Can’t reset the admin password after the first login if a web context is configured

ecastilla · November 9, 2021, 8:18pm

Template for a good bug report, formatted with Markdown:

versions used: 8.9 LTS and 9.1.x
error observed:

Request URL: http://localhost:9000/sonarqube/api/users/change_password
Request Method: POST
Status Code: 401 
Remote Address: [::1]:9100
Referrer Policy: strict-origin-when-cross-origin

steps to reproduce

run a new docker container with sonarqube image, and specify a context. For example:

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -e SONAR_WEB_CONTEXT=/sonarqube -p 9000:9000 sonarqube:8.9.3-community

head to the browser and login with default credentials (admin/admin)
first time, you will be redirected to the reset password page.
type the info and hit submit.
you are redirected to the login page again. and the password doesn’t change.

I looked to the network tab at my Browser, seems the API call: /api/users/change_password returns 401.
I’m not using a front-end web server.

In Can't reset the admin password after the first login a similar issue is reported, but it’s not the same: there the user is not using a web context, and he was using an Nginx which I’m not using

antoine.vinot · August 9, 2022, 8:21am

Hi Enrique,

Thanks for sharing this issue and providing the steps to reproduce it.

I could reproduce, and after investigating, it seems that the CSRF validation fails when there is a specific web context.
I will continue my investigations to see why the CSRF validation fails and hopefully correct it for version 9.6.

I have created a ticket for this here.

antoine.vinot · August 9, 2022, 9:51am

Clearing the cookies in the web browser worked on my side.
I had two cookies for the same domain because I first started the application without web context. So I had an XSRF-TOKEN cookie with path “/” and another with path “/sonarqube”.
Removing the cookies for path “/” solves the issue.
Also, cookies are automatically refreshed after a few days, so it will suddenly be working.

I know this topic is quite old but I’d like to confirm that this was the same issue for you:
Do you by any chance remember if you first started without web context?
Do you still reproduce this bug?

Thanks

antoine.vinot · November 16, 2022, 1:53pm

I am closing this thread. The related ticket has been done.
To sum up, we added documentation for the sonar.web.context property.

system · November 23, 2022, 1:53pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.