Endre | Blackr4t
Endre | Blackr4t•12mo ago

Key

Error with typescript app detecting wrong hostname ? After our login-demo app using the next middleware forwards to GET https://login.foo.com/oauth/v2/authorize?client_id=289301738480009300&scope=openid%20email%20profile%20offline_access%20urn%3Azitadel%3Aiam%3Auser%3Ametadata&response_type=code&redirect_uri=https%3A%2F%2Flogin-demo.foo.com%2Fapi%2Fauth%2Fcallback%2Fzitadel&state=xlfcfYDhU9io7B4i1zlsTP-FxBYHsu9nQAbaPtevIXo&code_challenge=zX6uooEi8ixzVk6_VOxxzmmgXMThOgNfX092SP-Xl0E&code_challenge_method=S256 the login app forward me to https://login-ui-8644fb44f5-fr8km:3000/accounts?authRequestId=V2_289367805545939075 effectively breaking the login Is there a way that the typescript code should pickup the real Host / X-Forwarded-Host for this? 
login-ui-8644fb44f5-fr8km login-ui o [ConnectError]: [failed_precondition] Session has expired (COMMAND-Hkl3d)
login-ui-8644fb44f5-fr8km login-ui     at _ (/app/apps/login/.next/server/chunks/7026.js:34:160888)
login-ui-8644fb44f5-fr8km login-ui     at q (/app/apps/login/.next/server/chunks/7026.js:34:161877)
login-ui-8644fb44f5-fr8km login-ui     at next (/app/apps/login/.next/server/chunks/7026.js:34:167805)
login-ui-8644fb44f5-fr8km login-ui     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
login-ui-8644fb44f5-fr8km login-ui     at async Object.unary (/app/apps/login/.next/server/chunks/7026.js:34:166550)
login-ui-8644fb44f5-fr8km login-ui     at async Object.createCallback (/app/apps/login/.next/server/chunks/7026.js:34:173740)
login-ui-8644fb44f5-fr8km login-ui     at async w (/app/apps/login/.next/server/app/login/route.js:1:5503)
login-ui-8644fb44f5-fr8km login-ui     at async /app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
login-ui-8644fb44f5-fr8km login-ui     at async eC.execute (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
login-ui-8644fb44f5-fr8km login-ui     at async eC.handle (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
login-ui-8644fb44f5-fr8km login-ui   rawMessage: 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui   code: 9,
login-ui-8644fb44f5-fr8km login-ui   metadata: Headers {
login-ui-8644fb44f5-fr8km login-ui     'grpc-message': 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status': '9',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status-details-bin': 'CAkSI1Nlc3Npb24gaGFzIGV4cGlyZWQgKENPTU1BTkQtSGtsM2QpGlIKKnR5cGUuZ29vZ2xlYXBpcy5jb20veml0YWRlbC52MS5FcnJvckRldGFpbBIkCg1DT01NQU5ELUhrbDNkEhNTZXNzaW9uIGhhcyBleHBpcmVk',
login-ui-8644fb44f5-fr8km login-ui     'cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'content-type': 'application/grpc+proto',
login-ui-8644fb44f5-fr8km login-ui     expires: 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-expires': 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-pragma': 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     pragma: 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
login-ui-8644fb44f5-fr8km login-ui     'x-robots-tag': 'none'
login-ui-8644fb44f5-fr8km login-ui   },
login-ui-8644fb44f5-fr8km login-ui   details: [ { type: 'zitadel.v1.ErrorDetail', value: [Uint8Array] } ],
login-ui-8644fb44f5-fr8km login-ui   cause: undefined
login-ui-8644fb44f5-fr8km login-ui }
login-ui-8644fb44f5-fr8km login-ui o [ConnectError]: [failed_precondition] Session has expired (COMMAND-Hkl3d)
login-ui-8644fb44f5-fr8km login-ui     at _ (/app/apps/login/.next/server/chunks/7026.js:34:160888)
login-ui-8644fb44f5-fr8km login-ui     at q (/app/apps/login/.next/server/chunks/7026.js:34:161877)
login-ui-8644fb44f5-fr8km login-ui     at next (/app/apps/login/.next/server/chunks/7026.js:34:167805)
login-ui-8644fb44f5-fr8km login-ui     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
login-ui-8644fb44f5-fr8km login-ui     at async Object.unary (/app/apps/login/.next/server/chunks/7026.js:34:166550)
login-ui-8644fb44f5-fr8km login-ui     at async Object.createCallback (/app/apps/login/.next/server/chunks/7026.js:34:173740)
login-ui-8644fb44f5-fr8km login-ui     at async w (/app/apps/login/.next/server/app/login/route.js:1:5503)
login-ui-8644fb44f5-fr8km login-ui     at async /app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
login-ui-8644fb44f5-fr8km login-ui     at async eC.execute (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
login-ui-8644fb44f5-fr8km login-ui     at async eC.handle (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
login-ui-8644fb44f5-fr8km login-ui   rawMessage: 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui   code: 9,
login-ui-8644fb44f5-fr8km login-ui   metadata: Headers {
login-ui-8644fb44f5-fr8km login-ui     'grpc-message': 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status': '9',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status-details-bin': 'CAkSI1Nlc3Npb24gaGFzIGV4cGlyZWQgKENPTU1BTkQtSGtsM2QpGlIKKnR5cGUuZ29vZ2xlYXBpcy5jb20veml0YWRlbC52MS5FcnJvckRldGFpbBIkCg1DT01NQU5ELUhrbDNkEhNTZXNzaW9uIGhhcyBleHBpcmVk',
login-ui-8644fb44f5-fr8km login-ui     'cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'content-type': 'application/grpc+proto',
login-ui-8644fb44f5-fr8km login-ui     expires: 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-expires': 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-pragma': 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     pragma: 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
login-ui-8644fb44f5-fr8km login-ui     'x-robots-tag': 'none'
login-ui-8644fb44f5-fr8km login-ui   },
login-ui-8644fb44f5-fr8km login-ui   details: [ { type: 'zitadel.v1.ErrorDetail', value: [Uint8Array] } ],
login-ui-8644fb44f5-fr8km login-ui   cause: undefined
login-ui-8644fb44f5-fr8km login-ui }
10 Replies
FFO
FFO•12mo ago
@peintnermax can you please advise
Endre | Blackr4t
Endre | Blackr4tOP•12mo ago
@peintnermax any idea?
Unknown User
Unknown User•12mo ago
Message Not Public
Sign In & Join Server To View
Endre | Blackr4t
Endre | Blackr4tOP•12mo ago
@peintnermax I'm using Traefik with GatewayAPI ontop of Kubernetes but sure 
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: login-ui
  namespace: foo-id
spec:
  hostnames:
    - login.foo.com
  parentRefs:
    - name: traefik-gateway
      namespace: ingress-system
  rules:
    - backendRefs:
        - name: login-ui
          port: 80
      matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-Forwarded-Host
                value: login.foo.com
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: login-ui
  namespace: foo-id
spec:
  hostnames:
    - login.foo.com
  parentRefs:
    - name: traefik-gateway
      namespace: ingress-system
  rules:
    - backendRefs:
        - name: login-ui
          port: 80
      matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-Forwarded-Host
                value: login.foo.com
@peintnermax Do you know though what's the expected headers? 🤔
Unknown User
Unknown User•12mo ago
Message Not Public
Sign In & Join Server To View
Endre | Blackr4t
Endre | Blackr4tOP•12mo ago
@peintnermax yes that is for login -> zitadel communication, but the issue now seems to be that request.nextUrl.host is not being set to the value of the incoming Host header this means for example that 1. Proxied requests via the middleware.ts file towards zitadel will get wrong x-zitadel-public-host 2. Redirects / other things where the login app responds back to the client will get the wrong Host in the URL
Unknown User
Unknown User•12mo ago
Message Not Public
Sign In & Join Server To View
Endre | Blackr4t
Endre | Blackr4tOP•12mo ago
Hmm, good point actually @peintnermax But that's just some of the calls though, what about the redircts also that happen that also seem to be reliant on it?
Unknown User
Unknown User•12mo ago
Message Not Public
Sign In & Join Server To View
Endre | Blackr4t
Endre | Blackr4tOP•12mo ago
@peintnermax yeah I know that, but those are not the problem anymore anyways, we're still at the root problem still really which is that NextJS seems to ignore setting request.nextUrl.host to the incoming Host header for some reason and that causes the other later redirect() calls to give the wrong value for the host

Did you find this page helpful?