[Bug]: Cannot connect to instance behind Authentik (Proxy Provider) after token expires #1836

Closed
opened 2026-02-28 19:55:56 -06:00 by GiteaMirror · 5 comments

Originally created by @JeremyMusick on GitHub (Feb 6, 2025).

Verified issue does not already exist?

  • I have searched and found no existing issue

What happened?

I currently have Authentik set up to protect Actual Budget. I have it set up as a Proxy Provider and providing OAuth. This issue existed before the OAuth integration, so I would assume we could ignore that.

Docker Compose:

services:
  actual_server:
    image: docker.io/actualbudget/actual-server:latest
    ports:
      # This line makes Actual available at port 5006 of the device you run the server on,
      # i.e. http://localhost:5006. You can change the first number to change the port, if you want.
      - '5006:5006'
    environment:
      # Uncomment any of the lines below to set configuration options.
      # - ACTUAL_HTTPS_KEY=/data/selfhost.key
      # - ACTUAL_HTTPS_CERT=/data/selfhost.crt
      - ACTUAL_PORT=5006
      - ACTUAL_LOGIN_METHOD=header
      # - ACTUAL_UPLOAD_FILE_SYNC_SIZE_LIMIT_MB=20
      # - ACTUAL_UPLOAD_SYNC_ENCRYPTED_FILE_SYNC_SIZE_LIMIT_MB=50
      # - ACTUAL_UPLOAD_FILE_SIZE_LIMIT_MB=20
      # See all options and more details at https://actualbudget.github.io/docs/Installing/Configuration
      # !! If you are not using any of these options, remove the 'environment:' tag entirely.
    volumes:
      # Change './actual-data' below to the path to the folder you want Actual to store its data in on your server.
      # '/data' is the path Actual will look for its files in by default, so leave that as-is.
      - acutalbudget_actualbudget_data:/data
    restart: unless-stopped
volumes:
  acutalbudget_actualbudget_data:
    external: true

NGinx Configuration:

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    # Set any other headers your application might need
    # proxy_set_header Host $host;
    # proxy_set_header ...

    ##############################
    # authentik-specific config
    ##############################
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://10.10.0.7:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://auth.MYDOMAIN.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}

Image: https://github.com/user-attachments/assets/e033cb3a-2a47-4e63-bac9-76f4b50b33c5

Image: https://github.com/user-attachments/assets/e615e412-0a39-4344-9d6a-6a3590588273

Version: 25.2.0 (Server & App)

The Problem

The server is showing offline on the app until I clear my cookies and re-login. The issue seems to coincide, time-wise, with where I set my "token validity" setting in Authentik. If I set it to 5 minutes, it stops working after 5 minutes; if I set it to 120,000 hours, it works... for a really long time.

How can we reproduce the issue?

By replicating my setup above.

Where are you hosting Actual?

Docker

What browsers are you seeing the problem on?

Chrome

Operating System

Linux

GiteaMirror added the bug label 2026-02-28 19:55:56 -06:00

@youngcw commented on GitHub (Feb 6, 2025):

You probably need to setup CORS headers. If you open up the network trace in the developer console you will likely see issues with missing CORS headers. Once that is resolved the app will redirect to your login if it detects the issue.


@JeremyMusick commented on GitHub (Feb 6, 2025):

@youngcw - thanks for pointing me in the right direction. I do see those errors. I'll admit, I'm new to NGinx and actually having my stuff behind proper authentication. Could you help break that down for me a little more? I did run what you said through ChatGPT to help me out on this, and it returned this:

# Increase buffer size for large headers
proxy_buffers 8 16k;
proxy_buffer_size 32k;

# Make sure not to redirect traffic to a port 4443
port_in_redirect off;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;
    
    # Authentik-specific config
    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    # CORS Headers (Allow Cross-Origin Requests)
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
    add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;

    # Handle Preflight (OPTIONS) Requests
    if ($request_method = OPTIONS) {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
        add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Content-Length' '0';
        add_header 'Content-Type' 'text/plain';
        return 204;
    }
}

# All requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass              http://10.10.0.7:9000/outpost.goauthentik.io;
    proxy_set_header        Host $host;
    proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
    add_header              Set-Cookie $auth_cookie;
    auth_request_set        $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header        Content-Length "";
}

# Special location for when the /auth endpoint returns a 401, redirect to the /start URL
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}

I also added these environment variables to my compose file:

       - CORS_ALLOWED_ORIGINS=*
       - CORS_ALLOW_CREDENTIALS=true
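The CORS block in the comment above pairs Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. Browsers refuse that combination on any request that carries cookies, which is what the session cookie set by the Authentik outpost is, so those headers would not clear the errors youngcw describes even when nginx emits them; and a policy that allows every origin with credentials is one a reviewer would flag on its own. The following is an added Python example, not code from this issue or from the Actual or Authentik projects: it applies the browser's CORS acceptance rule to the header set from the comment and to an allow-listed alternative (the equivalent of an nginx map on $http_origin that echoes only known origins). The origins budget.example.com and other.example.org are made up for the demonstration.

```python
# Added example: the CORS acceptance check a browser applies to a response, run
# against the wildcard header set from the comment above and against an
# allow-listed alternative. Not code from the issue or from Actual/Authentik.
from typing import Dict, List, Tuple

# Hypothetical origins used only for this demonstration.
APP_ORIGIN = "https://budget.example.com"
OTHER_ORIGIN = "https://other.example.org"

# Header set produced by the CORS add_header lines in the comment above,
# transcribed into a dict (constructed for this example).
WILDCARD_HEADERS: Dict[str, str] = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS, PUT, DELETE",
    "Access-Control-Allow-Headers": "Origin, X-Requested-With, Content-Type, Accept, Authorization",
    "Access-Control-Allow-Credentials": "true",
}


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare on a lower-cased copy."""
    return {k.lower(): v for k, v in headers.items()}


def browser_accepts(origin: str, headers: Dict[str, str], credentialed: bool) -> Tuple[bool, str]:
    """Decide whether a browser lets the page read a cross-origin response.

    `credentialed` is True when the request carried cookies (or another
    credential), which is the mode the CORS spec restricts most tightly.
    Returns (accepted, reason).
    """
    h = _lower(headers)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header on the response"
    if credentialed:
        if acao == "*":
            return False, "wildcard Access-Control-Allow-Origin is rejected when credentials are sent"
        if h.get("access-control-allow-credentials") != "true":
            return False, "Access-Control-Allow-Credentials must be exactly 'true'"
    if acao != "*" and acao != origin:
        return False, f"origin {origin} does not match allowed origin {acao}"
    return True, "accepted"


def allowlisted_cors_headers(request_origin: str, allowed: List[str]) -> Dict[str, str]:
    """Headers equivalent to an nginx `map $http_origin $cors_origin` allow-list.

    The requesting origin is echoed back only when it is on the list; any other
    origin gets no Access-Control-Allow-Origin at all. `Vary: Origin` stops a
    cache from serving one origin's answer to another.
    """
    headers = {"Vary": "Origin"}
    if request_origin in allowed:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def evaluate_policies(origin: str) -> Dict[str, Tuple[bool, str]]:
    """Run the credentialed check against both header policies for one origin."""
    return {
        "wildcard": browser_accepts(origin, WILDCARD_HEADERS, credentialed=True),
        "allowlist": browser_accepts(
            origin, allowlisted_cors_headers(origin, [APP_ORIGIN]), credentialed=True
        ),
    }


if __name__ == "__main__":
    for who in (APP_ORIGIN, OTHER_ORIGIN):
        for name, (ok, why) in evaluate_policies(who).items():
            print(f"{who:32} {name:9} {'ALLOW' if ok else 'BLOCK'}: {why}")
```

Running it shows the wildcard policy blocked for the app's own origin as soon as cookies are involved, while the allow-list policy admits the app origin and gives other.example.org no CORS grant at all, which is the shape the nginx configuration needs if the client and server really are on different origins.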

@youngcw commented on GitHub (Feb 6, 2025):

You are going to have better luck asking on Discord. It's very setup-dependent. I gave up trying to fix it on my setup once multi-user was added as a built-in feature.


@JeremyMusick commented on GitHub (Feb 6, 2025):

Thanks, I'll do that.


@mathisgauthey commented on GitHub (Feb 28, 2025):

> Thanks, I'll do that.

Hey there pal, make sure to keep us posted as to how you fixed it in the end. I reckon we're not alone on this one: https://github.com/actualbudget/actual/issues/4422


Reference: github-starred/actual#1836