
[Bug]: Actual fails to sync when run under Cloudflare Zero Trust due to the expired auth token and no CORS #4422

Open
1 task done
gtrubach opened this issue Feb 20, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@gtrubach

Verified issue does not already exist?

  • I have searched and found no existing issue

What happened?

Hi,

First of all thanks for this great project!

I'm running Actual behind Cloudflare with ZeroTrust. CF issues a CF_Authorization token after login, which expires after 1 day. When it has expired, Actual fails to call the /sync endpoint, as CF rejects the request due to the expired token.

```text
Access to fetch at 'https://<cf-account-name>.cloudflareaccess.com/cdn-cgi/access/login/<fqdn>?kid=<redacted>&redirect_url=%2Fsync%2Fsync&meta=<redacted>' (redirected from 'https://<fqdn>/sync/sync') from origin 'https://<fqdn>' 
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. 
If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
```

There was a similar change recently, #3286, where some similar issues were fixed, but unfortunately it does not work with CF ZeroTrust. Calling this code from the PR works, though!

```javascript
// Drop the service worker registered for the app root, then reload so the
// page fetches fresh responses from the server instead of cached ones.
window.navigator.serviceWorker
  .getRegistration('/')
  .then(registration => {
    if (registration == null) return; // nothing registered, nothing to do
    return registration.unregister();
  })
  .then(() => {
    window.location.reload();
  });
```

This leads me to think that something is wrong with the if condition on this line: https://github.com/actualbudget/actual/blob/master/packages/loot-core/src/platform/server/fetch/index.web.ts#L13. Similar reports can also be found in the mentioned PR #3286 (comment).

It would be great if this were fixed, as it makes the setup a bit unusable due to the need to clear all cookies manually every day.

How can we reproduce the issue?

  1. Set up a Cloudflare Zero Trust application using any auth method
  2. Put Actual behind it
  3. Access Actual and log in
  4. Delete the CF_Authorization cookie (or wait 1 day for it to expire)
  5. Observe that the server goes offline and sync calls fail.

Where are you hosting Actual?

Docker

What browsers are you seeing the problem on?

Chrome

Operating System

Windows 11

@gtrubach gtrubach added the bug Something isn't working label Feb 20, 2025
@gtrubach
Author

Also, it seems it corrupted my PWA.
I tried to switch servers back and forth, but now it says that the server is not running under the provided URL. The only option is to delete all cookies, which I cannot do, as Edge on iPhone can only delete cookies for all websites...

@mathisgauthey

Got the same issue on my end. Response body is not available to scripts (Reason: CORS Missing Allow Origin)

My setup is defined here and involves a Cloudflare tunnel with access restriction and Nginx Proxy Manager.
