[GH-ISSUE #1143] Resource with no domain causes endless redirect loop #6576

New Issue

Closed

opened 2026-04-25 15:29:04 -05:00 by GiteaMirror · 3 comments

GiteaMirror commented 2026-04-25 15:29:04 -05:00

Owner

Copy Link

Originally created by @srgustafson8 on GitHub (Jul 27, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1143

Originally assigned to: @miloschwartz on GitHub.

Running v1.7.3, recently upgraded from v1.5.x
Docker Compose running on AWS Lightsail

I triggered a strange error today where I created a new resource but never selected/added the domain as below:

The resource creates successfully, but then causes the app go into a redirect loop - any request made goes into a loop like this (real url obfuscated)

https://pangolin.url/auth/resource/14?redirect=https%3A%2F%2Fpangolin.url%2Fauth%2Fresource%2F14%3Fredirect%3Dhttps%253A%252F%252Fpangolin.url%252Fauth%252Fresource%252F14%253Fredirect%253Dhttps%25253A%25252F%25252Fpangolin.url%25252Fauth%25252Fresource%25252F14%25253Fredirect%25253Dhttps%2525253A%2525252F%2525252Fpangolin.url%2525252Fauth%2525252Fresource%2525252F14%2525253Fredirect%2525253Dhttps%252525253A%252525252F%252525252Fpangolin.url%252525252Fauth%252525252Fresource%252525252F14%252525253Fredirect%252525253Dhttps%25252525253A%25252525252F%25252525252Fpangolin.url%25252525252Fauth%25252525252Fresource%25252525252F14%25252525253Fredirect%25252525253Dhttps%2525252525253A%2525252525252F%2525252525252Fpangolin.url%2525252525252Fauth%2525252525252Fresource%2525252525252F14%2525252525253Fredirect%2525252525253Dhttps%252525252525253A%252525252525252F%252525252525252Fpangolin.url%252525252525252Fauth%252525252525252Fresource%252525252525252F14%252525252525253Fredirect%252525252525253Dhttps%25252525252525253A%25252525252525252F%25252525252525252Fpangolin.url%25252525252525252Fauth%25252525252525252Fresource%25252525252525252F14%25252525252525253Fredirect%25252525252525253Dhttps%2525252525252525253A%2525252525252525252F%2525252525252525252Fpangolin.url%2525252525252525252Fauth%2525252525252525252Fresource%2525252525252525252F14%2525252525252525253Fredirect%2525252525252525253Dhttps%252525252525252525253A%252525252525252525252F%252525252525252525252Fpangolin.url%252525252525252525252Fauth%252525252525252525252Fresource%252525252525252525252F14%252525252525252525253Fredirect%252525252525252525253Dhttps%25252525252525252525253A%25252525252525252525252F%25252525252525252525252Fpangolin.url%25252525252525252525252Fauth%25252525252525252525252Fresource%25252525252525252525252F14%25252525252525252525253Fredirect%25252525252525252525253Dhttps%2525252525252525252525253A%2525252525252525252525252F%2525252525252525252525252Fpangolin.url%2525252525252525252525252Fauth%2525252525252525252525252Fresource%2525252525252525252525252F14%2525252525252525252525253Fredirect%2525252525252525252525253Dhttps%252525252525252525252525253A%252525252525252525252525252F%252525252525252525252525252Fpangolin.url%252525252525252525252525252Fauth%252525252525252525252525252Fresource%252525252525252525252525252F14%252525252525252525252525253Fredirect%252525252525252525252525253Dhttps%25252525252525252525252525253A%25252525252525252525252525252F%25252525252525252525252525252Fpangolin.url%25252525252525252525252525252Fauth%25252525252525252525252525252Fresource%25252525252525252525252525252F14%25252525252525252525252525253Fredirect%25252525252525252525252525253Dhttps%2525252525252525252525252525253A%2525252525252525252525252525252F%2525252525252525252525252525252Fpangolin.url%2525252525252525252525252525252Fauth%2525252525252525252525252525252Fresource%2525252525252525252525252525252F14%2525252525252525252525252525253Fredirect%2525252525252525252525252525253Dhttps%252525252525252525252525252525253A%252525252525252525252525252525252F%252525252525252525252525252525252Fpangolin.url%252525252525252525252525252525252Fauth%252525252525252525252525252525252Fresource%252525252525252525252525252525252F14%252525252525252525252525252525253Fredirect%252525252525252525252525252525253Dhttps%25252525252525252525252525252525253A%25252525252525252525252525252525252F%25252525252525252525252525252525252Fpangolin.url%25252525252525252525252525252525252Fauth%25252525252525252525252525252525252Fresource%25252525252525252525252525252525252F14%25252525252525252525252525252525253Fredirect%25252525252525252525252525252525253Dhttps%2525252525252525252525252525252525253A%2525252525252525252525252525252525252F%2525252525252525252525252525252525252Fpangolin.url%2525252525252525252525252525252525252Fauth%2525252525252525252525252525252525252Fresource%2525252525252525252525252525252525252F14%2525252525252525252525252525252525253Fred

Can't see anything in the logs relating to this. The only fix is to delete that resource from the database directly.

Should the domain control be mandatory? I believe the behaviour recently changed, so it is now relatively easy to enter a correct domain as below, but without it actually being selected:

vs

Originally created by @srgustafson8 on GitHub (Jul 27, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1143 Originally assigned to: @miloschwartz on GitHub. Running v1.7.3, recently upgraded from v1.5.x Docker Compose running on AWS Lightsail I triggered a strange error today where I created a new resource but never selected/added the domain as below: <img width="530" height="248" alt="Image" src="https://github.com/user-attachments/assets/cbae75e3-f9c1-400a-b9e2-c1e271f35fc8" /> The resource creates successfully, but then causes the app go into a redirect loop - any request made goes into a loop like this (real url obfuscated) ```text https://pangolin.url/auth/resource/14?redirect=https%3A%2F%2Fpangolin.url%2Fauth%2Fresource%2F14%3Fredirect%3Dhttps%253A%252F%252Fpangolin.url%252Fauth%252Fresource%252F14%253Fredirect%253Dhttps%25253A%25252F%25252Fpangolin.url%25252Fauth%25252Fresource%25252F14%25253Fredirect%25253Dhttps%2525253A%2525252F%2525252Fpangolin.url%2525252Fauth%2525252Fresource%2525252F14%2525253Fredirect%2525253Dhttps%252525253A%252525252F%252525252Fpangolin.url%252525252Fauth%252525252Fresource%252525252F14%252525253Fredirect%252525253Dhttps%25252525253A%25252525252F%25252525252Fpangolin.url%25252525252Fauth%25252525252Fresource%25252525252F14%25252525253Fredirect%25252525253Dhttps%2525252525253A%2525252525252F%2525252525252Fpangolin.url%2525252525252Fauth%2525252525252Fresource%2525252525252F14%2525252525253Fredirect%2525252525253Dhttps%252525252525253A%252525252525252F%252525252525252Fpangolin.url%252525252525252Fauth%252525252525252Fresource%252525252525252F14%252525252525253Fredirect%252525252525253Dhttps%25252525252525253A%25252525252525252F%25252525252525252Fpangolin.url%25252525252525252Fauth%25252525252525252Fresource%25252525252525252F14%25252525252525253Fredirect%25252525252525253Dhttps%2525252525252525253A%2525252525252525252F%2525252525252525252Fpangolin.url%2525252525252525252Fauth%2525252525252525252Fresource%2525252525252525252F14%2525252525252525253Fredirect%2525252525252525253Dhttps%252525252525252525253A%252525252525252525252F%252525252525252525252Fpangolin.url%252525252525252525252Fauth%252525252525252525252Fresource%252525252525252525252F14%252525252525252525253Fredirect%252525252525252525253Dhttps%25252525252525252525253A%25252525252525252525252F%25252525252525252525252Fpangolin.url%25252525252525252525252Fauth%25252525252525252525252Fresource%25252525252525252525252F14%25252525252525252525253Fredirect%25252525252525252525253Dhttps%2525252525252525252525253A%2525252525252525252525252F%2525252525252525252525252Fpangolin.url%2525252525252525252525252Fauth%2525252525252525252525252Fresource%2525252525252525252525252F14%2525252525252525252525253Fredirect%2525252525252525252525253Dhttps%252525252525252525252525253A%252525252525252525252525252F%252525252525252525252525252Fpangolin.url%252525252525252525252525252Fauth%252525252525252525252525252Fresource%252525252525252525252525252F14%252525252525252525252525253Fredirect%252525252525252525252525253Dhttps%25252525252525252525252525253A%25252525252525252525252525252F%25252525252525252525252525252Fpangolin.url%25252525252525252525252525252Fauth%25252525252525252525252525252Fresource%25252525252525252525252525252F14%25252525252525252525252525253Fredirect%25252525252525252525252525253Dhttps%2525252525252525252525252525253A%2525252525252525252525252525252F%2525252525252525252525252525252Fpangolin.url%2525252525252525252525252525252Fauth%2525252525252525252525252525252Fresource%2525252525252525252525252525252F14%2525252525252525252525252525253Fredirect%2525252525252525252525252525253Dhttps%252525252525252525252525252525253A%252525252525252525252525252525252F%252525252525252525252525252525252Fpangolin.url%252525252525252525252525252525252Fauth%252525252525252525252525252525252Fresource%252525252525252525252525252525252F14%252525252525252525252525252525253Fredirect%252525252525252525252525252525253Dhttps%25252525252525252525252525252525253A%25252525252525252525252525252525252F%25252525252525252525252525252525252Fpangolin.url%25252525252525252525252525252525252Fauth%25252525252525252525252525252525252Fresource%25252525252525252525252525252525252F14%25252525252525252525252525252525253Fredirect%25252525252525252525252525252525253Dhttps%2525252525252525252525252525252525253A%2525252525252525252525252525252525252F%2525252525252525252525252525252525252Fpangolin.url%2525252525252525252525252525252525252Fauth%2525252525252525252525252525252525252Fresource%2525252525252525252525252525252525252F14%2525252525252525252525252525252525253Fred ``` Can't see anything in the logs relating to this. The only fix is to delete that resource from the database directly. Should the domain control be mandatory? I believe the behaviour recently changed, so it is now relatively easy to enter a correct domain as below, but without it actually being selected: <img width="777" height="246" alt="Image" src="https://github.com/user-attachments/assets/b98a59b3-ee6a-47af-82ef-014a668a7547" /> vs <img width="755" height="123" alt="Image" src="https://github.com/user-attachments/assets/6c0eb7b8-0772-4460-a2ba-f3e589f8795d" />

GiteaMirror closed this issue 2026-04-25 15:29:04 -05:00

GiteaMirror commented 2026-04-25 15:29:05 -05:00

Author

Owner

Copy Link

@miloschwartz commented on GitHub (Jul 31, 2025):

1.8.0 makes the domain a requirement. Let me know if this is fixed!

<!-- gh-comment-id:3140842915 --> @miloschwartz commented on GitHub (Jul 31, 2025): 1.8.0 makes the domain a requirement. Let me know if this is fixed!

GiteaMirror commented 2026-04-25 15:29:06 -05:00

Author

Owner

Copy Link

@srgustafson8 commented on GitHub (Aug 1, 2025):

@miloschwartz will give this a test later, thanks!

<!-- gh-comment-id:3143755544 --> @srgustafson8 commented on GitHub (Aug 1, 2025): @miloschwartz will give this a test later, thanks!

GiteaMirror commented 2026-04-25 15:29:07 -05:00

Author

Owner

Copy Link

@srgustafson8 commented on GitHub (Aug 3, 2025):

@miloschwartz fixes the problem by preventing creation of the resource without a domain - although to me it's lacking some some UI feedback as to why the creation doesn't work - just seems to do nothing when you click the button. Either way this issue is resolved! Thank you

<!-- gh-comment-id:3148513153 --> @srgustafson8 commented on GitHub (Aug 3, 2025): @miloschwartz fixes the problem by preventing creation of the resource without a domain - although to me it's lacking some some UI feedback as to why the creation doesn't work - just seems to do nothing when you click the button. Either way this issue is resolved! Thank you

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-94425a55d0

dependabot/npm_and_yarn/dev-minor-updates-4aaf4dbce4

dependabot/go_modules/install/minor-updates-a249525a56

crowdin_dev

auto-update

dev

fix-site-delete

fix-3104

exit-node-reconnect

fix-logoUrl

button-to-rebuild-association

rdp-ssh

dependabot/npm_and_yarn/brace-expansion-5.0.6

copilot/fix-documentation-input-output-types

dependabot/github_actions/sigstore/cosign-installer-4.1.2

redis

resource-policies

dependabot/npm_and_yarn/next-15.5.18

dependabot/npm_and_yarn/fast-uri-3.1.2

s3

dependabot/npm_and_yarn/fast-xml-builder-1.2.0

dependabot/npm_and_yarn/axios-1.15.2

dependabot/npm_and_yarn/next-intl-4.9.2

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

cross-org-idp

breakout-sites-tables

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.4

1.18.3

1.18.2

1.18.1

1.18.0

1.18.0-rc.0

1.17.1

1.17.0

1.17.0-rc.0

1.16.2

1.16.1

1.16.0

1.16.0-rc.0

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.15.0-rc.0

1.14.1

1.14.0

1.14.0-rc.0

1.13.1

1.13.0

1.13.0-rc.0

1.12.3

1.12.2

1.12.1

1.12.0

1.12.0-rc.0

1.11.1

1.11.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#6576