Skip to content

No helpful errors when attempting to login without email setup #23050

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
1 task done
jrockwar opened this issue Apr 26, 2025 · 18 comments
Open
1 task done

No helpful errors when attempting to login without email setup #23050

jrockwar opened this issue Apr 26, 2025 · 18 comments
Labels
bug [triage] something behaving unexpectedly

Comments

@jrockwar
Copy link

jrockwar commented Apr 26, 2025
edited
Loading

Issue Summary

After upgrading from ghost:5.117.0-alpine to ghost:5.118.0-alpine, admin login is broken: no cookies are set in the browser, and Ghost logs show 403 errors with "Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
Rolling back to ghost:5.117.0-alpine or earlier resolves the issue.

Steps to Reproduce

  1. Deploy Ghost using Docker with the ghost:5.118.0-alpine or ghost:5.118.1-alpine image.
  2. Use a standard nginx reverse proxy (as per this tutorial).
  3. Try to log in to /ghost/#/signin from a new browser or incognito window.
  4. Observe that no cookies are set and login fails with a 403.
  5. Revert Docker with ghost:5.117.0-alpine
  6. Try to log in to /ghost/#/signin from a new browser or incognito window. Login works successfully.
  7. Redeploy with the ghost:5.118.x-alpine image and try to login again. Login fails as described in (4)

If using the same browser that did the initial set-up, then the cookie is already set and login can be completed successfully.

Ghost Version

5.118.0 / 5.118.1

Node.js Version

v18.20.8

How did you install Ghost?

docker-alpine in a Hetzner VPS (Arm64 CAX11); via docker compose as per https://community.hetzner.com/tutorials/ghost-cms-on-arm64-debian

Database type

MySQL 8

Browser & OS version

Tested on MacOS Sequoia: Zen (Firefox) / Chromium / Safari; Android 15: Iceraven (Firefox), Chrome

Relevant log / error output

[2025-04-26 21:06:34] ERROR "GET /ghost/api/admin/users/me/?include=roles" 403 6ms

Authorization failed

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."

Error ID:
    55d2b170-22e2-11f0-90d2-31b40eaea8c0

----------------------------------------

NoPermissionError: Authorization failed
    at authorizeAdminApi (/var/lib/ghost/versions/5.118.1/core/server/services/auth/authorize.js:33:25)
    at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.118.1/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/lib/ghost/versions/5.118.1/node_modules/express/lib/router/route.js:149:13)
    at authenticate (/var/lib/ghost/versions/5.118.1/core/server/services/auth/session/middleware.js:55:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Code of Conduct

  • I agree to be friendly and polite to people in this repository
@github-actions github-actions bot added the needs:triage [triage] this needs to be triaged by the Ghost team label Apr 26, 2025
@jrockwar jrockwar changed the title Regression: Admin login/session cookies broken in ghost:5.118.1-alpine (works in 5.117.0-alpine and earlier) Regression: Admin login/session cookies broken in ghost:5.118.0-alpine (works in 5.117.0-alpine and earlier) Apr 26, 2025
@ErisDS
Copy link
Member

ErisDS commented Apr 27, 2025

Hi @jrockwar, that's all the expected behaviour with our new Device Verification security feature.

https://ghost.org/changelog/2fa/
https://github.com/TryGhost/Ghost/releases/tag/v5.118.0

The 403 error returned from the signin request itself will tell you that a code is required or what's wrong if there was an issue sending the code

The 403 from the request to GET /ghost/api/admin/users/me/?include=roles" is not the request to signin, this is the request used by the admin panel to determine if you're already logged in before showing you the signin screen, you'll see that request and 403 prior to 5.118 as well.

What's curious is you're not getting an error message related to email sending failure or some other issue that clarifies what's going wrong. Are you able to share the log from the actual signin request, which is to the ghost/api/admin/sessions/ endpoint?

@ErisDS ErisDS added the needs:info [triage] Blocked on missing information label Apr 27, 2025
@github-actions github-actions bot removed the needs:triage [triage] this needs to be triaged by the Ghost team label Apr 27, 2025
@github-actions GitHub Actions
Copy link
Contributor

Note from our bot: The needs:info label has been added to this issue. Updating your original issue with more details is great, but won't notify us, so please make sure you leave a comment so that we can see when you've updated us.

@jrockwar
Copy link
Author

jrockwar commented Apr 27, 2025
edited
Loading

Thanks for replying @ErisDS ! This makes sense as email wasn't (isn't) configured yet in my freshly setup blog, so ghost couldn't have sent emails for verification.

However what I don't understand then is:

  • Why, as you say, I didn't get any other message with ERROR severity on the logs (from the browser point of view, the failure on the login page was completely silent and the page just hung).
  • Why the browser/device pair used for the initial setup of the blog can login successfully as staff without email being set up.

I think I saw some INFO messages about email, but nothing that sounded too ominous. I'll try to get you more logs / info so you can see whether this is expected behavior or a genuine issue.

In any case, different problem but there are dozens of tutorials out there for setting up ghost that assume that email isn't required but very much an optional step; it'd be great to update documentation to say it's now a hard requirement. This might make it inviable for some applications like internal documentation for teams on self-hosted environments where it's not feasible/practical to have a mailserver.

@jrockwar
Copy link
Author

jrockwar commented Apr 27, 2025
edited
Loading

This is a less-truncated version of the ghost logs:

[2025-04-27 08:51:30] INFO "GET /ghost/" 200 30ms
[2025-04-27 08:51:30] ERROR "GET /ghost/api/admin/users/me/?include=roles" 403 6ms

Authorization failed

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."

Error ID:
    d00f3050-2344-11f0-a9d7-5d84571a68b5

----------------------------------------

NoPermissionError: Authorization failed
    at authorizeAdminApi (/var/lib/ghost/versions/5.118.0/core/server/services/auth/authorize.js:33:25)
    at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.118.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/lib/ghost/versions/5.118.0/node_modules/express/lib/router/route.js:149:13)
    at authenticate (/var/lib/ghost/versions/5.118.0/core/server/services/auth/session/middleware.js:55:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

[2025-04-27 08:51:30] INFO "GET /ghost/api/admin/site/" 200 6ms
[2025-04-27 08:51:30] INFO "GET /ghost/api/admin/authentication/setup/" 200 10ms
[2025-04-27 08:51:33] WARN Missing mail.from config, falling back to a generated email address. Please update your config file and set a valid from address
[2025-04-27 08:51:33] WARN Missing mail.from config, falling back to a generated email address. Please update your config file and set a valid from address
[2025-04-27 08:52:55] INFO "POST /ghost/api/admin/session" 200 100006ms
[2025-04-27 08:53:13] INFO "POST /ghost/api/admin/session" 200 100006ms

So there is a warning in there about the email. Plus if I leave it long enough, there is a... timeout? after 100 seconds.

However, interestingly, when I go to Settings > Staff, the setting for 2FA is disabled (note I never disabled it manually - this is how it came by default when I setup the blog on 5.118.1):

Image

On the browser side, all I get after 100 seconds is:

Image

Nothing is telling me in an obvious way that:

  • The email sending is failing
  • That email configuration is mandatory
  • That 2FA for Staff accounts is mandatory (or even enabled)
  • That 2FA for Staff accounts is failing

@jrockwar
Copy link
Author

I have also tried enabling Require email 2FA codes to be used on all staff logins and the output I get is identical - no new info on the logs or error message about any of the above. I think at the very least this should be more verbose, shouldn't it?

@jrockwar jrockwar changed the title Regression: Admin login/session cookies broken in ghost:5.118.0-alpine (works in 5.117.0-alpine and earlier) Admin login/session cookies broken in ghost:5.118.0-alpine (works in 5.117.0-alpine and earlier) on ghost without email setup Apr 27, 2025
@cathysarisky
Copy link
Member

Hey @jrockwar

ErisDS left some helpful links to documentation over on the forum: https://forum.ghost.org/t/cant-login-to-admin-dashboard-on-more-than-one-device/57135/3 - worth a read, if you haven't seen it yet.

As I understand it, that toggle affects whether all staff logins (new or old device) require a code, vs whether just new devices do. (So it doesn't really turn the behavior off, just reduces it. But the link above includes how to turn the behavior entirely off, if you need to. [It'd probably be better to configure outbound email instead, but...]

@ErisDS ErisDS changed the title Admin login/session cookies broken in ghost:5.118.0-alpine (works in 5.117.0-alpine and earlier) on ghost without email setup No helpful errors when attempting to login without email setup May 1, 2025
@ErisDS
Copy link
Member

ErisDS commented May 1, 2025

A little update here - all the behaviour of Ghost reported here is expected EXCEPT for the lack of clear error messaging.

I definitely want to make all of this more transparent so it's easier to debug and fix, as well as making it clearer that email is required.

There's quite a few bits to do around docs and error handling.

One thing I don't have on this issue that would be SUPER helpful is a really, really clear reproduction case.

E.g. either step-by-step bullets outlining exactly what you did OR a screencast of you going through the motions would be amazingly helpful. It would significantly speed up the time it'll take me to find and resolve the issues, as well as ensure that I get the exact right cases.

(To be clear, when I run ghost locally for development I get super clear error messages, so it's not like this is the most obvious case)

@ErisDS ErisDS added bug [triage] something behaving unexpectedly and removed needs:info [triage] Blocked on missing information labels May 1, 2025
@ErisDS
Copy link
Member

ErisDS commented May 1, 2025

Alternatively of course if anyone else can already reproduce it, fixes are welcome!

@jrockwar
Copy link
Author

jrockwar commented May 1, 2025 via email

@pong106
Copy link

pong106 commented May 3, 2025

temporary fix or bypass to turn off Auth code

https://ghost.org/docs/config/#security

security__staffDeviceVerification for docker

@JERXCHRS
Copy link

Thanks for replying @ErisDS ! This makes sense as email wasn't (isn't) configured yet in my freshly setup blog, so ghost couldn't have sent emails for verification.

However what I don't understand then is:

  • Why, as you say, I didn't get any other message with ERROR severity on the logs (from the browser point of view, the failure on the login page was completely silent and the page just hung).
  • Why the browser/device pair used for the initial setup of the blog can login successfully as staff without email being set up.

I think I saw some INFO messages about email, but nothing that sounded too ominous. I'll try to get you more logs / info so you can see whether this is expected behavior or a genuine issue.

In any case, different problem but there are dozens of tutorials out there for setting up ghost that assume that email isn't required but very much an optional step; it'd be great to update documentation to say it's now a hard requirement. This might make it inviable for some applications like internal documentation for teams on self-hosted environments where it's not feasible/practical to have a mailserver.

I second this. There have been so many published guides on how to pull this off because it’s not feasible for many. After this update hit I can’t login to admin panel without figuring out how to again setup mailgun which honestly, many don’t want to use. Would have been nice to have a heads up and trial this option not making it required by default giving self-hosting community time to deal with setup before being locked out.

@ironicbadger
Copy link

ironicbadger commented May 13, 2025
edited
Loading

Holy moly this took an hour of my life. Thank you to @pong106 for the workaround my goodness. No error messages, nothing in the logs even in debug mode. How does stuff like this get past QA?

I added

environment:
	- security__staffDeviceVerification=false

to my compose file and can now login again.

@procrastinando
Copy link

Holy moly this took an hour of my life. Thank you to @pong106 for the workaround my goodness. No error messages, nothing in the logs even in debug mode. How does stuff like this get past QA?

I added

environment:
	- security__staffDeviceVerification=false

to my compose file and can now login again.

Thank goodness! That’s exactly what I needed. I was on the verge of rebuilding my blog from the beginning today.

@ironicbadger
Copy link

I am not even really clear on how to configure things with my user so I can remove this line either.

@aa6my
Copy link

aa6my commented May 21, 2025

temporary fix or bypass to turn off Auth code

https://ghost.org/docs/config/#security

security__staffDeviceVerification for docker

for kubernetes
kubectl edit deployment ghost

env:
- name: url
  value: https://yourdomain.com
- name: security__staffDeviceVerification
  value: "false"

kubectl rollout restart deployment ghost

@damusix
Copy link

damusix commented May 25, 2025

Holy moly this took an hour of my life. Thank you to @pong106 for the workaround my goodness. No error messages, nothing in the logs even in debug mode. How does stuff like this get past QA?

I added

environment:
	- security__staffDeviceVerification=false

to my compose file and can now login again.

Yeah this was frustrating. Thanks for the fix. More frustrating that I encountered it intermittently after deploy 3 separate sites. There are zero error messages that indicate what's going on, which is bad DX @ErisDS

@dogukansahil
Copy link

Holy moly this took an hour of my life. Thank you to @pong106 for the workaround my goodness. No error messages, nothing in the logs even in debug mode. How does stuff like this get past QA?
I added

environment:
	- security__staffDeviceVerification=false

to my compose file and can now login again.

Yeah this was frustrating. Thanks for the fix. More frustrating that I encountered it intermittently after deploy 3 separate sites. There are zero error messages that indicate what's going on, which is bad DX @ErisDS

This definitely worked for casaos. I am grateful

@ChairBorn
Copy link

temporary fix or bypass to turn off Auth code

https://ghost.org/docs/config/#security

security__staffDeviceVerification for docker

I spent 2 days of my life looking for an answer to this... thank you, that worked

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug [triage] something behaving unexpectedly
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests