jacobwb/hashover-next

Can't login on external site

Opened this issue · 4 comments

I'm experimenting with a Hexo site on GitLab Pages. For comments I'm using HashOver Next with it. In config/settings.json I have:

	"allowed-domains": [
		"*.blogspot.com",
		"*.gitlab.io"
	]

On the Hexo site, when I enter my admin username and password, it doesn't log in and goes to a page within the gitlab.io site and shows a 404 error. Upon inspection I found out the form has action="/hovr/backend/form-actions.php". It does not have the domain that HashOver is in. So it is going to the PHP file within GitLab Pages, which is causing this to happen.

[Screenshot: hashover-01]

I also noticed that the automatically inserted CSS/meta paths do not have the domain either.

[Screenshot: hashover-02]

Did I make a mistake in my setup that's causing this?

I don't know if that's related, but I'm getting these messages. Some are cross-origin (CORS) policy related, some are path related (wrong domain).

[Screenshot: hashover-03]

You also need "supports-multisites": true, in the config file. Do you have that?

Thanks. It was not there. I've added it. Now the CORS messages disappeared and paths now have the domain. But console shows another error now:

Unchecked runtime.lastError: The message port closed before a response was received.

[Screenshot: hashover-04a]

Not sure what this means.

When I log in now it doesn't go to the GitLab 404 page anymore, which is great. After submit, though, the page loads again but I can see the same comment form with the login option again.

Another strange thing is that when I visit <hashover path>/admin it shows me logged in. But not happening on my blog page. I've tried logging out from admin and logging in from blog again. Didn't help.

@jacobwb
This is probably an issue in browsers and how they harden things.

For example, on older versions of Firefox (or LibreWolf, I don't remember) I had to disable Tracking protection for the blog site and set Preferences -> Privacy & Security -> Browser Privacy to Standard in order to log in. I tried on the latest, near-vanilla Firefox 99.0.1 install and I didn't have to do anything. It allowed me to show as logged in on the page right out of the box.

On Brave 1.37.116 the comments didn't show up at all, so I couldn't log in. This wasn't the case on older versions when I opened this issue.

Some users might have their browser settings hardened or use a hardened browser (like LibreWolf) that makes login not possible as is. Not being able to log in or comment, or asking users to change settings, didn't seem ideal. I used to use Blogger, which had a fullscreen comment option. This gave me an idea. So I tried a fullscreen script for HashOver that pretty much solves the issue. It just takes the blog post URL and title through GET variables, then shows comments for it.

I tried loading the fullscreen script in an iframe but in Brave it was not loading. It was showing "support.google.com refused to connect." for some reason. Adding header('Access-Control-Allow-Origin: *'); didn't help. So I had to just link the script at the bottom of the post and it worked on all browsers I tried.

Another thing I tried as a workaround is to not log in at all. Just inputting some username, entering a comment and unchecking notify, without entering a password or email, has let me comment just fine even if I can't log in. Although not being able to log in might require me to log in to the admin panel directly for comment moderation. But recent Brave not showing anything is worrying. So I think the fullscreen script is best for me. It works on all browsers and regardless of settings.

Maybe HashOver should have something like this implemented for issues like this?
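
One way a PHP backend can turn an allowed-domains list like the one in this issue into CORS headers for a credentialed login request. This is an added example, not HashOver's code and not from any commenter; the function names, the wildcard semantics and the sample origins are assumptions.

```php
<?php
// Added example, not HashOver's code. Assumed pattern semantics:
// "*.gitlab.io" matches any subdomain of gitlab.io, not gitlab.io itself.
$allowedDomains = ['*.blogspot.com', '*.gitlab.io']; // list from the issue

function hostMatches(string $host, string $pattern): bool
{
    $host = strtolower($host);
    $pattern = strtolower($pattern);
    if (strncmp($pattern, '*.', 2) === 0) {
        // Compare against ".gitlab.io" so "evilgitlab.io" cannot match.
        $suffix = substr($pattern, 1);
        return strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix;
    }
    return $host === $pattern;
}

function corsHeadersFor(?string $origin, array $allowedDomains): array
{
    $parts = parse_url((string) $origin);
    // Cross-site session cookies must be Secure, so accept https origins only.
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        return [];
    }
    foreach ($allowedDomains as $pattern) {
        if (hostMatches($parts['host'], $pattern)) {
            // Rebuild the origin from parsed parts instead of echoing raw input.
            $clean = 'https://' . $parts['host']
                . (isset($parts['port']) ? ':' . $parts['port'] : '');
            return [
                // A literal "*" is rejected by browsers on credentialed requests.
                'Access-Control-Allow-Origin: ' . $clean,
                'Access-Control-Allow-Credentials: true',
                'Vary: Origin', // stop caches reusing one origin's response
            ];
        }
    }
    return [];
}

// Constructed sample origins (hypothetical hosts).
$samples = ['https://myblog.gitlab.io', 'https://evilgitlab.io',
            'https://gitlab.io.example.net', 'http://myblog.gitlab.io'];
foreach ($samples as $origin) {
    $headers = corsHeadersFor($origin, $allowedDomains);
    echo $origin, ' => ', $headers ? implode(' | ', $headers) : 'no CORS headers', PHP_EOL;
}
```

These headers only let the browser expose the cross-origin response to the page; a session cookie set from another site additionally needs SameSite=None; Secure, and browsers that block third-party cookies discard it regardless. CORS headers also do not control iframe embedding, which is governed by X-Frame-Options and the CSP frame-ancestors directive.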