I am unable to access my Forest Admin panel

I am unable to log in to my Forest Admin panel and am receiving the following error message saying my backend is unreachable. Please help.

[Screenshot attached: Screen Shot 2021-10-20 at 8.50.16 am, showing the "backend unreachable" error]

Hi @matthew_Boyd!
Can you check if the given URL is reachable?
Do you have any error in your browser console/network tab or on your backend?

I have several users that have experienced this error on our Testing and Staging environments.

Failed to load resource: the server responded with a status of 404 ()
woodpecker.dev.fini.city/forest/sessions:1 

Failed to load resource: the server responded with a status of 400 (Bad Request)
b3bc1330-1acc-11eb-9130-553433093ec4:1 

Uncaught (in promise) Response {
  type: "cors",
  url: "https://woodpecker.dev.fini.city/forest/sessions",
  status: 400,
  statusText: "Bad Request",
  ok: false,
  redirected: false,
  headers: Headers {},
  body: ReadableStream (locked: true),
  bodyUsed: true
}

https://o460888.ingest.sentry.io/api/5461860/store/?sentry_key=e2ed514e88cb47caa2841b41c071a75a&sentry_version=7

Also, you should never send this sort of information unencrypted with any call: {"email":"andrew*****@finicity.com","password":"************","token":null,"twoFactorRegistration":false,"renderingId":"102807","projectId":"21447"}
This was included in the sessions request body:

Request URL: https://woodpecker.dev.fini.city/forest/sessions
Request Method: OPTIONS
Status Code: 204 No Content
Remote Address: 10.22.1.46:443
Referrer Policy: strict-origin-when-cross-origin

Response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Forest-Context-Url,Authorization,X-Requested-With,Content-Type
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: https://app.forestadmin.com
Access-Control-Expose-Headers: Server-Timing
Age: 0
Connection: keep-alive
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Date: Thu, 21 Oct 2021 15:10:12 GMT
Expect-CT: max-age=0
Referrer-Policy: no-referrer
Server: nginx/1.17.7
Server-Timing: traceparent;desc="00-92c1e1134f37270ba65bfaf7841c9eda-437f4502585fa161-01"
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Origin, Accept
Via: 1.1 varnish (Varnish/6.4)
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Varnish: 327891
X-XSS-Protection: 0

Request headers:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: woodpecker.dev.fini.city
Origin: https://app.forestadmin.com
Referer: https://app.forestadmin.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

Request URL: https://woodpecker.dev.fini.city/forest/sessions
Request Method: POST
Status Code: 400 Bad Request
Remote Address: 10.22.1.46:443
Referrer Policy: strict-origin-when-cross-origin

Response headers:
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.forestadmin.com
Access-Control-Expose-Headers: Server-Timing
Age: 0
Cache-Control: no-store
Connection: keep-alive
Content-Length: 213
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Date: Thu, 21 Oct 2021 15:10:14 GMT
ETag: W/"d5-2OshuEQonwRO7OpN7vso2UM6VHE"
Expect-CT: max-age=0
Finicity-Request-Id: FIN366792
Finicity-Trace-Id: cd54e2a
Referrer-Policy: no-referrer
Server: nginx/1.17.7
Server-Timing: traceparent;desc="00-3a9b0af2f85ab230d26b0c21f8ef99a5-9901472ddaf34106-01"
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Origin, Accept
Via: 1.1 varnish (Varnish/6.4)
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Powered-By: Express
X-Varnish: 950403
X-XSS-Protection: 0

Request headers:
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 149
Content-Type: application/json; charset=utf-8
DNT: 1
Host: woodpecker.dev.fini.city
Origin: https://app.forestadmin.com
Referer: https://app.forestadmin.com/
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

Hi @Andrew_Prior,

Thank you for your feedback.
What do you suggest as a more secure authentication system?

Our platform was audited (grey box) by a third-party security company in April 2021,
and no vulnerability was raised about this aspect.


You could just use an Authorization header.

Hi again @Andrew_Prior,

As a side note, since we have certainly spotted your issue.

We take the security of our systems really seriously. Security feedback is always welcome. If you have some suggestions for a more secure authentication system, we are pleased to receive any feedback. We have a dedicated email/process (as part of our future SOC 2 compliance) for this type of submission.

For information, since the introduction of OIDC in the agent we do use the Authorization header, among others, to perform secure and fast connections to the agents.

Kind regards,
Morgan


Hey @matthew_Boyd,

Do you still have the issue ?

Regards,
Morgan