When using cloudflared to create a tunnel to DEVONthink Server, login credentials appear to be shared with anyone else who also visits the site during the time a user is logged in.
Background
I have a Zero Trust team set up. Using cloudflared to open a tunnel from Zero Trust to my home network with ingress rules to point various subdomains to specific servers. Cloudflare is handling DNS and points three subdomains to the cloudflared tunnel, which are then routed: books.mydomain.com points to my Calibre server, plex.mydomain.com points to my Plex server, and devon.mydomain.com points to DT server.
All seem to work fine (something I could never get with caddy, nginx, or OpenVPN) with one glaring exception. Once I log in to DT Server from a browser, it is served to anyone without requiring credentials. E.g., if I log in from my computer, and my daughter points her browser on her MBA to devon.mydomain.com the login window is bypassed and she has my access to the databases. My brother in another state, same thing–and as soon as I log out, they can no longer see anything (or rather, they see the weird 403 errors that occur when you’ve left a session open and it times out and you try to click on something).
This does NOT happen with Calibre or Plex, when I am logged in and someone else goes to those URLs, they are presented with the appropriate login screen and must log in before accessing those services–only DT Server seems to be bypassing the log-in screen if someone is already logged in.
No load balancing or weird ccokies that I’ve changed from the default settings.
I set up a simple web page with basic auth, and while logged in, making other attempt also log in, which is consistent with the way Calibre server and Plex server are running–it only seems to affect DT.
Seems like there must be some kind of man-in-the-middle effect going on. I assume the Devonthink server is basically REST, so persistence is the job of the visiting client.
When a second visitor gets in on a first user’s credentials, does the second user drop into the same view of DT as the first had?
Another test would be to have one simple Apache page, authenticated or not, set a cookie and let another page display the cookie. If one user could get the cookie set and the next one view it, that would be evidence as to the problem being in DT or not.
Well, there you go. I would have bet good money on that being impossible. The credentials must be carried by the visitor as cookies.
About the only other thing I can think of at the moment is to use your browser’s developer tools and compare cookies on two browsers.
My guess is you’ll see session cookies for authentication. They should be different for different users.
If you’re running two browser instances on the same machine, that would be a different situation. For different browsers on different machines, login and authentication should be separate - or at least that’s what it seems to me as a guess without information.
If either the browser, the computer or the current user account (the one of the system, not the one of the server) are different, then the cookies should be definitely different and independent.
As soon as the next release will be available, please enable the hidden preference ServerDebugLog and try to reproduce the issue.
The file ~/Library/Application Support/DEVONthink 3/Console.log plus the time of your login and the time of somebody else accessing the web interface without being prompted to login would be great.
Or if you’re interested in a beta, just let me know.
