Admin Access Failure

I’m running Ghost version 5.49.3 using mysql:8 (docker image). I recently upgraded to 5.49.3 from 5.35.1.

The main site loads fine without any issues, but as soon as I navigate to sitename/ghost/ I get the following stack trace. Keep in mind this is without ANY attempted logins or doing anything except loading the page.

site_1  | [2023-06-13 23:33:16] INFO "GET /ghost/assets/ghost-35ab1b485b6dd7b7b7cb75762c2e0229.js" 200 216ms
site_1  | [2023-06-13 23:33:16] INFO "GET /ghost/assets/vendor-bc3bd83c56b822ae56193b0d231189c0.js" 200 233ms
site_1  | [2023-06-13 23:33:16] INFO "GET /ghost/assets/chunk.976.cd1384578d700f188531.js" 200 243ms
site_1  | [2023-06-13 23:33:17] ERROR "GET /ghost/api/admin/users/me/?include=roles" 403 357ms
site_1  |
site_1  | Authorization failed
site_1  |
site_1  | "Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
site_1  |
site_1  | Error ID:
site_1  |     acbef8a0-0a42-11ee-aa4f-131b1d7eca82
site_1  |
site_1  | ----------------------------------------
site_1  |
site_1  | NoPermissionError: Authorization failed
site_1  |     at authorizeAdminApi (/var/lib/ghost/versions/5.49.3/core/server/services/auth/authorize.js:33:25)
site_1  |     at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.49.3/node_modules/express/lib/router/layer.js:95:5)
site_1  |     at next (/var/lib/ghost/versions/5.49.3/node_modules/express/lib/router/route.js:144:13)
site_1  |     at authenticate (/var/lib/ghost/versions/5.49.3/core/server/services/auth/session/middleware.js:28:13)
site_1  |     at runMicrotasks (<anonymous>)
site_1  |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
site_1  |
site_1  | [2023-06-13 23:33:17] INFO "GET /ghost/assets/img/favicon-a9c6dbdcdc3ae568f4e0dad92149a0e3.ico" 200 6ms
site_1  | [2023-06-13 23:33:17] INFO "GET /ghost/api/admin/site/" 200 6ms
site_1  | [2023-06-13 23:33:17] ERROR "GET /ghost/api/admin/users/me/?include=roles" 403 6ms
site_1  |
site_1  | Authorization failed
site_1  |
site_1  | "Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
site_1  |
site_1  | Error ID:
site_1  |     acdce0e0-0a42-11ee-aa4f-131b1d7eca82
site_1  |
site_1  | ----------------------------------------
site_1  |
site_1  | NoPermissionError: Authorization failed
site_1  |     at authorizeAdminApi (/var/lib/ghost/versions/5.49.3/core/server/services/auth/authorize.js:33:25)
site_1  |     at Layer.handle [as handle_request] (/var/lib/ghost/versions/5.49.3/node_modules/express/lib/router/layer.js:95:5)
site_1  |     at next (/var/lib/ghost/versions/5.49.3/node_modules/express/lib/router/route.js:144:13)
site_1  |     at authenticate (/var/lib/ghost/versions/5.49.3/core/server/services/auth/session/middleware.js:28:13)
site_1  |     at runMicrotasks (<anonymous>)
site_1  |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
site_1  |
site_1  | [2023-06-13 23:33:18] INFO "GET /ghost/api/admin/site/" 200 5ms
site_1  | [2023-06-13 23:33:18] INFO "GET /ghost/api/admin/authentication/setup/" 200 19ms
site_1  | [2023-06-13 23:33:18] INFO "GET /ghost/assets/fonts/Inter-roman.var.woff2" 200 2ms
site_1  | [2023-06-13 23:34:04] INFO "HEAD /" 200 128ms

I am using an nginx proxy to connect to the site and here’s my proxy pass configuration:

    ## Usual SSL , server_name etc....
    client_max_body_size 50M;
    root   /var/www/html;
    index index.html index.htm;

    location /live {
        autoindex on;
        index  index.html index.htm;
    }

    location /favicon.png {
        alias /var/www/html/beta/favicon.png;
        allow all;
    }

    location /static  {
        alias /var/www/html/static;
        log_not_found off;
        access_log off;
        allow all;
    }

    location / {
        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass http://0.0.0.0:8890;
        proxy_read_timeout      90s;
        proxy_connect_timeout   30s;
        proxy_max_temp_file_size 50m;
        client_max_body_size    50m;
        include proxy_params;
        include proxy_params;
        # proxy_ignore_headers Set-Cookie;
        # proxy_hide_header Set-Cookie;
    }

    # Block access to "hidden" files and directories whose names begin with a
    # period. This includes directories used by version control systems such
    # as Subversion or Git to store control files.
    location ~ (^|/)\. {
        return 403;
    }

Any thoughts on what could be the issue?

It doesn’t look like anything is wrong there. The 403 is a standard response from the Admin app making a request to the API to see if you’re already logged in - you’re not, so the API is responding with a “not authorised” response.

Is something not working for you?

Apologies, I went through the logs and it seemed like it was bugging out. The reset email was also not going through so I assumed the issue was more critical.

The issue was with the user. Thanks for responding, all is good now!
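An added example, not part of the original thread and not Ghost's own code: a small log triage function that separates the harmless pre-login 403 on `users/me` described in the reply from the case the error text warns about, where a login succeeded but the session cookie is not being passed back. It assumes the admin login is logged as a 2xx `POST /ghost/api/admin/session/` and that only one admin browser is active, since the log carries no client identifier.

```javascript
// Request lines in the Ghost docker-compose log format shown in the thread.
const REQUEST_LINE =
  /\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (?:INFO|WARN|ERROR) "([A-Z]+) (\S+)" (\d{3}) \d+ms/;
// Assumption: the admin login is a POST to this path and succeeds with a 2xx.
const SESSION_PATH = /^\/ghost\/api\/admin\/session\/?(\?|$)/;
const WHOAMI_PATH = /^\/ghost\/api\/admin\/users\/me\/?(\?|$)/;

function classifyAdminProbes(lines) {
  const findings = [];
  // Assumption: one admin browser at a time; the log carries no client id.
  let sessionOpen = false;
  for (const line of lines) {
    const m = REQUEST_LINE.exec(line);
    if (!m) continue; // stack traces, error text, separators
    const [, time, method, path, statusText] = m;
    const status = Number(statusText);
    if (SESSION_PATH.test(path)) {
      if (method === 'POST' && status >= 200 && status < 300) sessionOpen = true;
      if (method === 'DELETE') sessionOpen = false; // logout
      continue;
    }
    if (method === 'GET' && WHOAMI_PATH.test(path) && status === 403) {
      // After a successful login, a 403 here means the session cookie never
      // came back, e.g. a proxy hiding Set-Cookie. Before any login it is
      // only the admin app asking whether a session already exists.
      findings.push({
        time,
        verdict: sessionOpen ? 'cookie-not-returned' : 'benign-session-probe',
      });
    }
  }
  return findings;
}

// The first three lines are taken from the log above; the last two are constructed.
const SAMPLE_LOG = [
  'site_1  | [2023-06-13 23:33:17] ERROR "GET /ghost/api/admin/users/me/?include=roles" 403 357ms',
  'site_1  | NoPermissionError: Authorization failed',
  'site_1  | [2023-06-13 23:33:18] INFO "GET /ghost/api/admin/authentication/setup/" 200 19ms',
  'site_1  | [2023-06-13 23:40:02] INFO "POST /ghost/api/admin/session/" 201 412ms',
  'site_1  | [2023-06-13 23:40:03] ERROR "GET /ghost/api/admin/users/me/?include=roles" 403 5ms',
];

console.log(classifyAdminProbes(SAMPLE_LOG));
```

Run against the log in the question, every 403 is classified as `benign-session-probe`, which matches the reply.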