Invalid Origin error on the server

Operating system

Linux

Joplin version

3.2.13

What issue do you have?

Hi all,

I'm also getting the invalid origin error when I try to login on a dockerised/nginx proxied install of Joplin server.

I know Laurent is planning to remove this check (New Install - Invalid origin error - #14 by laurent) but it's still in the latest version.

Does anyone know if there is a way I can inject a code change when building the docker container (using a Dockerfile to run a script etc) to alter the code to remove the check? And if so, which code would need editing, and to what?

Many Thanks

Hi all,

I figured this out myself so I'm sharing my code to do so (under Docker, my Joplin server is running under Docker with NGINX as the reverse proxy).

This, for me, removes the origin check and bypasses the annoying invalid origin error.

Noting this may not work in the future if the Docker hub image is changed in some way. You can also just run the SED command yourself if you're not using docker, changing the file location as you need.

I updated my docker compose to build the server using a Dockerfile instead of just pulling the image.

I changed the app section of the docker compose from this:

  app:
    image: joplin/server:latest

to this:

  app:
    build:
      context: .
      dockerfile: Dockerfile

Then I created a new Dockerfile in the same folder with this content:

# Use the original image as the base image.
FROM joplin/server:latest

# Run the command to modify the file as needed at build time.
RUN sed -i 's/return host1 === host2;/return true;\n        \/\/ return host1 === host2;/' /home/joplin/packages/server/dist/utils/routeUtils.js

Then, to build the Docker container:

docker-compose up --build -d

Technical details

The part of the server which performs the origin check and consistently failed for me was in this file:
/home/joplin/packages/server/dist/utils/routeUtils.js

The updated process now builds the Joplin server container as before, but now it runs a command (SED) to search for the Origin check section and always return true instead regardless of what the origin is.

It searches for:

function isValidOrigin(requestOrigin, endPointBaseUrl, routeType) {
    const host1 = (new url_1.URL(requestOrigin)).host;
    const host2 = (new url_1.URL(endPointBaseUrl)).host;
    if (routeType === types_2.RouteType.UserContent) {
        // At this point we only check if eg usercontent.com has been accessed
        // with origin usercontent.com, or something.usercontent.com. We don't
        // check that the user ID is valid or is event present. This will be
        // done by the /share end point, which will also check that the share
        // owner ID matches the origin URL.
        if (host1 === host2)
            return true;
        const hostNoPrefix = host1.split('.').slice(1).join('.');
        return hostNoPrefix === host2;
    }
    else {
        return host1 === host2;
    }
}

and changes it to:

function isValidOrigin(requestOrigin, endPointBaseUrl, routeType) {
    const host1 = (new url_1.URL(requestOrigin)).host;
    const host2 = (new url_1.URL(endPointBaseUrl)).host;
    if (routeType === types_2.RouteType.UserContent) {
        // At this point we only check if eg usercontent.com has been accessed
        // with origin usercontent.com, or something.usercontent.com. We don't
        // check that the user ID is valid or is event present. This will be
        // done by the /share end point, which will also check that the share
        // owner ID matches the origin URL.
        if (host1 === host2)
            return true;
        const hostNoPrefix = host1.split('.').slice(1).join('.');
        return hostNoPrefix === host2;
    }
    else {
        return true;
        // return host1 === host2;
    }
}
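To see which part of the two URLs makes the original comparison fail, the check quoted above can be reproduced outside the server. This is an added example, not part of the original post or Joplin's own code; `diagnoseOrigin`, the boolean `isUserContent` flag (standing in for `RouteType.UserContent`) and all sample URLs are assumptions constructed for illustration.

```javascript
// Added example: same comparison as isValidOrigin in routeUtils.js, plus a
// reason string that says why two URLs do not match.
function diagnoseOrigin(requestOrigin, endPointBaseUrl, isUserContent = false) {
  const o = new URL(requestOrigin);
  const b = new URL(endPointBaseUrl);
  // URL.host is "hostname[:port]". The scheme is not part of it, and a
  // default port (80 for http, 443 for https) is dropped by the parser.
  const host1 = o.host;
  const host2 = b.host;
  let valid = host1 === host2;
  if (!valid && isUserContent) {
    // User-content routes also accept one extra leading label.
    valid = host1.split('.').slice(1).join('.') === host2;
  }
  let reason = 'match';
  if (!valid) {
    reason = o.hostname !== b.hostname ? 'hostname differs' : 'port differs';
  }
  return { valid, host1, host2, reason };
}

// Constructed sample values: [requestOrigin, endPointBaseUrl, isUserContent]
const samples = [
  ['https://notes.example.com', 'https://notes.example.com', false],
  ['https://notes.example.com:443', 'http://notes.example.com', false],
  ['https://notes.example.com', 'http://notes.example.com:22300', false],
  ['https://notes.example.com', 'http://localhost:22300', false],
  ['https://abc.usercontent.example', 'https://usercontent.example', true],
];

for (const [origin, base, uc] of samples) {
  const r = diagnoseOrigin(origin, base, uc);
  console.log(`${origin} vs ${base}: ${r.valid ? 'valid' : 'INVALID'} ` +
    `(${r.host1} / ${r.host2}, ${r.reason})`);
}
```

Feeding it the `requestOrigin` and `endPointBaseUrl` values the server actually sees behind the proxy shows whether the mismatch is a hostname or only a port, which can then be corrected in the proxy or server configuration while the check stays in place.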