mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-16 15:14:02 -05:00
[Bug]: Actual fails to sync when run under Cloudflare Zero Trust due to the expired auth token and no CORS #1879
Closed
opened 2026-02-28 19:57:04 -06:00 by GiteaMirror
·
7 comments
No Branch/Tag Specified
master
claude/verify-migration-guardrails-i82c8m
cross-version-sync-stage2
api-browser-custom-data-dir
dependabot/npm_and_yarn/npm_and_yarn-cd62b4b37a
tabedzki/feat/replacing-month-picker-with-day-picker
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
cross-version-sync-compat
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
No Label
bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#1879
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @gtrubach on GitHub (Feb 20, 2025).
Verified issue does not already exist?
What happened?
Hi,
First of all thanks for this great project!
I'm running Actual behind Cloudflare with ZeroTrust. CF issues an CF_Authorization token after login which expires after 1 day. When expired, Actual fails to call /sync endpoint as CF rejects the request due to the expired token.
There was a similar change lately https://github.com/actualbudget/actual/pull/3286, where some similar issues were fixed but unfortunately it does not work with CF ZeroTrust. But calling this code from PR works!
This leads me to the thought that something is wrong with the if condition in this line https://github.com/actualbudget/actual/blob/master/packages/loot-core/src/platform/server/fetch/index.web.ts#L13. Also similar reports can be found in the mentioned PR https://github.com/actualbudget/actual/pull/3286#issuecomment-2646377751.
It would be great if this is fixed as it makes the setup a bit unusable due to the need to clean all cookies manually daily.
How can we reproduce the issue?
Where are you hosting Actual?
Docker
What browsers are you seeing the problem on?
Chrome
Operating System
Windows 11
@gtrubach commented on GitHub (Feb 20, 2025):
Also it seems it corrupted my pwa
I tried to switch servers back and forth, but now it says that the server is not running under provided URL. The only option is to delete all cookies which I cannot do as Edge on IPhone can only delete cookies for all web sites...
@mathisgauthey commented on GitHub (Feb 28, 2025):
Got the same issue on my end.
Response body is not available to scripts (Reason: CORS Missing Allow Origin)My setup is defined here and involves Cloudflare tunnel with access restriction and Nginx Proxy Manager.
@KenGrinder commented on GitHub (Mar 5, 2025):
How to Fix CORS Issues with Cloudflare Access (Advanced Settings)
Below are the settings I’m using in Cloudflare. I asked ChatGPT to write a guide based on my settings to make it easier for anyone else that may have the same issue. I have my session duration set to 15 minutes and it's been working fine for the past ~24 hours.
1. Open Your Application in Cloudflare Zero Trust
2. Go to Advanced Settings → CORS
3. Configure the CORS Settings
Below are the recommended settings for most cases:
Bypass options requests to origin: Off
This ensures Cloudflare injects CORS headers for OPTIONS (preflight) requests.
Access-Control-Allow-Credentials: On
Required if your app uses cookies or authorization headers.
Access-Control-Max-Age (seconds):
86400Caches the preflight response for 24 hours.
Access-Control-Allow-Origin:
Add your specific domain here, for example
https://actual.XXXXXXXXX.com.Avoid using “Allow all origins” if possible for better security.
Access-Control-Allow-Methods: All methods
Ensures the browser sees allowed methods like GET, POST, PUT, OPTIONS, etc.
Access-Control-Allow-Headers: All http headers
Alternatively, list only the headers you need (e.g.
Content-Type, Authorization).@mathisgauthey commented on GitHub (Mar 6, 2025):
That is the thing I have been trying for the last two days without yet facing any issues, I can only vouch for that workaround.It doesn't work on my end. Wether I set it up using an application with
domain.tldand/or*.domain.tld, or creating a specific application on cloudflare for actual budget, I still get the same issues.Response body is not available to scripts (Reason: CORS Missing Allow Origin)@KenGrinder commented on GitHub (Mar 9, 2025):
Ah, I can confirm shortly after my instance stopped working.
Full disclosure, I barely know TypeScript and this was mostly created using AI - So this code may be awful/redundant/or incorrect, This still requires the access control allow credentials and allow origin in CF-. I've only been able to test for a few hours in a Docker after deleting the CF_Auth tokens with success, will need some additional testing to confirm.
The issue is the worker for the app stays in cache and upon auth expiration it's not able to prompt for the access page while the service is registered in cache. (You can verify this but manually unregistering the service worker via inspect element) -
For this code change, Upon auth expiration, it unregisters the worker, and prompts to re-auth through Cloudflare access.
I definitely welcome any feedback from someone who actually knows what they are talking about.
Here is my proposed changed:
Updated Fetch Wrapper to Catch Authentication Redirects
File updated:
packages/loot-core/src/platform/server/fetch/index.web.tsredirect: 'manual'for requests and handle both redirect indicators and opaque redirect responses.Replaced:
With:
Handle Authentication Redirect by Unregistering Service Worker
File updated:
packages/desktop-client/src/global-events.tsReplaced:
With:
Brief Explanation
redirect: 'manual'in fetch requests allows explicit detection of authentication redirects, prompting service worker removal and page reload to ensure the latest authentication state.Forked Repository
I've forked Actual Budget with these enhancements for testing:
https://github.com/KenGrinder/actual_CF
I'd appreciate any testing or reviews to confirm no adverse effects are introduced by these changes.
@Nerdtality commented on GitHub (Mar 11, 2025):
Can we get some kind of flag to set this to redirect correctly for CF ZTN?
@Nerdtality commented on GitHub (Mar 11, 2025):
This seems to work as a temporary solution for CF ZTN Authentication