Stirling-Tools / Stirling-PDF

#1 Locally hosted web application that allows you to perform various operations on PDF files

[BUG] : SSO settings are wiped out at container start

Navino16 opened this issue

I've set the following settings in the settings.yml file:

```yaml
security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries
  loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
#  initialLogin:
#    username: "admin" # Initial username for the first login
#    password: "stirling" # Initial password for the first login
  oauth2:
   enabled: true # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
   issuer: "https://auth.REDACTED" # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
   clientId: "stirling-pdf" # Client ID from your provider
   clientSecret: "REDACTED" # Client Secret from your provider
   autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
   useAsUsername: "email" # Default is 'email'; custom fields can be used as the username
   scopes: "openid, profile, email, groups" # Specify the scopes for which the application will request permissions
```

When the container starts, the settings are loaded but then they are wiped out, resulting in the settings.yml file looking like this:

```yaml
security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries
  loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
#  initialLogin:
#    username: "admin" # Initial username for the first login
#    password: "stirling" # Initial password for the first login
  oauth2:
#    enabled: false # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
#    issuer: "" # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
#    clientId: "" # Client ID from your provider
#    clientSecret: "" # Client Secret from your provider
#    autoCreateUser: false # set to 'true' to allow auto-creation of non-existing users
#    useAsUsername: "email" # Default is 'email'; custom fields can be used as the username
#    scopes: "openid, profile, email" # Specify the scopes for which the application will request permissions
#    provider: "google" # Set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
```

And obviously, at the next reboot it will no longer work.

Here is my docker-compose.yml file for reference:

```yaml
---
services:
  ## https://hub.docker.com/r/frooodle/s-pdf
  stirling-pdf:
    image: frooodle/s-pdf:latest
    container_name: stirling-pdf
    labels:
      - diun.enable=true
    env_file:
      - ../common.env
      - ./stirling-pdf.env
    volumes:
      - ./config/stirling-pdf/settings.yml:/configs/settings.yml
      - ./config/stirling-pdf/fra.traineddata:/usr/share/tessdata/fra.traineddata
      - /absolute/path/to/data/stirling-pdf/configs:/configs
      - /absolute/path/to/data/stirling-pdf/tessdata:/usr/share/tessdata
    networks:
      - myNetwork
    restart: unless-stopped
```

Content of env files:

```bash
## ../common.env
PGID=1000                   # Set group used for running the container (doesn't work in every container)
PUID=1000                   # Set user used for running the container (doesn't work in every container)
TZ=Europe/Paris             # Set timezone used for running the container (doesn't work in every container)

## ./stirling.env
DOCKER_ENABLE_SECURITY=true
INSTALL_BOOK_AND_ADVANCED_HTML_OPS=true
LANGS=en_GB,fr_FR
```

Could you send over your full settings file so I can try to reproduce the resetting locally?

@Frooodle

Full settings file:

```yaml
# Welcome to settings file
# Remove comment marker # if on start of line to enable the configuration
# If you want to override with environment parameter follow parameter naming SECURITY_INITIALLOGIN_USERNAME

security:
  enableLogin: true # set to 'true' to enable login
  csrfDisabled: false # Set to 'true' to disable CSRF protection (not recommended for production)
  loginAttemptCount: 5 # lock user account after 5 tries
  loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
#  initialLogin:
#    username: "admin" # Initial username for the first login
#    password: "stirling" # Initial password for the first login
  oauth2:
   enabled: true # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
   issuer: "https://auth.REDACTED" # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) end-point
   clientId: "stirling-pdf" # Client ID from your provider
   clientSecret: "REDACTED" # Client Secret from your provider
   autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
   useAsUsername: "email" # Default is 'email'; custom fields can be used as the username
   scopes: "openid, profile, email, groups" # Specify the scopes for which the application will request permissions
#    provider: "google" # Set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
#    client:
#      google:
#        clientId: "" # Client ID for Google OAuth2
#        clientSecret: "" # Client Secret for Google OAuth2
#        scopes: "https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile" # Scopes for Google OAuth2
#        useAsUsername: "email" # Field to use as the username for Google OAuth2
#      github:
#        clientId: "" # Client ID for GitHub OAuth2
#        clientSecret: "" # Client Secret for GitHub OAuth2
#        scopes: "read:user" # Scope for GitHub OAuth2
#        useAsUsername: "login" # Field to use as the username for GitHub OAuth2
#      keycloak:
#        issuer: "http://192.168.0.123:8888/realms/stirling-pdf" # URL of the Keycloak realm's OpenID Connect Discovery endpoint
#        clientId: "stirling-pdf" # Client ID for Keycloak OAuth2
#        clientSecret: "" # Client Secret for Keycloak OAuth2
#        scopes: "openid, profile, email" # Scopes for Keycloak OAuth2
#        useAsUsername: "email" # Field to use as the username for Keycloak OAuth2

system:
  defaultLocale: 'fr-FR' # Set the default language (e.g. 'de-DE', 'fr-FR', etc)
  googlevisibility: false # 'true' to allow Google visibility (via robots.txt), 'false' to disallow
  enableAlphaFunctionality: false # Set to enable functionality which might need more testing before it fully goes live (This feature might make no changes)
  showUpdate: true # see when a new update is available
  showUpdateOnlyAdmin: true # Only admins can see when a new update is available, depending on showUpdate it must be set to 'true'
  customHTMLFiles: false # enable to have files placed in /customFiles/templates override the existing template html files

ui:
  appName: null # Application's visible name
  homeDescription: null # Short description or tagline shown on homepage.
  appNameNavbar: null # Name displayed on the navigation bar

endpoints:
  toRemove: [] # List endpoints to disable (e.g. ['img-to-pdf', 'remove-pages'])
  groupsToRemove: [] # List groups to disable (e.g. ['LibreOffice'])

metrics:
  enabled: true # 'true' to enable Info APIs (`/api/*`) endpoints, 'false' to disable

# Automatically Generated Settings (Do Not Edit Directly)
AutomaticallyGenerated:
  key: REDACTED
```

If it can have any impact, the OpenID provider is Authelia.

Fixed in 0.25.2!
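A check for the reset reported in this issue, added here as an example and not code from Stirling-PDF or from the thread: it compares the `security.oauth2` keys that were configured with the ones still active in settings.yml after the container has started. The function names, the sample files and the `auth.example.invalid` issuer are constructed for illustration, and the parser assumes the simple key/value layout of the settings file shown above.

```python
import re

# Constructed samples modelled on the issue: settings.yml as configured and after container start.
CONFIGURED = """\
security:
  enableLogin: true
  oauth2:
   enabled: true # set to 'true' to enable login
   issuer: "https://auth.example.invalid"
   clientSecret: "constructed-placeholder"
   scopes: "openid, profile, email, groups"
"""
AFTER_START = """\
security:
  enableLogin: true
  oauth2:
#    enabled: false # set to 'true' to enable login
#    issuer: ""
#    clientSecret: ""
#    scopes: "openid, profile, email"
"""

def active_oauth2(text):
    """Return uncommented scalar keys directly under security.oauth2."""
    found, path = {}, []  # path: stack of (indent, key) for enclosing mappings
    for raw in text.splitlines():
        m = re.match(r"^( *)([A-Za-z0-9_]+):\s*(.*)$", raw)
        if not m:
            continue  # blank, commented-out, or not a simple key line
        indent, key = len(m.group(1)), m.group(2)
        # Drop a trailing comment, then quotes (a '#' inside quotes is not handled).
        value = re.sub(r"(?:^|\s+)#.*$", "", m.group(3)).strip().strip("\"'")
        while path and path[-1][0] >= indent:
            path.pop()
        if [k for _, k in path] == ["security", "oauth2"] and value:
            found[key] = value
        path.append((indent, key))
    return found

def sso_drift(configured, current):
    """Map each lost or changed oauth2 key to (configured, current or None)."""
    want, have = active_oauth2(configured), active_oauth2(current)
    hide = lambda k, v: "<redacted>" if v and "secret" in k.lower() else v  # keep secrets out of logs
    return {k: (hide(k, v), hide(k, have.get(k)))
            for k, v in want.items() if have.get(k) != v}

if __name__ == "__main__":
    for key, (want, got) in sso_drift(CONFIGURED, AFTER_START).items():
        print(f"oauth2.{key}: configured {want!r}, now {got!r}")
```

A non-empty result after a restart or image update means the SSO settings in the mounted file no longer match what was configured.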