Is authentication on Collabora 6.4 broken?

First up, there doesn’t seem to be a Collabora forum (in the usual sense) for discussing issues. I find this odd. Issues can be reported on GitHub here (also accessible via the Collabora Online - Community Page)

So, I’ve had Collabora 4.x working forever with Nextcloud 18 and 19. Last night, I had a look at the Collabora portal at https://collabora.mydomain.com/loleaflet/dist/admin/admin.html and thought ‘That’s nice, but it looks different from what I have previously seen. There must have been a fairly recent update.’


Checking my update logs for the Collabora Docker container, I note there were four CODE updates since Sept 25. This coincided with the announcement on Sept 24 of CODE 6.4 and a jump from CODE 4.2.7.

The new CODE admin dashboard has the facility to shut down the CODE server.


‘That’s new’ I thought and then it dawned on me that I wasn’t presented with an authentication prompt to access the admin console. This was set up originally in the docker-compose.yml and worked for CODE 4.x.

```yaml
version: '3.3'
services:
  code:
    ports:
      - '9980:9980'
    container_name: collabora-code
    environment:
      - domain=cloud\.mydomain\.com
      - server_name=collabora\.mydomain\.com
      - username=admin
      - password=alakazam
      - 'extra_params=--o:ssl.enable=false --o:ssl.termination=true'
    restart: always
    image: collabora/code
```

Checking the Collabora container log (`sudo docker logs -f collabora-code`), I see the following errors once the CODE server becomes available:

```
wsd-00006-00006 2020-10-20 03:40:02.123015 [ loolwsd ] INF  WSD initialization complete: setting log-level to [warning] as configured.| wsd/LOOLWSD.cpp:3990
Ready to accept connections on port 9980.

wsd-00006-00043 2020-10-20 03:40:09.420116 [ websrv_poll ] WRN  client - server version mismatch, disabling browser cache. Expected: 6ad9d47| wsd/FileServer.cpp:285
wsd-00006-00043 2020-10-20 03:40:09.453557 [ websrv_poll ] ERR  FileServerRequestHandler::NotAuthenticated: No authentication information found| wsd/FileServer.cpp:476
```

It appears to me that the built-in authentication proxy has broken and the admin console has become a security risk.

Observations:

  1. After extensive experimentation, I note I can get a login prompt if the password is `secret`, which seems really bizarre to me. If I try setting any other password, I get no login prompt.

  2. There’s no facility to log out of the admin console.

EDIT: For the moment, I’ve addressed the issue by placing the admin console behind an authentication proxy that is independent of Collabora.

Persevering behind the scenes, I also notice that the built-in authentication proxy does not accept special characters in the password. I tried with a password that had an asterisk and an ampersand in it and this is what I saw in the Collabora log when starting the container.

```
SAXParseException: Invalid token in '/etc/loolwsd/loolwsd.xml', line 176 column 155
```

Avoiding special characters allows the Collabora startup to complete successfully; however, the issue with the built-in authentication proxy persists.

Well, I’m going to have to revise this down. It appears there’s some caching issue happening, which I haven’t isolated. Clearing the browser cache doesn’t resolve the issue, but after a reboot, I am presented with the login prompt for the admin console.

Still, there are those (minor?) auxiliary issues:

  1. There’s no logout facility for the admin console; and
  2. Collabora doesn’t support special characters in the password.
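
The SAXParseException above is consistent with the password being written into loolwsd.xml without XML escaping; that is an assumption about the container's startup behaviour, which the post does not confirm. The added example below (not part of the original post and not Collabora's code) uses a constructed config fragment and hypothetical helper names to show a raw ampersand making the file unparseable, and a pre-flight check that flags such passwords.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed fragment for illustration. The element names are an assumption
# modelled on an admin console section, not copied from the real loolwsd.xml.
TEMPLATE = (
    "<config><admin_console>"
    "<username>{username}</username>"
    "<password>{password}</password>"
    "</admin_console></config>"
)


def render_raw(username, password):
    """Plain text substitution with no escaping (the assumed failure mode)."""
    return TEMPLATE.format(username=username, password=password)


def render_escaped(username, password):
    """Same substitution, but with XML character data escaped first."""
    return TEMPLATE.format(username=escape(username), password=escape(password))


def parse_password(xml_text):
    """Return the password the XML parser sees, or None if the file is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.findtext("admin_console/password")


def unsafe_chars(password):
    """Characters that cannot appear literally in XML character data."""
    return sorted(set(password) & set("&<"))


if __name__ == "__main__":
    candidate = "ab*cd&ef"  # constructed sample with an asterisk and an ampersand
    print("flagged characters:", unsafe_chars(candidate))
    print("raw substitution parses to:", parse_password(render_raw("admin", candidate)))
    print("escaped substitution parses to:", parse_password(render_escaped("admin", candidate)))
```

In this model only the ampersand breaks parsing; the asterisk is valid XML character data, so any trouble it causes would have to come from a different step than the XML parser.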