing to do.

Calibre version: 3.27.1
OS: Ubuntu 16.04 (headless server)

Kovid Goyal (kovid) wrote: Re: calibre bug 1782068

I cannot replicate this with a server running on Linux and using either
up-to-date versions of chrome or firefox also running on linux.

The only way I know of for you to get extra login prompts is if the
browser is making multiple requests for different password protected
resources from the server. The calibre webapp does not do this, since it
works by first downloading a single file that contains all assets
bundled up and only after that loads does it make subsequent requests.

So what browser and on what platform are you using? And how are you
running the server? With what options? behind a reverse proxy? With SSL?

From your description I am guessing something along the network path
between the server and the browser is injecting code into the HTML the
server sends, causing the issue. First try running the server+browser on
localhost and see if that eliminates the issue.
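
Added example (not part of the bug thread and not calibre's code) illustrating the explanation above: a browser shows one login prompt for every 401 it cannot answer from memory, so the number of prompts equals the number of protected resources the client requests without reusing the credentials it was just given. The script below stands up a throwaway Basic-auth server on localhost (the realm "calibre", the user "reader" and the three resource paths are assumptions chosen for the demonstration) and fetches the same three resources twice: once as a well-behaved client that remembers the credentials after the first challenge, and once as a client that forgets them between requests.

```python
"""
Constructed demonstration (not calibre's code): the number of HTTP Basic
Auth challenges (401 responses) a client sees depends on whether it reuses
the credentials for later requests to the same realm.  A browser turns
every unanswered 401 into a login prompt, so "one prompt per resource"
is the symptom of credentials not being reused.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed values for the demonstration; a real server's realm and users
# are whatever it was configured with.
REALM = "calibre"
USERNAME = "reader"
PASSWORD = "s3cret"
EXPECTED = "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()

# Constructed resource set: one bundle plus two follow-up assets.
RESOURCES = {
    "/": b"<html>bundle</html>",
    "/static/app.js": b"// app",
    "/opds": b"<feed/>",
}


class AuthHandler(BaseHTTPRequestHandler):
    """Every path is protected by Basic auth in a single realm."""

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.headers.get("Authorization") != EXPECTED:
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        body = RESOURCES.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind to an ephemeral port on localhost and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), AuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_all(port, reuse_credentials):
    """Request every resource in order and return the number of 401 challenges.

    A well-behaved client answers the first 401 and then sends the same
    Authorization header on later requests to the same realm, so it is
    challenged once.  A client that forgets the credentials is challenged
    once per resource, which in a browser is one login prompt per request.
    """
    challenges = 0
    remembered = None
    conn = http.client.HTTPConnection("127.0.0.1", port)
    for path in RESOURCES:
        headers = {"Authorization": remembered} if remembered else {}
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        if resp.status == 401:
            challenges += 1
            # Answer the challenge, as a user typing into the prompt would.
            conn.request("GET", path, headers={"Authorization": EXPECTED})
            resp = conn.getresponse()
            resp.read()
            if resp.status != 200:
                raise RuntimeError(f"unexpected status {resp.status} for {path}")
            if reuse_credentials:
                remembered = EXPECTED
    conn.close()
    return challenges


def demo():
    """Return (challenges with credential reuse, challenges without)."""
    srv = start_server()
    try:
        port = srv.server_address[1]
        return (fetch_all(port, reuse_credentials=True),
                fetch_all(port, reuse_credentials=False))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    good, bad = demo()
    print(f"credentials reused: {good} challenge(s); not reused: {bad} challenge(s)")
```

The first run is challenged once and the second once per resource, which is exactly the difference between the one-prompt and three-prompt behaviour described in this thread; which side is at fault can only be settled by looking at which requests the browser actually sent without an Authorization header.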

Kovid Goyal (kovid) wrote:

Oh and one thing you can do is open the console in your browser (you
might need to install dev tools first) then when you click cancel on the
extra boxes there should be a message in the console detailing exactly
what HTTP request failed authorization.

Or alternatively look in the server logs for the same information.

 status incomplete

Changed in calibre:
status: New → Incomplete
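
Added example (not part of the bug thread and not calibre's code) for the server-log route suggested above: once you have the access log, the question is which resources answered 401 to which client. The script below parses constructed lines in Apache combined log format (an assumption; calibre's own log format may differ, so adapt the regex) and lists the clients that were challenged on more than one distinct path. The IP addresses, user-agent strings and paths are made up for the demonstration.

```python
"""
Added example: triage access logs for the requests that triggered each
extra HTTP auth challenge.  The sample lines are constructed in Apache
combined log format; that is an assumption, not calibre's log format,
so adjust LOG_RE to whatever your server actually writes.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed user-agent strings for two hypothetical clients.
CHROME_BETA_UA = "Mozilla/5.0 (Linux; Android 8.0) Chrome/68.0.3440.40 Mobile"
FIREFOX_UA = "Mozilla/5.0 (Android 8.0; Mobile) Firefox/68.0"


def _line(ip, user, path, status, ua):
    """Build one constructed combined-log line."""
    return (f'{ip} - {user} [16/Jul/2018:20:01:10 +0000] '
            f'"GET {path} HTTP/1.1" {status} 0 "-" "{ua}"')


SAMPLE_LOG = "\n".join([
    # Client 1: challenged on every resource, i.e. three login prompts.
    _line("10.0.0.5", "-", "/", 401, CHROME_BETA_UA),
    _line("10.0.0.5", "reader", "/", 200, CHROME_BETA_UA),
    _line("10.0.0.5", "-", "/static/app.js", 401, CHROME_BETA_UA),
    _line("10.0.0.5", "reader", "/static/app.js", 200, CHROME_BETA_UA),
    _line("10.0.0.5", "-", "/opds", 401, CHROME_BETA_UA),
    _line("10.0.0.5", "reader", "/opds", 200, CHROME_BETA_UA),
    # Client 2: challenged once, then reuses the credentials.
    _line("10.0.0.6", "-", "/", 401, FIREFOX_UA),
    _line("10.0.0.6", "reader", "/", 200, FIREFOX_UA),
    _line("10.0.0.6", "reader", "/static/app.js", 200, FIREFOX_UA),
    _line("10.0.0.6", "reader", "/opds", 200, FIREFOX_UA),
])


def parse(log_text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            yield m.groupdict()


def challenges_per_client(log_text):
    """Map (client ip, user agent) -> Counter of paths that answered 401."""
    out = defaultdict(Counter)
    for rec in parse(log_text):
        if rec["status"] == "401":
            out[(rec["ip"], rec["ua"])][rec["path"]] += 1
    return dict(out)


def clients_prompted_repeatedly(log_text):
    """Clients that were challenged on more than one distinct resource.

    One 401 per session is normal: the first request goes out before the
    user has typed anything.  A 401 on every resource means the client is
    not reusing the credentials it was just given, which in a browser shows
    up as one login prompt per request.
    """
    return sorted(
        client for client, paths in challenges_per_client(log_text).items()
        if len(paths) > 1
    )


if __name__ == "__main__":
    for (ip, ua), paths in challenges_per_client(SAMPLE_LOG).items():
        print(ip, ua, dict(paths))
    print("repeat prompts:", clients_prompted_repeatedly(SAMPLE_LOG))
```

Run it against a real log by passing the file's contents to `clients_prompted_repeatedly`; the paths listed for a repeatedly-prompted client are the requests to check in the browser's network tab, since they are the ones that went out without an Authorization header.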

lightmaster (lightmaster-tech) wrote:

If I access the webserver through Chrome Beta 68.0.3440.40 running on an Android phone, I get multiple prompts. Firefox 68.0 on the same phone gets 1 prompt. Chrome (non-beta version) 67.0.3396.87 on the same phone gets just 1 prompt.

Running Chromium 65.0.3325.181 on Raspbian OS gets just 1 prompt.

As far as I know, I can't access the console on the mobile version of Chrome.

Does this point to a bug within mobile chrome beta then? I don't use any other site or service that uses the pop-up login style prompt so I don't know if any other site has the same issue as Calibre does on mobile chrome beta.

Kovid Goyal (kovid) wrote:

The popup login is good old HTTP AUTH, a thirty-year-old standard that
is much easier to use in non-browser clients (it does not need
cookies/javascript). The calibre server is designed for use by
non-browser clients as well (OPDS feed readers, dedicated apps like
calibre companion, etc.)

It certainly seems like a bug in chrome, hard to say for sure without
more details. It would be a real pity if chrome decided to break HTTP
AUTH. You can access the console by using the remote debugging feature
in chrome, a quick google should get you the details (basically connect
via usb cable to a computer running desktop chrome and the console opens
up inside desktop chrome).

lightmaster (lightmaster-tech) wrote:

I'll try that tomorrow when I'm home, don't have a USB C to USB A cable at work to connect to a computer.

Kovid Goyal (kovid)
information type: Private Security → Public

Launchpad Janitor (janitor) wrote:

[Expired for calibre because there has been no activity for 60 days.]

Changed in calibre:
status: Incomplete → Expired