Can't Create New Site. Cryptic Error message

I created a new Ghost installation on Debian 9 and MySQL. After running ghost install, I navigate to my site, attempt to create an account and keep getting

Authorization failed Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication. 
  • What version of Ghost are you using?
  • CLI: 1.11.0
  • Ghost: 2.32.0
  • What configuration?
{
  "url": "https://example.com",
  "server": {
    "port": 2368,
    "host": "127.0.0.1"
  },
  "database": {
    "client": "mysql",
    "connection": {
      "host": "localhost",
      "user": "ghost_user",
      "password": "pass",
      "database": "ghost_db"
    }
  },
  "mail": {
    "transport": "Direct"
  },
  "logging": {
    "transports": [
      "file",
      "stdout"
    ]
  },
  "process": "systemd",
  "paths": {
    "contentPath": "/var/www/example.com/html/content"
  },
  "bootstrap-socket": {
    "port": 8000,
    "host": "localhost"
  }
}
  • What errors or information do you see in the console?

When attempting to create an account I see:

Authorization failed Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication. 

I’m also having this issue which may or may not be related:

Here’s some output from ghost log

[2019-10-07 21:20:06] INFO "GET /ghost/assets/img/favicon.ico" 200 6ms
[2019-10-07 21:20:06] INFO "GET /ghost/api/canary/admin/site/" 200 21ms
[2019-10-07 21:20:06] INFO "GET /ghost/api/canary/admin/authentication/setup/" 200 29ms
[2019-10-07 21:20:06] INFO "GET /ghost/assets/img/install-welcome-ff3912d18bf8949df89c83b1c3b8bb66.png" 200 2ms
[2019-10-07 21:20:07] INFO "GET /ghost/assets/img/user-image-0d67f7ca80917835524605cf4d106aef.png" 200 2ms
[2019-10-07 21:20:13] INFO "POST /ghost/api/canary/admin/authentication/setup/" 201 234ms
[2019-10-07 21:20:14] INFO "POST /ghost/api/canary/admin/session" 201 185ms
[2019-10-07 21:20:14] ERROR "GET /ghost/api/canary/admin/settings/?type=blog%2Ctheme%2Cprivate%2Cmembers" 403 3ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
NoPermissionError: Authorization failed
    at new NoPermissionError (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/ghost-ignition/lib/errors/index.js:114:23)
    at authorizeAdminApi (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/authorize.js:76:25)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/session/middleware.js:103:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/api-key/admin.js:43:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:275:10)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:228:13
    at handleCORS (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/web/shared/middlewares/api/cors.js:73:16)
    at corsMiddleware (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:204:7)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:317:13)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)

[2019-10-07 21:20:14] ERROR "GET /ghost/api/canary/admin/config/" 403 6ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
NoPermissionError: Authorization failed
    at new NoPermissionError (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/ghost-ignition/lib/errors/index.js:114:23)
    at authorizeAdminApi (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/authorize.js:76:25)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/session/middleware.js:103:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/api-key/admin.js:43:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:281:22
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:275:10)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:228:13
    at handleCORS (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/web/shared/middlewares/api/cors.js:73:16)
    at corsMiddleware (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:204:7)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:317:13)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:335:12)

[2019-10-07 21:20:14] ERROR "GET /ghost/api/canary/admin/users/me/?include=roles" 403 8ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."
NoPermissionError: Authorization failed
    at new NoPermissionError (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/ghost-ignition/lib/errors/index.js:114:23)
    at authorizeAdminApi (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/authorize.js:76:25)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/session/middleware.js:103:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at authenticate (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/services/auth/api-key/admin.js:43:16)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:281:22
    at param (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:354:14)
    at param (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:365:14)
    at Function.process_params (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:410:3)
    at next (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:275:10)
    at /var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:228:13
    at handleCORS (/var/www/tomharperkelly.com/html/versions/2.32.0/core/server/web/shared/middlewares/api/cors.js:73:16)
    at corsMiddleware (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/cors/lib/index.js:204:7)
    at Layer.handle [as handle_request] (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/var/www/tomharperkelly.com/html/versions/2.32.0/node_modules/express/lib/router/index.js:317:13)

[2019-10-07 21:25:07] INFO "GET /ghost/" 200 12ms
[2019-10-07 21:25:07] INFO "GET /ghost/assets/ghost.min-06031c34f7208e301e1a039fefa8b02d.css" 200 20ms
[2019-10-07 21:25:08] INFO "GET /ghost/assets/ghost.min-975a8c4cd6329f05e8d6edf138e459dc.js" 200 85ms
[2019-10-07 21:25:08] INFO "GET /ghost/assets/vendor.min-8a9c6f8a3daf9a5470d26dae32d1c192.js" 200 212ms
[2019-10-07 21:25:08] ERROR "GET /ghost/api/canary/admin/users/me/?include=roles" 403 5ms

NAME: NoPermissionError
MESSAGE: Authorization failed

level: normal

"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication."

Those lines show that the setup and login completed ok on the server-side. Judging from the later error message it sounds like something is stopping the cookie that is set on the successful login request from being saved or included with later requests.

Have you tried using Incognito mode in Chrome or a different browser without any browser extensions? Is there anything else you may have in your setup that would block cookies?

@Kevin I’ve tried different browsers with the same result.

As far as I’m aware, nothing should be blocking cookies. The only thing that I’ve done that might possibly be a problem was uninstall/reinstall Ghost with the CLI commands.

Is there any other logs somewhere that might help point to a solution? Could it be an issue with my Firewall maybe?

There may be some logs in your browser’s dev tools, you could also inspect the network requests to make sure that the browser is receiving the Set-Cookie header on the POST /ghost/api/canary/admin/session request and double-check that the Cookie header is being sent on the GET /ghost/api/canary/admin/settings/?type=blog%2Ctheme%2Cprivate%2Cmembers request.

Could it be an issue with my Firewall maybe?

Possibly, if the firewall is interfering with request headers then it may cause problems.

I’m just now realizing it might be an issue with my Nginx config

proxy_cache_path /var/run/cache levels=1:2 keys_zone=STATIC:75m inactive=24h max_size=512m;

server {

    server_name example.com www.example.com;
    add_header X-Cache $upstream_cache_status;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        try_files _ @ghost;
    }

    location /content/images {
      alias /var/www/example.com/html/versions/2.31.1/content;
      access_log off;
      expires max;

      try_files $uri @ghost;
    }

    location /assets {
      alias /var/www/example.com/html/versions/2.31.1/content/themes/casper/assets;
      access_log off;
      expires max;

      try_files $uri @ghost;
    }


    location @ghost {
        proxy_cache STATIC;
        proxy_cache_valid 200 30m;
        proxy_cache_valid 404 1m;
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        proxy_ignore_headers Set-Cookie;
        proxy_hide_header Set-Cookie;
        proxy_hide_header X-powered-by;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        expires 10m;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:2368;
    }
}

server {

    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    return 404; # managed by Certbot
}
        proxy_ignore_headers Set-Cookie;
        proxy_hide_header Set-Cookie;

Gonna try removing them tonight. I got the idea for this config from this post:

@ghost_throw that caching setup is quite heavy, you’ll definitely see problems (even after removing the cookie header rules) unless you exclude the /ghost/* paths so that admin API requests are not cached.

@Kevin You’re talking about the location blocks? As far as I can tell, they’re necessary to prevent 404ing for assets and images.

Is there a recommended Nginx config for caching?

Here’s my latest Nginx config. I excluded the Admin panel from being cached:

proxy_cache_path /var/run/cache levels=1:2 keys_zone=STATIC:75m inactive=24h max_size=512m;

server {

    server_name example.com www.example.com;
    add_header X-Cache $upstream_cache_status;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        try_files _ @ghost;
    }

    location /content/images {
        alias /var/www/example.com/html/versions/2.33.0/content/images;
        access_log off;
        expires max;

        try_files $uri @ghost;
    }

    location /assets {
        alias /var/www/example.com/html/versions/2.33.0/content/themes/casper/assets;
        access_log off;
        expires max;

        try_files $uri @ghost;
    }

    location ~ ^/(?:ghost|signout) { 
        add_header Cache-Control "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0";

        proxy_hide_header X-powered-by;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        expires 10m;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:2368;
    }

    location @ghost {
        proxy_cache STATIC;
        proxy_cache_valid 200 30m;
        proxy_cache_valid 404 1m;
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        proxy_ignore_headers Set-Cookie;
        proxy_hide_header Set-Cookie;
        proxy_hide_header X-powered-by;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        expires 10m;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:2368;
    }
}

server {

    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;

    server_name example.com www.example.com;

    return 404; # managed by Certbot
}

I get the below error going to setup with a fresh install. There are no cookies after navigating to /ghost/. There is no interference from proxies or firewalls. nginx is not configured, the firewall is stopped, and I’m on a VPN accessing ghost directly.

GET http://172.23.113.8:2368/ghost/api/v3/admin/users/me/?include=roles 403 (Forbidden)
send @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:7000
ajax @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:6766
_makeRequest @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:70355
_makeRequest @ ghost.min-7410b8751d230b4082deb3ac8c5ff465.js:1464
n @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:19270
request @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:70320
ajax @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:70558
queryRecord @ ghost.min-7410b8751d230b4082deb3ac8c5ff465.js:37
n @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:19270
(anonymous) @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:68379
_ @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:33784
(anonymous) @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:33807
t.invoke @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:30742
t.flush @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:30681
t.flush @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:30786
n._end @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:31113
n.end @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:30927
n._run @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:31148
n._join @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:31130
n.join @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:30968
h @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:22482
(anonymous) @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:22491
u @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4466
c @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4477
setTimeout (async)
(anonymous) @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4486
l @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4359
fireWith @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4412
fire @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4416
l @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4359
fireWith @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4412
ready @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4573
H @ vendor.min-3c3a33d8783e734897b4069658e49171.js:formatted:4558

Thanks for sharing. I don’t know much about this. You may refer any router login guide. It might be helpful to you. Looking for some more responses.

With no assistance from @westernira who, for some unknown reason, replied with a completely useless post, I’ve determined that this 403 error is not related to the cause of the problem getting into setup. The actual error was a “502 Bad Gateway” transitioning to the /ghost/ path with a POST to obtain the api key.

There are apparently a range of configuration issues that may cause this. In my case, i added disablereuse=On to the ProxyPass directive in the Apache reverse proxy configuration.

Hope this helps someone.