Access Denied after 1st unsuccessful login

[strowi]

Hi,

i am not sure if this is a problem with the script or with my crowd-instance, but if i enter the wrong password, access is denied and i don't get the Login-Prompt again until a browser restart/cache clean.

[kenshaw]

Actually, this is a combination of Nginx and your web browser. What browser are you using? I checked this on a live installation with Firefox and Chrome and did not have any issues with a bad password. Do you perhaps have some kind of password management extension that continues to send the bad user/pass?

Since it's just HTTP authentication, you can always force send the username/password in the URL:

http://:@domain.example.tld/p/a/t/h

[strowi]

Ok, looked into it a little bit more... Actually i get a "500 internal server error" and the following output in nginx-error log:

015/02/09 10:00:19 [error] 16997#0: *22311 lua entry thread aborted: runtime error: unknown reason
stack traceback:
coroutine 0:
    [C]: in function 'error'
    /usr/local/share/lua/5.1/Spore.lua:31: in function 'raises'
    /usr/local/share/lua/5.1/Spore.lua:160: in function </usr/local/share/lua/5.1/Spore.lua:83>
    (tail call): ?
    /etc/nginx/lua/crowd-auth.lua:66: in function </etc/nginx/lua/crowd-auth.lua:1>, client: 192.168.90.93, server: xyz.local, request: "GET / HTTP/1.1", host: "xyz.local"

Maybe trouble with the spore-version?

Installed rocks:

lpeg
0.12.1-1 (installed) - /usr/local/lib/luarocks/rocks

lua-spore
0.3.1-1 (installed) - /usr/local/lib/luarocks/rocks

luajson
1.3.3-1 (installed) - /usr/local/lib/luarocks/rocks

luasec
0.5-2 (installed) - /usr/local/lib/luarocks/rocks

luasocket
3.0rc1-1 (installed) - /usr/local/lib/luarocks/rocks
cks

[kenshaw]

Yes, it is likely an issue with the latest version of lua-Spore. I've checked our production and staging installation configurations, and everything is pinned at 0.2.1-1:

lua-spore
   0.2.1-1 (installed) - /usr/local/lib/luarocks/rocks

I will try updating this on our testing environments, and see if I get the same error. If I do, then I'll (in due time) fix whatever compatibility issue that got introduced.

[strowi]

thx for looking into it.. are all lua-packages on 0.2.1-1 ? Or can you post the output of "luarocks list" ?

[kenshaw]

The other packages that we have are the same versions as what you listed, which is why I didn't bother pasting:

Installed rocks:
----------------

lpeg
   0.12-1 (installed) - /usr/local/lib/luarocks/rocks

lua-spore
   0.2.1-1 (installed) - /usr/local/lib/luarocks/rocks

lua-testlongstring
   0.2.0-1 (installed) - /usr/local/lib/luarocks/rocks

lua-testmore
   0.3.1-1 (installed) - /usr/local/lib/luarocks/rocks

luajson
   1.3.2-1 (installed) - /usr/local/lib/luarocks/rocks

luasocket
   2.0.2-5 (installed) - /usr/local/lib/luarocks/rocks

lunit
   0.5-2 (installed) - /usr/local/lib/luarocks/rocks

[strowi]

Ok, Downgrading the packages seems to fix at least the internal server error. But i still get only a single login prompt. If i enter the correct credentials it works. If i enter sth else i directly get a 403 without the possibility to reenter. And there is no extension whatsoever loaded in chrome-incognito..

Using http://user:pass@.. works.

[kenshaw]

I'll look into it. For what it's worth, we're using nginx on debian stable (wheezy).