Response header too long for default nginx configuration #1554
Comments
@nbulaj any thoughts? Our OAuth client app has been dead in the water for a while because of this. (Thank you in advance for looking!)
I didn't find anything about input data size in https://datatracker.ietf.org/doc/html/rfc6819 (but it could be that I looked in the wrong place), but we can add some pre-defined restrictions on the size of the params/headers/whatever, which could be configurable in the initializer. WDYT?
@nbulaj thank you for looking! How would these restrictions behave? Would they truncate the too-long response header? If the OAuth handshake still works, then that would be great. Otherwise, if they simply reject long URLs, then that wouldn't help us much, since we want this to actually work. If it helps, we're generally seeing this error with URLs around 550 chars. That's long, but not crazy; the de facto limit in browsers is generally around 2000. Here's a formatted, redacted example URL. The long query params are
More background in mastodon/mastodon#12915 (comment).
Friendly nudge here, this is still visibly affecting a number of our users, I field questions about this regularly. Let me know if I can do anything else to help, beyond the debugging info above!
So if I understand well, this is due to an arbitrary limit set by the gem? Which is likely to be hit in (some kind of) OAuth apps?
There are no limits set by the gem @thom4parisot. The OAuth RFC also doesn't say anything about limiting the client URL, so I'm not sure which fix here will be acceptable.
Interesting workaround in mastodon/mastodon#12915 (comment). This error happens if you're already logged into the Mastodon instance, but if you're not logged in when you start the OAuth dance, it works fine. Does that give you all any more ideas for what to do here?
A possible fix for this is to modify the nginx conf to increase the proxy buffer. The following worked for me:
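The commenter's configuration did not survive on this page. As an added example, not from the thread or from the Doorkeeper project, this is the shape of the nginx change being described: the proxy-buffer directives go in the location block that proxies to the Rails application. The upstream address, server name and the raised sizes are assumptions. nginx's default proxy_buffer_size is one memory page (4k or 8k depending on platform), and the whole upstream response header, including the Location header Doorkeeper emits on a successful authorization, has to fit in it or nginx logs the "upstream sent too big header" error and returns 502. proxy_busy_buffers_size must be at least proxy_buffer_size and less than the total size of proxy_buffers minus one buffer, or nginx refuses the configuration.

```nginx
# Added example, not the original commenter's file. Assumed: Puma listens on
# 127.0.0.1:3000 and nginx terminates TLS in front of it.
upstream mastodon_web {
    server 127.0.0.1:3000 fail_timeout=0;
}

server {
    listen 443 ssl http2;
    server_name mastodon.example;   # placeholder

    location / {
        proxy_pass http://mastodon_web;

        # Defaults shown for comparison (one memory page, 4k or 8k). A long
        # redirect_uri or state parameter lands verbatim in the Location header
        # of Doorkeeper's redirect response, and together with the other
        # response headers it overflows this buffer; nginx then answers 502 with
        #   upstream sent too big header while reading response header from upstream
        # proxy_buffer_size       4k;
        # proxy_buffers           8 4k;
        # proxy_busy_buffers_size 8k;

        # Raised values. proxy_buffer_size is the one that caps the response
        # header; the other two are raised to keep nginx's consistency rules
        # satisfied (busy >= buffer_size, busy < 8*16k - 16k).
        proxy_buffer_size       16k;
        proxy_buffers           8 16k;
        proxy_busy_buffers_size 32k;
    }
}
```

Check the file with nginx -t before reloading. This raises the ceiling rather than removing it: a response header larger than 16k would still fail the same way, which is why the client-side workaround of shortening the redirect URL remains worth having.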
Confirming that adding these settings in my
Hello Doorkeeper Team! Have you all reconsidered implementing the fixes above so that users can authenticate Mastodon publishing through Brid.gy?
I ended up working around this by storing the OAuth redirect state in memory on my end, which let me reduce the redirect URL length. I'll leave this open to track on Doorkeeper's end.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Steps to reproduce
Doorkeeper is used in Mastodon. An app developer encounters an error when trying to authenticate a user through OAuth with a long redirect URL or a long state param: Doorkeeper's authorization response carries the full redirect target in its Location header, and with default proxy buffer values the header is too long for nginx, which returns HTTP 502.
Please see linked issue mastodon/mastodon#12915.
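The following is an added example, not code from this issue or from Doorkeeper or Mastodon. It models the failure described in the steps to reproduce and the workaround one commenter described above (keeping the OAuth redirect state server-side so the redirect URL stays short). The authorization-server side is reduced to what any OAuth 2.0 server does on success: redirect to redirect_uri with code and the client's state echoed back verbatim. The 4096-byte buffer (nginx's default proxy_buffer_size on a 4k-page platform), the 600-byte allowance for the remaining response headers, the redirect URI and the oversized context are all assumptions constructed for the example.

```ruby
require 'json'
require 'securerandom'
require 'uri'

# nginx copies the entire upstream response header (status line and every
# header, including Location) into one proxy_buffer_size buffer. The default is
# one memory page, 4k or 8k depending on platform; 4096 is assumed here.
NGINX_DEFAULT_PROXY_BUFFER_BYTES = 4096

# Allowance for the rest of the header (status line, Date, Content-Type,
# Set-Cookie, security headers). An assumption for this example.
OTHER_HEADERS_BYTES = 600

# Successful authorization: redirect to the client's redirect_uri carrying the
# authorization code and the client's state parameter unchanged.
def authorization_redirect(redirect_uri, state, code: 'constructed-code')
  uri = URI.parse(redirect_uri)
  params = URI.decode_www_form(uri.query.to_s)
  params << ['code', code] << ['state', state]
  uri.query = URI.encode_www_form(params)
  uri.to_s
end

def location_header_bytes(redirect_uri, state)
  "Location: #{authorization_redirect(redirect_uri, state)}\r\n".bytesize
end

# Would the response header fit nginx's default proxy buffer?
def fits_default_proxy_buffer?(redirect_uri, state)
  location_header_bytes(redirect_uri, state) + OTHER_HEADERS_BYTES <= NGINX_DEFAULT_PROXY_BUFFER_BYTES
end

# Workaround: keep the per-login context on the client's server and send only
# a short, unguessable handle as `state`. The handle is random, so it still
# binds the callback to the session for CSRF purposes, and deleting on lookup
# makes it one-time use.
class StateStore
  def initialize
    @entries = {}
  end

  def put(context)
    handle = SecureRandom.urlsafe_base64(24) # 32 URL-safe characters
    @entries[handle] = context
    handle
  end

  # Returns the stored context, or nil when the handle is unknown or was
  # already consumed; a callback with a nil result must be rejected.
  def take(handle)
    @entries.delete(handle)
  end
end

# Constructed context a client might otherwise have packed into `state`.
CONTEXT = {
  'return_to' => 'https://example.org/after-login?utm_content=' + ('x' * 4000),
  'nonce' => 'constructed-nonce'
}.freeze

REDIRECT_URI = 'https://client.example/oauth/callback' # assumed client

def inline_state
  JSON.generate(CONTEXT) # percent-encoded later by authorization_redirect
end

def demo
  store = StateStore.new
  handle = store.put(CONTEXT)
  {
    inline_bytes: location_header_bytes(REDIRECT_URI, inline_state),
    inline_fits: fits_default_proxy_buffer?(REDIRECT_URI, inline_state),
    handle_bytes: location_header_bytes(REDIRECT_URI, handle),
    handle_fits: fits_default_proxy_buffer?(REDIRECT_URI, handle),
    context_restored: store.take(handle) == CONTEXT,
    replay_rejected: store.take(handle).nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |key, value| puts "#{key}: #{value}" }
end
```

Run it directly to see the two Location header sizes side by side. The inline variant exceeds the buffer before the other headers are even counted; the handle variant stays around a hundred bytes regardless of how much context the client needs to remember, and a second lookup of the same handle returns nil, so a replayed callback fails closed.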
Expected behavior
Either:
Actual behavior
"upstream sent too big header while reading response header from upstream" error in nginx with default proxy buffer sizes
System configuration
Doorkeeper initializer:
https://github.com/mastodon/mastodon/blob/50ab3f3dcb6b00109fa1462a5ca0228563abb99b/config/initializers/doorkeeper.rb
Ruby version:
3.0.3
Gemfile.lock:
https://github.com/mastodon/mastodon/blob/50ab3f3dcb6b00109fa1462a5ca0228563abb99b/Gemfile.lock