Login keeps failing after upgrading Ghost Local to version 3

I am facing a new issue after upgrading my Ghost version to 3.


Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication.


The logs say


{"name":"Log","hostname":"xxxxxxx-las-2","pid":356,"level":50,"req":{"meta":{"requestId":"3aa68608-dd59-45c1-a11f-f527725ba20a","userId":null},
"url":"/users/me/?include=roles","method":"GET","originalUrl":"/en/blog/ghost/api/v3/admin/users/me/?include=roles","params":{},"headers":
{"x-real-ip":"aa.bb.cc.226","host":"www.test.xxxxxxx.com","x-forwarded-for":"aa.bb.cc.226","x-forwarded-proto":"https","connection":"close","accept":"application/json,
text/javascript, */*; q=0.01","x-requested-with":"XMLHttpRequest","x-ghost-version":"3.20","app-pragma":"no-cache","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36","content-type":"application/json; 
charset=UTF-8","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://www.test.xxxxxxx.com/en/blog/ghost/","accept-encoding":"gzip, 
deflate, br","accept-language":"en"},"query":{"include":"roles"}},"res":{"_headers":{"x-powered-by":"Express","cache-control":"no-cache, private, no-store, must-revalidate, max-stale=0,
post-check=0, pre-check=0","content-type":"application/json; charset=utf-8","content-length":"321","etag":"W/\"141-Bdi/RWqkP8h7mDzhhD3/NO2f4Uw\"","vary":"Accept-Encoding"},"statusCode":403,
"responseTime":"4ms"},"err":{"id":"1d858a30-bafb-11ea-b3d6-816724f7cea1","domain":"https://www.test.xxxxxxx.com/en/blog/","code":null,"name":"NoPermissionError","statusCode":403,"level":"normal",
"message":"Authorization failed","context":"\"Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication.\"",
"stack":"NoPermissionError: Authorization failed\n    at new NoPermissionError (/var/www/xxxxxxx/public_html/en/blog/versions/3.20.0/node_modules/ghost-ignition/lib/errors/index.js:134:23)\n    
at authorizeAdminApi (/var/www/xxxxxxx/public_html/en/blog/versions/3.20.0/core/server/services/auth/authorize.js:28:25)\n    at Layer.handle [as handle_request] 
(/var/www/xxxxxxx/public_html/en/blog/versions/3.20.0/node_modules/express/lib/router/layer.js:95:5)\n    at next 
(/var/www/xxxxxxx/public_html/en/blog/versions/3.20.0/node_modules/express/lib/router/route.js:137:13)\n    at authenticate 
(/var/www/xxxxxxx/public_html/en/blog/versions/3.20.0/core/server/services/auth/session/middleware.js:24:13)\n    at runMicrotasks (<anonymous>)\n    
at processTicksAndRejections (internal/process/task_queues.js:97:5)"},"msg":"Authorization failed","time":"2020-06-30T17:57:08.309Z","v":0}

It is something related to my config. I don't know what the error is. Ghost is installed in a sub-directory, /en/blog

Here is my config

upstream ghost_upstream {
    server 127.0.0.1:3369;
    keepalive 64;
}

proxy_cache_path /var/run/cache levels=1:2 keys_zone=STATIC:75m inactive=24h max_size=512m;

server {
    listen       80;
    expires $expires;
    server_name xxbbccee.com www.xxbbccee.com www.test.xxbbccee.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    expires $expires;
    server_name  xxbbccee.com;
    ssl_certificate /etc/httpd/ssl/xxbbccee.crt;
    ssl_certificate_key /etc/httpd/ssl/xxbbccee.key;
    return 301 https://www.xxbbccee.com$request_uri;

}

server {
    listen 443 ssl http2;
    expires $expires;
    server_name  www.xxbbccee.com www.test.xxbbccee.com *.xxbbccee.com;
    ssl_certificate /etc/httpd/ssl/xxbbccee.crt;
    ssl_certificate_key /etc/httpd/ssl/xxbbccee.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    root   /var/www/xxbbccee/public_html;
    index index.php index.phtml index.html index.htm index.cgi index.pl;
    error_log /var/log/nginx/xxbbccee_error.log;
    access_log /var/log/nginx/xxbbccee_access.log;

# Ghost Blog

   location ~ ^/en/blog(?:ghost|signin|signout)/ {
        add_header Cache-Control "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0";
        proxy_hide_header X-powered-by;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        expires 10m;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://ghost_upstream;

    }

    location ^~ /en/blog {
        proxy_cache STATIC;
        proxy_cache_valid 200 30m;
        proxy_cache_valid 404 1m;
        proxy_pass http://ghost_upstream;
#       proxy_pass http://127.0.0.1:3369;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
        proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
        proxy_ignore_headers Set-Cookie;
        proxy_hide_header Set-Cookie;
        proxy_hide_header X-powered-by;
        expires 10m;
    }
    location /content/images {
        alias /var/www/xxbbccee/public_html/en/blog/content/images;
        access_log off;
        expires max;
    }
#    location /assets {
#        alias /var/www/xxbbccee/public_html/en/blog/content/themes/xxbbccee_3.7/assets;
#        access_log off;
#        expires max;
#    }
}

Unable to determine the authenticated user or integration. Check that cookies are being passed through if using session authentication.

This is telling you that cookies are required.

proxy_ignore_headers Set-Cookie;
proxy_hide_header Set-Cookie;

This disables cookies


Thank you :). I commented out those lines.

Now the login is working fine. But the log is still reporting the same error

"domain":"https://www.test.aabbccdd.com/en/blog/","code":null,"name":"NoPermissionError","statusCode
":403,"level":"normal","message":"Authorization failed","context":"\"Unable to determine the authenticated 
user or integration. Check that cookies are being passed through if using session 
authentication.\"","stack":"NoPermissionError: Authorization failed\n    at new NoPermissionError 
(/var/www/aabbccdd/public_html/en/blog/versions/3.20.0/node_modules/ghost-
ignition/lib/errors/index.js:134:23)\n    at authorizeAdminApi 
(/var/www/aabbccdd/public_html/en/blog/versions/3.20.0/core/server/services/auth/authorize.js:28:25

Also, I found another issue when I logged out. After signout, the page does not redirect to the sign-in page. It redirects to https://www.test.aabbccdd.com/en/blog/ghost/#/site, and when I try to log in, it automatically points to #site.

I have to close the entire browser application and then log in to Ghost again to get the admin login page.

Any suggestion?

Strip your nginx config back til it matches our default and add your custom rules back one-by-one:

This statement always gives me an error.

I deleted all rules and set it to the default settings. I was using the default settings before, but it was showing the same error in the logs and the issue with signout. Also, when I delete a post, it does not disappear from the All posts list. When I try to delete it again, it shows the error "post not found", but I still see it listed in All posts. The same happens when creating/updating articles. Updating articles, sometimes, would never get submitted, and when reloading the article, it would show the older one.

Then I started investigating this and found those rules etc. I don't want to make the config too complex. But something is not working with my settings. I am not sure where the issue is…

Here is my complete config file

server {
    listen       80;
    expires $expires;
    server_name aabbccdd.com www.aabbccdd.com www.test.aabbccdd.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    expires $expires;
    server_name  aabbccdd.com;
    ssl_certificate /etc/httpd/ssl/aabbccdd.crt;
    ssl_certificate_key /etc/httpd/ssl/aabbccdd.key;
    return 301 https://www.aabbccdd.com$request_uri;

}

server {
    listen 443 ssl http2;
    expires $expires;
    server_name  www.aabbccdd.com www.test.aabbccdd.com *.aabbccdd.com;
    ssl_certificate /etc/httpd/ssl/aabbccdd.crt;
    ssl_certificate_key /etc/httpd/ssl/aabbccdd.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    root   /var/www/aabbccdd/public_html;
    index index.php index.phtml index.html index.htm index.cgi index.pl;
    error_log /var/log/nginx/aabbccdd_error.log;
    access_log /var/log/nginx/aabbccdd_access.log;

# Ghost Blog

    location ^~ /en/blog {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:3369;
#        if (location !== '/en/blog') { proxy_redirect off; }

   }

# Page Speed

    pagespeed on;
    pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
    pagespeed RewriteLevel OptimizeForBandwidth;

    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
        add_header "" "";
        }

    location ~ "^/pagespeed_static/" { }
    location ~ "^/ngx_pagespeed_beacon$" { }
    pagespeed SslCertDirectory /etc/httpd/ssl;
    pagespeed SslCertFile /etc/httpd/ssl/aabbccdd.crt;

# FastCGI Settings

    location ~ \.(php|phtml)$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.phtml; # index.phtml index.fcgi index.cgi;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~ \.(pl|cgi)$ {
        try_files $uri =404;
        gzip off;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index index.cgi;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

# Error Pages
    error_page 404 /en/errorpages/404.phtml;
    error_page 403 /en/errorpages/403.phtml;
    error_page 400 /en/errorpages/400.phtml;
    error_page 401 /en/errorpages/401.phtml;
    error_page 500 502 503 504 /50x.html;

}

Here is the Ghost config

{
  "url": "https://www.test.aabbccdd.com/en/blog/",
  "server": {
    "port": 3369,
    "host": "127.0.0.1"
  },
  "database": {
    "client": "sqlite3",
    "connection": {
      "filename": "/var/sqlite3/aabbccdd.db"
    }
  },
  "mail": {
    "transport": "SMTP",
    "from": "support@aabbccdd.com"
  },
  "logging": {
    "transports": [
      "file",
      "stdout"
    ]
  },
  "process": "local",
  "paths": {
    "contentPath": "/var/www/aabbccdd/public_html/en/blog/content"
  }
}

The file I linked to is a template, the line you mention is template code:

<% if (location !== '/') { %>proxy_redirect off;<% } %>

This is what switches logic between installs at the root / and subdirectories like yours.

It says, if this is not a root install then add the rule proxy_redirect off;. So as you are not running Ghost at the root path, you should add this rule.

Everything you are describing sounds like problems with the API being cached, and the one line I see that is not something I’ve encountered before is expires $expires;, which sounds like it’s to do with caching. Maybe try without that.
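The two checks suggested in the replies above (directives that strip or ignore `Set-Cookie`, and caching applied to the admin API), as an added example that is not part of the original thread and not Ghost's own tooling: a small Python linter that works out which `location` nginx would select for an admin API URI and lists the risky directives in effect there. The parser is simplified (one `server` block, locations as the only nested blocks, no `=` locations), and `SAMPLE` is constructed from the first config in the thread.

```python
import re
RISKY = [  # directive pattern -> effect on Ghost's cookie-authenticated admin API
    (r"proxy_hide_header\s+Set-Cookie\b", "drops Set-Cookie from responses"),
    (r"proxy_ignore_headers\b.*\bSet-Cookie\b", "lets cookie-setting responses be cached"),
    (r"proxy_cache\s+(?!off\b)\S", "caches upstream responses"),
    (r"expires\s+(?!off\b)\S", "rewrites Expires/Cache-Control on responses"),
]
LOC = re.compile(r"location\s+(?:(=|~\*?|\^~)\s+)?(\S+)\s*\{")

def parse_server(block):
    """Simplified parser: one server{} block whose only nested blocks are locations."""
    server, locs, depth = [], [], 0
    for line in (ln.split("#")[0].strip() for ln in block.splitlines()):
        m = LOC.match(line)
        if m and depth == 1:
            locs.append({"mod": m.group(1) or "", "pat": m.group(2), "dirs": []})
        elif line.endswith(";") and (depth == 1 or (depth == 2 and locs)):
            (server if depth == 1 else locs[-1]["dirs"]).append(line)
        depth += line.count("{") - line.count("}")
    return server, locs

def select_location(locs, uri):
    """nginx order ('=' not handled): longest prefix, final if ^~; else first regex hit."""
    pre = max((c for c in locs if c["mod"] in ("", "^~") and uri.startswith(c["pat"])),
              key=lambda c: len(c["pat"]), default=None)
    if pre and pre["mod"] == "^~":
        return pre
    rx = [c for c in locs if c["mod"] in ("~", "~*")
          and re.search(c["pat"], uri, re.I if c["mod"] == "~*" else 0)]
    return rx[0] if rx else pre

def audit(block, uri):
    """Risky directives in effect for uri: the location's own plus inherited server ones."""
    server, locs = parse_server(block)
    own = (select_location(locs, uri) or {"dirs": []})["dirs"]
    inherited = [d for d in server if d.split()[0] not in {o.split()[0] for o in own}]
    return [(d, why) for d in own + inherited for pat, why in RISKY if re.match(pat, d, re.I)]

# Constructed sample, trimmed from the first config posted in the thread.
SAMPLE = """server {
    expires $expires;
    location ~ ^/en/blog(?:ghost|signin|signout)/ {
        proxy_pass http://ghost_upstream;
    }
    location ^~ /en/blog {
        proxy_cache STATIC;
        proxy_ignore_headers Set-Cookie;
        proxy_hide_header Set-Cookie;
    }
}"""
```

Calling `audit(SAMPLE, "/en/blog/ghost/api/v3/admin/users/me/")` reports the three directives from the `^~ /en/blog` block plus the inherited `expires $expires;`, because a `^~` prefix match stops nginx from evaluating the regex location at all.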

I disabled that line and now no more authentication errors. Thank you :slight_smile:

But still, the other issues exist.

# Ghost Blog

location ^~ /en/blog {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://127.0.0.1:3369;
    proxy_redirect off;

}

Updating/creating articles, sometimes, would never get submitted, and when reloading the article, it would show the older one. I added a test one. It never shows in the admin panel, but I see it on the website. The same goes for a deleted post: I see it listed in the admin portal >> All posts, but it is not displayed on the blog site.

Also, no errors are being reported in the logs now.

These all sound like you have cached API responses. Do you have some other cache in front of the site?

Thank you, Hannah :slight_smile:

I sorted the issue with logins and posts. There was a cache setting in front of the website. I disabled it all and that sorted the issue.

Now I see the same logs on signout. Signout works perfectly and it redirects to the log-in page fine.

But the logs report this

"name":"NoPermissionError","statusCode":403,"level":"normal","message":"Authorization
failed","context":"\"Unable to determine the authenticated user or integration. Check that cookies are
being passed through if using session authentication.\"","stack":"NoPermissionError: Authorization
failed\n at new NoPermissionError (/var/www/aabbccddee/public_html/en/blog/versions/3.20.0/node_modules/ghost-
ignition/lib/errors/index.js:134:23)\n at authorizeAdminApi (/var/www/aabbccddee/public_html/en/blog/versions/3.20.0/core/server/services/auth/authorize.js:28:25)\