Logout page from Wordpress account redirects to yunohost login page. Doesnt let account log out

merchmanager · May 14, 2021, 2:32pm

/ Message template (english)

My YunoHost server : Latest 4.2 -Updated to latest stable release

Hardware: VPS with debian 10

YunoHost version: 4.2.4
**I have access to my server :Through SSH & through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : No
If yes, please explain:

Description of my issue

(1) **What am i trying to do -**I am trying to run a wordpress website with woocommerce in it. users needs to have access to login and logout from their woo commerce account.
(2) Origin of the issue Yunohost makes you install wordpress in subdirectory if you want to install other apps(which i understand). So i have installed wordpress in mydomain.tld/home/
(3) Two issues started happening. one i was able to resolve, another i couldn’t.
(4) Anyone typing in **www.**mydomain.tld/home was being redirected to yunohost. I resolved this by setting up a redirect on *.mydomain.tld to redirect it to mydomain.tld/home. This takes away my capability to keep subdomains in future, but for now, first things first.
(5)I managed to install the wordpress and everything went smoothly. I didn’t pay attention to the SSO plugin (simple LDAP) as it was (i) Not covered in documentation (ii) it was 5 years old (iii) its own page said that it works only till wordpress 4.7 (latest wp is 5.7). i uninstalled it
(6) But one problem is that on logging out of wordpress using simple link https://mydomain.tld/home/my-account/customer-logout/ I log out fine, but wordpress has this security feature of adding a nonce.
(7) so the real link looks like https://mydomain.tld/home/my-account/customer-logout/?_wpnonce=8a7d681a84
(8) When a link with nonce comes in, it doesnt log out, but yunohost steps in with a login page.

If someone could suggest a way to completely sidestep yunohost till the time a URL like mydomain.tld/yunohost appears, it will be best. I have been reading something around .htaccess and nginx config but before that i wanted to see if there is a better way here.

merchmanager · May 14, 2021, 3:42pm

After rummaging around looking for ngnix configuration, i believe that i am in the general area and setting somewhere here is to blame, but i don’t know enough to set it right.
(1) All 404 are being redirected to yunohost, which shouldnt happen. Should be redirected to root wordpress site (which i defined while installing wordpress )
(2) Any redirects and some conditional url also getting redirected to sso…which shouldn’t be the case.

(/usr/share/ssowat/access.lua)

– Get request arguments
uri_args = ngx.req.get_uri_args()

    -- Logout is also called via a `GET` method
    -- TODO: change this ?
    if uri_args.action and uri_args.action == 'logout' then
        logger.debug("Logging out")
        return hlp.logout()

    -- If the `r` URI argument is set, it means that we want to
    -- be redirected (typically after a login phase)
    elseif is_logged_in and uri_args.r then
        -- Decode back url
        back_url = ngx.decode_base64(uri_args.r)

        -- If `back_url` contains line break, someone is probably trying to
        -- pass some additional headers
        if string.match(back_url, "(.*)\n") then
            hlp.flash("fail", hlp.t("redirection_error_invalid_url"))
            logger.error("Redirection url is invalid")
            return hlp.redirect(conf.portal_url)

merchmanager · May 14, 2021, 3:43pm

@Aleks please help… i dont code, and thats why i went with yunohost

merchmanager · May 14, 2021, 7:05pm

same issue elsewhere on yunohost as well… i would like to believe that any answer will help multiple people

github.com/YunoHost-Apps/wordpress_ynh

Logging out of wordpress doesn't log out

opened 06:00PM - 01 Apr 21 UTC

closed 10:07PM - 08 Apr 21 UTC

eauchat

I don't know if the issue is related to the wordpress app specifically or to yun…ohost in general, since I have similar issues with other apps (or maybe they are different, but anyway). The issue is that if I'm logged in wordpress and click logout in the wordpress interface, I'm redirected to the sso login page, but if I open the administration url again, I'm still logged in. My setup is wordpress single site with url: `wp.domain.tld`, and main yunohost domain is `ynh.domain.tld`.

merchmanager · May 14, 2021, 7:40pm

After over 10 hours of trying to find a workaround, this is how to resolve it if you face the challenge.
(1) Problem is being caused by permissions on yunohost + default implimentation of SSO as far as wordpress is concerned.
(2) How: Post a normal customer/subscriber clicks on logout from woocommerce account , in the yunohost version, wordpress tries to redirect you to wordpress login by default.(and not the woocommerce login as happens elsewhere)
(3) This wordpress login is in the restricted area and therefore yunohost steps in with a SSO page.
Solution I added wordpress admin area permission to visitors and post that the user account was allowed to log out. Not a secure solution and beats the yunohost permission management logic, but there was no option. As a secondary measure, have installed harder rules on limited login attempt logout, tightened recaptcha, cloudflare bot and sucuri to secure the admin page. Not as great, but for timebeing there is no other option.
@Aleks if a minor tweak here or there helps, please do include this in next release

system · June 13, 2021, 7:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.