I am unable to access my Forest Admin panel

I am unable to log in to my Forest Admin panel and am receiving the following error message saying my backend is unreachable! Please help.


Hi @matthew_Boyd!
Can you check if the given URL is reachable?
Do you have any error in your browser console/network tab or on your backend?

I have several users that have experienced this error on our Testing and Staging environments.

Failed to load resource: the server responded with a status of 404 ()
woodpecker.dev.fini.city/forest/sessions:1 

Failed to load resource: the server responded with a status of 400 (Bad Request)
b3bc1330-1acc-11eb-9130-553433093ec4:1 

Uncaught (in promise) Response
body: ReadableStream (locked: true)
bodyUsed: true
headers: Headers {}
ok: false
redirected: false
status: 400
statusText: "Bad Request"
type: "cors"
url: "https://woodpecker.dev.fini.city/forest/sessions"

https://o460888.ingest.sentry.io/api/5461860/store/?sentry_key=e2ed514e88cb47caa2841b41c071a75a&sentry_version=7

Also, you should never send this sort of information unencrypted with any call: {"email":"andrew*****@finicity.com","password":"************","token":null,"twoFactorRegistration":false,"renderingId":"102807","projectId":"21447"}
This was included in the sessions request body:

Request URL: https://woodpecker.dev.fini.city/forest/sessions
Request Method: OPTIONS
Status Code: 204 No Content
Remote Address: 10.22.1.46:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Forest-Context-Url,Authorization,X-Requested-With,Content-Type
Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
Access-Control-Allow-Origin: https://app.forestadmin.com
Access-Control-Expose-Headers: Server-Timing
Age: 0
Connection: keep-alive
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Date: Thu, 21 Oct 2021 15:10:12 GMT
Expect-CT: max-age=0
Referrer-Policy: no-referrer
Server: nginx/1.17.7
Server-Timing: traceparent;desc="00-92c1e1134f37270ba65bfaf7841c9eda-437f4502585fa161-01"
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Origin, Accept
Via: 1.1 varnish (Varnish/6.4)
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Varnish: 327891
X-XSS-Protection: 0
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Access-Control-Request-Headers: content-type
Access-Control-Request-Method: POST
Connection: keep-alive
Host: woodpecker.dev.fini.city
Origin: https://app.forestadmin.com
Referer: https://app.forestadmin.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

Request URL: https://woodpecker.dev.fini.city/forest/sessions
Request Method: POST
Status Code: 400 Bad Request
Remote Address: 10.22.1.46:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://app.forestadmin.com
Access-Control-Expose-Headers: Server-Timing
Age: 0
Cache-Control: no-store
Connection: keep-alive
Content-Length: 213
Content-Security-Policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
Content-Type: application/json; charset=utf-8
Date: Thu, 21 Oct 2021 15:10:14 GMT
ETag: W/"d5-2OshuEQonwRO7OpN7vso2UM6VHE"
Expect-CT: max-age=0
Finicity-Request-Id: FIN366792
Finicity-Trace-Id: cd54e2a
Referrer-Policy: no-referrer
Server: nginx/1.17.7
Server-Timing: traceparent;desc="00-3a9b0af2f85ab230d26b0c21f8ef99a5-9901472ddaf34106-01"
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Origin, Accept
Via: 1.1 varnish (Varnish/6.4)
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Powered-By: Express
X-Varnish: 950403
X-XSS-Protection: 0
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 149
Content-Type: application/json; charset=utf-8
DNT: 1
Host: woodpecker.dev.fini.city
Origin: https://app.forestadmin.com
Referer: https://app.forestadmin.com/
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="94"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36

Hi @Andrew_Prior,

Thank you for your feedback.
What do you suggest as a more secure authentication system?

Our platform has been audited (grey box) by a third party security company in April 2021.
And no vulnerability has been raised about this aspect.

1 Like

You could just use an Authorization header.

Hi again @Andrew_Prior,

As a side note, since we certainly have spotted your issue.

We take the security of our systems really seriously. Security feedback is always welcome. If you have some suggestions for a more secure authentication system, we are pleased to receive any feedback. We have a dedicated email/process (as part of our future SOC 2 compliance) for this type of submission. :pray:

For information, since the introduction of OIDC in the agent, we do use the Authorization header, among others, to perform secure and fast connections to the agents. :pray:

Kind regards,
Morgan

2 Likes

Hey @matthew_Boyd,

Do you still have the issue?

Regards,
Morgan

Hi Morgan,

I am unable to log in to my Forest account and would appreciate your assistance. I’ve been unable to log in for a few weeks now, which is causing me issues with trying to run my business.

I’d appreciate your response at your earliest convenience please.

Matthew

Hello @matthew_Boyd,

Sorry to hear that. Since you didn’t answer my questions, I thought all things were running well on your side. :slightly_frowning_face:

So your backend seems not to be running.

  • Do you have access to the server where it is hosted?
  • Can you try to restart it?
  • Your endpoint definition is https://dev-fa-ub.vollie.com.au for your Production environment, is that right?
  • Can you share the Network tab of your browser with the failing call information? (It could be helpful)

Thank you for your time. I’m looking forward to hearing from you.

QUESTION: Besides, you are running a very outdated version (6.3.0) of forest-express-mongoose; would you consider upgrading it in the future?

Kind regards,
Morgan

Hi Morgan,

Following up here.

Following my answers to your questions, can you help me gain access to my Forest account please.

Matthew

Sorry, did you send me a message with the information I requested for investigation?

I would be happy to help you if I get the answers to the following questions:

Best regards,
Morgan

Forwarding my responses here again Morgan.

Matthew

Hello @matthew_Boyd,

I wasn’t clear enough.

I need more information in order to help you. Can you share a screenshot of your network tab? (It’s very important to ensure the right diagnosis and help you.)
Note: The failing call should be on the route /forest/sessions or /forest/sessions-google

For your information, forest-express-mongoose (6.3.0) uses the old mechanism to perform login to the agent (backend). An upgrade to version 7 could easily resolve the issue.

In the meantime, I’m assuming that you are trying to connect with google-auth, am I right? If that’s the case, can you share the email you use to perform the connection?

Regards,
Morgan

Hi again,

I just saw that the error message changed in your second screenshot → You are not allowed to login into this project

I just looked at the project and I see that your user has been blocked. As part of our new pricing, free plans are now limited to one user, and we have an issue displaying it correctly on the old agents.

Regards,
Morgan

Hi Morgan,

Your colleague, Raja Nair, has helped me resolve this matter by informing me that I needed to upgrade Vollie’s billing from the Free tier to Team.

Thanks for your assistance,

MB

Hi @matthew_Boyd,

Glad that works for you. :pray:

You’re welcome.

Kind regards,
Morgan