I am making my own users add form with croogo users plugin.
when I try to make my own fields, it gives me error/
Security Error
The requested address was not found on this server.
Request blackholed due to "auth" violation.
whats the reason for this problem?
Could be a forgotten Form::end(), a <select> with no options, or even a simple syntax error, or anything really.
I suggested in http://thread.gmane.org/gmane.comp.cms.croogo/598 to try sticking $this->log(Debugger::trace()) in CroogoAppController::blackHoleCallback()
then go through the stacktrace (in tmp/logs/error.log) and see what's going on.
Or turn off Security component temporarily to debug the problem.
Related
I know there's an earlier question with this subject here, but the OP never reported if the one answer resolved the issue. And since
Internal Server Error
is about as user-unfriendly as you can get, I would love to change this to something that feels more like "a message" than "an anvil dropped on your foot".
I have found one other SO post that tangentially relates to this issue (about that disappearing "duplicate emails" switch), but the problem is indeed not about whether or not to allow duplicate emails (or how to revive hidden admin controls) but how a very ordinary issue is communicated to the user - well, like how Keycloak notifies the user when they try and register with an existing username.
We're currently using the Docker version of Keycloak 12.0.4 with some customisations (a custom BCrypt module, some logging changes) running in IBM Cloud, using a Postgresql DB. We also added a custom theme & internationalisation. The same error occurs also when using the default Keycloak theme, though.
Here are our Login settings:
It turned out to be a configuration issue, but so deeply hidden that even the Keycloak developer who looked into the ticket I created had glossed over it.
The perpetrator was in menu Configure > Authentication > tab: Flows > choose dropdown: Registration > Profile validation radio button [o REQUIRED | o DISABLED]
This was set to disabled, which in effect prevents the duplicate email check in the registration form that the Realm settings > tab: Login form suggest are active. But then, of course, the database won't like that, with above-mentioned result.
This combination of settings should at least issue a warning, of course. I hope this will be corrected.
I already tried reading the documents as well try out the changing default behaviors https://flask-jwt-extended.readthedocs.io/en/latest/changing_default_behavior.html to handle the error (the link shows how to handle expired token) and search around in google everything in every keyword combination i could do but seems no one has example about this.
I tried using #jwt.revoked_token_loader to handle the RevokedTokenError but it seems it doesn't work as I applied it like this
#jwt.revoked_token_loader
def revoked_token_response(revoked_token):
jwtkn = revoked_token['jti']
return jsonsify({
'msg': 'token {} already been revoked!'.format(jwtkn)
)}, 401
actually, i don't know exactly how does the example on the link to handle expired tokens had parameter of 'expired_token', is that self-declaration like what I did above on the 'revoked_token'?? as far as I know, 'jti' is like a default value in the flask-jwt-extended package as I see error whenever I don't use this (in my db, it is different but there is no problem at all.
I tried following this tutorial and it works out fine on my side (as well his original code source) but I see that this one doesn't have a catch exception also on Revoke Tokens https://codeburst.io/jwt-authorization-in-flask-c63c1acf4eeb
I use postman and if based on the tutorial link, here's how i get this
i do login
i use the access token generated to access protected routes ('/secrets')
i do logout
i use again the access token generated to access protected routes
after the last one, i get this error on my server side (ide):
....flask_jwt_extended\utils.py", line 216, in verify_token_not_blacklisted
raise RevokedTokenError('Token has been revoked')
flask_jwt_extended.exceptions.RevokedTokenError: Token has been revoked
127.0.0.1 -- [02/Jul/2019 22:25:26] "GET /secrets HTTP/1.1" 500 -
in postman, this is what I get:
{
'message': 'Internal Server Error'
}
my target is to send out a custom json response instead of 'Internal Server Error'
edit:
I am no wiz on programming or such, a beginner that wanted to practice out python about secured web development. I don't yet quite understand still how decorator works out in terms of application, etc. so i don't know if others tweaks out the flask-jwt-extended package to work such things out.
Getting back a 500 error normally occurs because of a bug in other flask extensions and how that interact with native flask errorhandlers. You can find a bunch of discussions about it here (https://github.com/vimalloc/flask-jwt-extended/issues/86), but the tl;dr version is you might need to set app.config['PROPAGATE_EXCEPTIONS'] = True if using something like Flask-Restul, or use a hack like this if using flask-restplus:
jwt = JWTManager(app)
api = Api()
jwt._set_error_handler_callbacks(api)
If those don't help you, please take a look through that linked github issue, and if nothing in there helps make a reply in that issue detailing your setup.
Cheers.
On our server-side authentication with Facebook we get a random and weird issue. Facebook calls the call back URL two times with the same code. This is only happening for some users and not on every login.
This is the flow we have implemented on our side: https://developers.facebook.com/…/manually-build-a-login-fl… . We have been using it since the beginning of 2013 and we haven't noticed any issues so far.
And this is the error we get when we are exchanging the code for an access token the second time.
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100,"fbtrace_id":"traceID"}}
We tried to log this issue as a bug on https://developers.facebook.com/bugs but unfortunately it doesn't work.
It keeps showing unexpected error. Not to mention that i was unable to find the correct bug category.
Any idea on how we can fix this?
Thanks!
Could it be that users are clicking twice to process auth service? Try disabling the button before calling Facebook auth service
What language are you using?
I just had this problem in Ruby using Devise for Rails. I had created an omniauth.rb initializer file, and added a config line item in the devise.rb initializer file.
If you did this too, you can remove the omniauth.rb initializer file and you should be good to go!
when I use a proper SSL Certificate on my Web-Site I get bugs in joomla which don't appear if using an unknown certificate of http:
When logging in with wrong credentials, I get to the error page 500 instead of validation and instead of the message "Username or password are wrong ..." faded in.
When registering and the wrong text in ReCaptcha is tipped instead of validation the data in all the fields is deleted and no message about wrong captcha is faded in.
What am I doing wrong when using the proper SSL-Certificate?
Note to ReCaptcha:
In K2 I put the script source metioned here.
Putting
RewriteCond .*(/component/users/?view=login) off
at the end of my .htaccess didn't help.
Technical data, which may be relevant:
SSL-Certificate: GeoTrust RapidSSL
CMS: Joomla! 2.5.9 Stable
Login-Form: Standard-Module of Joomla
Register-Form: Authentication-Plugin of Joomla + K2 2.6.2
Thank you very much in advance.
I have solved the problem. It wasn't an SSL issue.
These paths in configuration.php were not correct at the root and I've overlooked it :(
public $log_path = '/SERVER_PATH/JOOMLA_INSTALLATION/logs';
public $tmp_path = '/SERVER_PATH/JOOMLA_INSTALLATION/tmp';
So when you log on with wrong credentials or type a wrong ReCaptcha text, joomla tries to create the directories mentioned above. If joomla fails to do it (and it was the case), instead of validation by login form and ReCaptcha you get the strange behavior, described in my previous post.
#Lodder: I'll update my K2 next time
#Jobin Jose: Yes, I activated SSL adminside.
Recently, Facebook has updated the component "request dialog" assigning responsibility to the exclusion of requests to the developers (http://developers.facebook.com/docs/reference/dialogs/requests#deleting). He also made other adjustments to the format of the request id. Thus added configuration option "request 2.0 efficient" on menu of the application developer.
The problem started after this change , the component "request dialog Multi - Friend- Selector" is in serious trouble. The component is crashed while trying to load friends. Sometimes friends loads, but the component does not resize height.
See the image of the errors:
Crashed before load friends:
http://postimage.org/image/glk2mf3bb/
Resize fail
http://postimage.org/image/iobduhn41/
In chrome browser component generates the following error:
s-static.ak.facebook.com/rsrc.php/v1/yS/r/syXGEAW5WYH.js:36 Uncaught TypeError: Cannot read property 'origin' of undefined
In firefox generates following error:
Erro: Permission denied to access property 'DocRPC'Arquivo-fonte: https://s-static.ak.facebook.com/rsrc.php/v1/yS/r/syXGEAW5WYH.js Linha: 36
Can you reproduce the error with the code itself Documentation
http://developers.facebook.com/docs/reference/dialogs/requests
Help please.
Seeing same errors here, but I can add some info:
It does seem to work if you use the basic example in https://developers.facebook.com/docs/reference/dialogs/requests, which opens up the dialog in a new browser window.
In Chrome, I found an additional error message to the one you posted:
"Unsafe JavaScript attempt to access frame with URL [...] from frame with URL [...]facebook.com/dialog/apprequests. Domains, protocols and ports must match."
From all that I guess the error may be related to the dialog display mode (read https://developers.facebook.com/docs/reference/dialogs). Within my app, I am getting this error exactly as you do, unless I set display to something like 'popup', in which case everything works (but a new borwser window is opened). The docs do state that "Because of the risk of clickjacking, [iframe] is only allowed for some certain dialogs, and requires you to pass a valid access_token." Well, passing access tokens did no good for me.
Little question: are you using some toolkit like GWT?