medama-io/medama

Should rewrite HTTP to HTTPS

Opened this issue · 5 comments

The default username admin and the default password CHANGE_ME_ON_FIRST_LOGIN are not working on Docker. You can't log in; nothing happens.

```
2024/07/07 01:52AM INF Medama Development Build
2024/07/07 01:52AM INF Starting server at http://localhost:8080
2024/07/07 01:52AM INF success | operation=PostAuthLogin operationId=post-auth-login method=POST path=/auth/login duration=44.068532
2024/07/07 01:52AM INF success | operation=PostAuthLogin operationId=post-auth-login method=POST path=/auth/login duration=32.713261
2024/07/07 01:52AM INF success | operation=PostAuthLogin operationId=post-auth-login method=POST path=/auth/login duration=45.484127
2024/07/07 01:52AM INF 401 unauthorised | operation=PostAuthLogin operationId=post-auth-login method=POST path=/auth/login duration=29.474782 status_code=401
2024/07/07 01:53AM INF success | operation=PostAuthLogin operationId=post-auth-login method=POST path=/auth/login duration=29.124101
2024/07/07 01:53AM INF success | operation=PostAuthLogin operationId=post-auth-login method=POST path=/auth/login duration=27.881179
```

Solved, works only in HTTPS, not HTTP

Hi! I'm going to reopen this since I think rewriting the URL from HTTP to HTTPS automatically might make this issue not appear for future users. I'm assuming you were trying to connect via your publicly accessible hostname and not via localhost, correct?

I can log in only via HTTPS but not HTTP

+1 Same issue here as well. Cannot log in over the HTTP protocol.

For clarification on what the issue is, your browser will not save the login cookie on HTTP since it is unencrypted. Making this work on HTTP would mean disabling a couple of security flags that typically protect the cookie.

I don't think I even want to offer an option to make this work on HTTP due to the security implications, so it may make sense to update the docs with a warning about this and see if automatic redirection is possible from our end.
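
The behaviour described in the last two comments, as an added Go example that is not part of the thread or Medama's own code: a login cookie carrying the `Secure` flag, and a middleware that redirects plain HTTP to HTTPS. The cookie name, the trust placed in `X-Forwarded-Proto`, the loopback exemption and HTTPS on port 443 are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// sessionCookie sets flags typical for a login cookie; Secure is the one that
// makes a browser discard it over plain HTTP. "_session" is a hypothetical name.
func sessionCookie(token string) *http.Cookie {
	return &http.Cookie{Name: "_session", Value: token, Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
}

// httpsTarget returns the HTTPS URL for a plain-HTTP request. ok is false when
// TLS was used (directly, or per X-Forwarded-Proto from a proxy assumed to be
// trusted) or the host is loopback. Assumes HTTPS is served on port 443.
func httpsTarget(host, uri, fwdProto string, tlsOn bool) (target string, ok bool) {
	if tlsOn || strings.EqualFold(fwdProto, "https") {
		return "", false
	}
	name := host
	if h, _, err := net.SplitHostPort(host); err == nil {
		name = h
	}
	if ip := net.ParseIP(name); name == "localhost" || (ip != nil && ip.IsLoopback()) {
		return "", false
	}
	return "https://" + name + uri, true
}

// redirectToHTTPS answers plain-HTTP requests with a 308, which keeps the
// method, so a POST to /auth/login is repeated as a POST over HTTPS.
func redirectToHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if t, ok := httpsTarget(r.Host, r.RequestURI, r.Header.Get("X-Forwarded-Proto"), r.TLS != nil); ok {
			http.Redirect(w, r, t, http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth/login", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, sessionCookie("constructed-sample-token"))
	})
	_ = http.ListenAndServe("localhost:8080", redirectToHTTPS(mux))
}
```

A redirect cannot protect credentials that were already POSTed over HTTP, so it works best when the login page itself is only ever loaded over HTTPS.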