2.4 - rev c74193e - 403 Invalid signature when we click on the url to verify the email #3714

Closed
anthosz opened this issue Jul 19, 2019 · 42 comments · Fixed by #3823
Labels: Bug, Bugs with Cachet, Subscriptions
Milestone: V2.4.0

Comments

@anthosz commented Jul 19, 2019

Hello,

With the latest release of Cachet (2.4), we get this 403 when we try to verify the email subscription:

Error 403
Invalid signature.
Forbidden
What does this mean?

Something went wrong on our servers while we were processing your request. Invalid signature. This occurrence has been logged, and a highly trained team of monkeys has been dispatched to deal with your problem. We're really sorry about this, and will work hard to get this resolved as soon as possible.

Moreover, the email shows as "verified" in the subscribers tab.

If I roll back to 8f91f6d (23 June), it works.

jbrooksuk added the Bug, Bugs with Cachet, Subscriptions labels Jul 19, 2019
jbrooksuk added this to the V2.4.0 milestone Jul 19, 2019
@jbrooksuk (Member)

I shall investigate this tonight. Apologies for the bug!

@jbrooksuk (Member)

@anthosz it's working locally 🤔

How long after the email was sent are you clicking the link?

@anthosz (Author) commented Jul 19, 2019

@jbrooksuk less than 1 minute; I can reproduce it on 2 different instances

@jbrooksuk (Member)

Can you send me your .env file (happy for you to email me at [email protected]) and remove any sensitive information.

@peterlewis (Contributor)

Have also seen this issue with a newly-installed build today. Looks to be reproducible by selecting 'Edit' on an unverified user from within the dashboard.

@drehimself

Also getting the same error message in a newly installed app. Running it locally, so here's my .env file:

APP_ENV=local
APP_DEBUG=true
APP_URL=http://cachet.test
APP_TIMEZONE=UTC
APP_KEY=base64:CGvJo3Kb7gIvfa/YoWxkMn2GxqVguGdV7ENMVACtU2A=
DEBUGBAR_ENABLED=false

DB_DRIVER=mysql
DB_HOST=localhost
DB_UNIX_SOCKET=null
DB_DATABASE=cachet
DB_USERNAME=root
DB_PASSWORD=
DB_PORT=null
DB_PREFIX=null

CACHE_DRIVER=database
SESSION_DRIVER=database
QUEUE_DRIVER=database

CACHET_BEACON=true
CACHET_EMOJI=false
CACHET_AUTO_TWITTER=true

MAIL_DRIVER=log
MAIL_HOST=
MAIL_PORT=null
MAIL_USERNAME=
MAIL_PASSWORD=
MAIL_ADDRESS=
MAIL_NAME=null
MAIL_ENCRYPTION=tls

REDIS_HOST=null
REDIS_DATABASE=null
REDIS_PORT=null

GITHUB_TOKEN=null

NEXMO_KEY=null
NEXMO_SECRET=null
NEXMO_SMS_FROM=Cachet

TRUSTED_PROXIES=

@warwickw commented Aug 2, 2019

Getting the same error when verifying the email address.
Same if I try to edit the subscriber in the dashboard.

Running on a new 2.4.0 install done today.

@TheBags commented Aug 14, 2019

Hi,
I have the same problem here.
New installation of 2.4.0-dev, installed 5 minutes ago.

This is my .env:

APP_ENV="production"
APP_DEBUG="true"
APP_URL="http://localhost"
APP_LOG="errorlog"
APP_KEY="base64:xxxxxxxxxx"

DB_DRIVER="pgsql"
DB_HOST="postgres"
DB_DATABASE="postgres"
DB_USERNAME="postgres"
DB_PASSWORD="postgres"
DB_PORT="5432"

DOCKER=true

CACHE_DRIVER="apc"


QUEUE_DRIVER="database"

CACHET_EMOJI="false"
CACHET_BEACON="true"
CACHET_AUTO_TWITTER="true"

MAIL_DRIVER="smtp"
MAIL_HOST="smtp-relay.sendinblue.com"
MAIL_PORT="587"
MAIL_USERNAME="xxxxxxxxxx"
MAIL_PASSWORD="xxxxxxxxxx"
MAIL_ADDRESS="[email protected]"



NEXMO_SMS_FROM="Cachet"

(screenshot of the "Invalid signature" error page)

@jbrooksuk (Member)

Apologies for the delay, I've recently started a new job so I've been a bit busy.

This is a really weird issue because it works locally, but I'll keep looking.

@TheBags commented Aug 14, 2019

In the "subscribers" tab the user is nevertheless in the "Verified" state.
So the verification is carried out and recorded in the DB, even though the error is shown.

@jbrooksuk (Member)

Out of interest, can someone send me a slightly modified link for their verification URL, please? I’m wondering if the URL is being modified by your email services?

@pmkakaci

Hello everyone,
I made a clean install of version 2.4 and I have the same issue. The verification mail is sent correctly, but the link goes directly to a 403. Same issue with managing subscriptions: I can choose items, but when I want to validate the selection I get a 403.
Another thing: if I want to modify a verified/new user in the dashboard, I get a 403 too when I click on manage.
I'm available for some tests if you need.
Kind regards,

@harleyc commented Aug 21, 2019

I have the same issue as pmkakaci.
Any ideas?

@pmkakaci

Any update on this issue?
Kind regards,

@ejbogantes

It's happening to me too. If I have some time later maybe I will take a look.

Regards.

@MrTechQc

Hello,

Same issue here.

Kind regards,

@KelvinVenancio

Hello All,

Same problem here. Any updates?

Thank you!

@Mintux commented Aug 29, 2019

Hello,

I can confirm this error in the current 2.4 version. The verification link is not modified.
Would be great to get this fixed, as we had to deactivate subscriptions for now.

Thanks.

@harleyc commented Sep 5, 2019

Hi Team, Any updates?

@pmkakaci commented Sep 9, 2019

Hi @jbrooksuk, did you have time to take a look at it?
Kind regards,

@harleyc commented Sep 17, 2019

Bump, Hi Team, Any updates?

@oxi0 commented Sep 19, 2019

Hi,

I think I've found the issue:
When I extend the GET variable "signature" in the URL, it works.

I hope this helps you to fix the problem!

@harleyc commented Sep 19, 2019

> Hi,
>
> I think I've found the issue:
> When I extend the GET variable "signature" in the URL, it works.
>
> I hope this helps you to fix the problem!

Thank you apentermann, can you please give me some more information on how to do this?

@harleyc commented Sep 26, 2019

Bump, Any updates?

@clmssz commented Sep 26, 2019

Same here when trying to edit a subscriber - 2.4

@ghost commented Sep 28, 2019

Same issue, 403 Forbidden - Invalid Signature, when trying to manage subscriber, Cachet v2.4

@nalysius (Contributor)

@jbrooksuk I am able to reproduce it on my machine. Here is the data I have, if it can help you.

Cachet version: 2.4 - 212d807.
Mail driver: log.
Mail content:

[2019-09-27 13:08:29] development.DEBUG: Message-ID: <b6203d481cf9709d1d4e723f5fafeaeb@cachet-2-4.local>
Date: Fri, 27 Sep 2019 13:08:29 +0000
Subject: Verify Your Subscription
From: Cachet <cachet-local@dev.local>
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="_=_swift_1569589709_b794720a9ecab40442ff8f31735a4d3c_=_"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #f5f8fa; color: #74787E; height: 100%; hyphens: auto; line-height: 1.4; margin: 0; -moz-hyphens: auto; -ms-word-break: break-all; width: 100% !important; -webkit-hyphens: auto; -webkit-text-size-adjust: none; word-break: break-word;">
    <style>
        @media  only screen and (max-width: 600px) {
            .inner-body {
                width: 100% !important;
            }

            .footer {
                width: 100% !important;
            }
        }

        @media  only screen and (max-width: 500px) {
            .button {
                width: 100% !important;
            }
        }
    </style>

    <table class="wrapper" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #f5f8fa; margin: 0; padding: 0; width: 100%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%;">
        <tr>
            <td align="center" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
                <table class="content" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; margin: 0; padding: 0; width: 100%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%;">
                    <tr>
    <td class="header" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; padding: 25px 0; text-align: center;">
        <a href="http://cachet-2-4.local" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #bbbfc3; font-size: 19px; font-weight: bold; text-decoration: none; text-shadow: 0 1px 0 white;">
            Cachet 2.4 Dev
        </a>
    </td>
</tr>

                    <!-- Email Body -->
                    <tr>
                        <td class="body" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #FFFFFF; border-bottom: 1px solid #EDEFF2; border-top: 1px solid #EDEFF2; margin: 0; padding: 0; width: 100%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%;">
                            <table class="inner-body" align="center" width="570" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; background-color: #FFFFFF; margin: 0 auto; padding: 0; width: 570px; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 570px;">
                                <!-- Body content -->
                                <tr>
                                    <td class="content-cell" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; padding: 35px;">
                                        <h1 style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #2F3133; font-size: 19px; font-weight: bold; margin-top: 0; text-align: left;">Verify your subscription to  status page.</h1>
<table class="action" align="center" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; margin: 30px auto; padding: 0; text-align: center; width: 100%; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 100%;">
    <tr>
        <td align="center" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
            <table width="100%" border="0" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
                <tr>
                    <td align="center" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
                        <table border="0" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
                            <tr>
                                <td style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
                                    <a href="http://cachet-2-4.local/subscribe/verify/TrwzUW7g0hbmFv8NAtYfLKPMixcSALD6aYC8wjw9LI?signature=1c8181eef6a0bdc22fe7a9166023c2d02bcf1e0211eab62794306be6f6ff6b7f" class="button button-primary" target="_blank" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; border-radius: 3px; box-shadow: 0 2px 3px rgba(0, 0, 0, 0.16); color: #FFF; display: inline-block; text-decoration: none; -webkit-text-size-adjust: none; background-color: #3097D1; border-top: 10px solid #3097D1; border-right: 18px solid #3097D1; border-bottom: 10px solid #3097D1; border-left: 18px solid #3097D1;">Verify</a>
                                </td>
                            </tr>
                        </table>
                    </td>
                </tr>
            </table>
        </td>
    </tr>
</table>
<p style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #74787E; font-size: 16px; line-height: 1.5em; margin-top: 0; text-align: left;">Click to verify your subscription to  status page.</p>
<p style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #74787E; font-size: 16px; line-height: 1.5em; margin-top: 0; text-align: left;">Regards,<br>Cachet 2.4 Dev</p>
<table class="subcopy" width="100%" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; border-top: 1px solid #EDEFF2; margin-top: 25px; padding-top: 25px;">
    <tr>
        <td style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
            <p style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #74787E; line-height: 1.5em; margin-top: 0; text-align: left; font-size: 12px;">If you’re having trouble clicking the "Verify" button, copy and paste the URL below
into your web browser: <a href="http://cachet-2-4.local/subscribe/verify/TrwzUW7g0hbmFv8NAtYfLKPMixcSALD6aYC8wjw9LI?signature=1c8181eef6a0bdc22fe7a9166023c2d02bcf1e0211eab62794306be6f6ff6b7f" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; color: #3869D4;">http://cachet-2-4.local/subscribe/verify/TrwzUW7g0hbmFv8NAtYfLKPMixcSALD6aYC8wjw9LI?signature=1c8181eef6a0bdc22fe7a9166023c2d02bcf1e0211eab62794306be6f6ff6b7f</a></p>
        </td>
    </tr>
</table>


                                    </td>
                                </tr>
                            </table>
                        </td>
                    </tr>

                    <tr>
    <td style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box;">
        <table class="footer" align="center" width="570" cellpadding="0" cellspacing="0" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; margin: 0 auto; padding: 0; text-align: center; width: 570px; -premailer-cellpadding: 0; -premailer-cellspacing: 0; -premailer-width: 570px;">
            <tr>
                <td class="content-cell" align="center" style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; padding: 35px;">
                    <p style="font-family: Avenir, Helvetica, sans-serif; box-sizing: border-box; line-height: 1.5em; margin-top: 0; color: #AEAEAE; font-size: 12px; text-align: center;">© 2019 Cachet 2.4 Dev. All rights reserved.</p>
                </td>
            </tr>
        </table>
    </td>
</tr>
                </table>
            </td>
        </tr>
    </table>
</body>
</html>

Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

[Cachet 2.4 Dev](http://cachet-2-4.local)

# Verify your subscription to  status page.

Verify: http://cachet-2-4.local/subscribe/verify/TrwzUW7g0hbmFv8NAtYfLKPMixcSALD6aYC8wjw9LI?signature=1c8181eef6a0bdc22fe7a9166023c2d02bcf1e0211eab62794306be6f6ff6b7f

Click to verify your subscription to  status page.

Regards,Cachet 2.4 Dev

If you’re having trouble clicking the "Verify" button, copy and paste the URL below
into your web browser:
[http://cachet-2-4.local/subscribe/verify/TrwzUW7g0hbmFv8NAtYfLKPMixcSALD6aYC8wjw9LI?signature=1c8181eef6a0bdc22fe7a9166023c2d02bcf1e0211eab62794306be6f6ff6b7f](http://cachet-2-4.local/subscribe/verify/TrwzUW7g0hbmFv8NAtYfLKPMixcSALD6aYC8wjw9LI?signature=1c8181eef6a0bdc22fe7a9166023c2d02bcf1e0211eab62794306be6f6ff6b7f)

Every URL to verify the subscription is signed and the signature is invalid. That's quite strange since Laravel generates the hash (sha256) based on the route name, a key generator and the parameters. It would be useful to log every parameter when the URL is generated, to find a difference.

@wagnst commented Sep 29, 2019

Same issue on the latest 2.4.0-dev when using normal SMTP. The PHP log doesn't show any errors other than:

172.24.0.3 - - [29/Sep/2019:11:07:37 +0000] "GET /subscribe/verify/Dh2HaYmcF7AarCOPuDAcSbT8WvcqAXdKTzwY3Vm2qE?signature=37e51aa9ed7501b444cf2a7c447687f6201050558214699e647f742ad073ac13 HTTP/1.1" 302 596 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" "x.x.x.x"
172.24.0.3 - - [29/Sep/2019:11:07:37 +0000] "GET /subscribe/manage/Dh2HaYmcF7AarCOPuDAcSbT8WvcqAXdKTzwY3Vm2qE HTTP/1.1" 403 1290 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0" "x.x.x.x"

After the click its still showing verified in the backend.

Any update here?

@harleyc commented Oct 4, 2019

Bump, Any updates?

@MrTechQc commented Oct 5, 2019

We have tried a bunch of things, yet nothing seems to fix it.

We are seriously considering another solution since this bug has made our status platform useless for 2+ months :/

@azielke commented Oct 6, 2019

It seems like the route uses the signed middleware but the generated URLs are not signed.
Removing the middleware from SubscribeRoutes.php seems to work as a hotfix.

This Line: https://github.com/CachetHQ/Cachet/blob/212d8076535894e41876bc472964afe9375c46e6/app/Http/Routes/SubscribeRoutes.php#L53

Verification seems to work, as the signature is appended, but the user is redirected to manage (without a signature), where it results in an error.
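The comments from @nalysius (Laravel signs the verification URL with a SHA-256 hash), @wagnst (the access log: the signed verify request returns 302 and the following unsigned /subscribe/manage/<code> request returns 403) and @azielke (the route carries the `signed` middleware, but the redirect target is built without a signature) all describe the same failure. The Python model below is an added illustration and is not code from Cachet or Laravel. It follows the scheme Laravel's UrlGenerator uses, HMAC-SHA256 over the fully qualified URL keyed with APP_KEY, the hex digest carried in a `signature` query parameter and an optional `expires` timestamp, and then walks through the verify-then-redirect sequence. The hostname, key and subscriber code are constructed; query-parameter ordering is simplified (Laravel signs the parameters in the order its route() helper emits them after ksort(), and verifies them in the order the request presents them, so reordering also fails). One caveat a practitioner should take from this: APP_KEY is the HMAC key for every signed link, so a real key pasted into a bug report, as in one of the .env files above, lets anyone mint valid verify and manage links for any subscriber code.

```python
"""Model of Laravel-style signed URLs, showing why Cachet's verify link
passes the `signed` middleware but the redirect to /subscribe/manage/<code>
is rejected with 403 "Invalid signature".

Added example, not Cachet's or Laravel's code. Key handling and query
ordering are simplified relative to Laravel's UrlGenerator.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed key standing in for APP_KEY. Laravel passes the configured
# string (including the "base64:" prefix) straight to hash_hmac, so no
# decoding is done here either. Whoever holds this value can mint links.
APP_KEY = "base64:EXAMPLEKEYdoNotUseThisInProduction0000000000="
BASE_URL = "http://status.example.test"  # constructed hostname


def _canonical(parts, params):
    """Rebuild the URL without a signature: this is the string that is signed."""
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), ""))


def sign_url(url, key, expires=None):
    """Append a `signature` parameter, the equivalent of URL::signedRoute()
    (or URL::temporarySignedRoute() when `expires` is given)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if expires is not None:
        params["expires"] = str(int(expires))
    ordered = sorted(params.items())  # like Laravel's ksort() before signing
    digest = hmac.new(key.encode(), _canonical(parts, ordered).encode(),
                      hashlib.sha256).hexdigest()
    return _canonical(parts, ordered + [("signature", digest)])


def has_valid_signature(url, key, now=None):
    """What the `signed` middleware checks before letting the request through."""
    parts = urlsplit(url)
    presented = ""
    rest = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "signature":
            presented = value
        else:
            rest.append((name, value))
    expected = hmac.new(key.encode(), _canonical(parts, rest).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison, as PHP's hash_equals() provides.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    expires = dict(rest).get("expires")
    if expires is not None:
        now = int(time.time()) if now is None else int(now)
        if now > int(expires):
            return False
    return True


def cachet_flow(code, key=APP_KEY):
    """Reproduce the thread's observation: the signed verify link passes,
    the unsigned manage redirect that follows it fails, and a signed manage
    URL (what the workaround generates) would pass."""
    verify_url = sign_url(f"{BASE_URL}/subscribe/verify/{code}", key)
    manage_unsigned = f"{BASE_URL}/subscribe/manage/{code}"  # redirect target as built
    manage_signed = sign_url(manage_unsigned, key)           # redirect target when signed
    # Same signature presented for a different subscriber code: must be rejected.
    tampered = verify_url.replace(f"/verify/{code}?", f"/verify/{code}x?")
    return {
        "verify": has_valid_signature(verify_url, key),
        "manage_unsigned": has_valid_signature(manage_unsigned, key),
        "manage_signed": has_valid_signature(manage_signed, key),
        "tampered": has_valid_signature(tampered, key),
    }


if __name__ == "__main__":
    # Constructed subscriber code; the real ones are random strings of the same shape.
    for name, ok in cachet_flow("TrwzUW7g0hbmFv8NAtYfLKPMixcSALD6aYC8wjw9LI").items():
        print(f"{name:16} -> {'200' if ok else '403 Invalid signature'}")
```

Running it prints one line per URL; the `manage_unsigned` line is the 403 the thread reports, and it stays a 403 no matter how quickly the link is clicked, because no signature is present to check. The same verifier also answers the question asked at the top of the thread: if a mail gateway rewrote or re-encoded the verify link, or reordered its query parameters, the `verify` line would flip to 403 as well, so a clean verify followed by a failing manage points at the redirect rather than at the mail path.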

@Gajack33

any updates?

@maddprof

Per the OP's original comment on this, commit 8f91f6d indeed still works.

You can update the Dockerfile with this configuration to grab this release at build:

ENV cachet_ver ${cachet_ver:-8f91f6d92f536745e09ecad36c05cbbf0f992185}
ENV archive_url ${archive_url:-https://github.com/cachethq/Cachet/archive/${cachet_ver}.tar.gz}

@harleyc commented Oct 15, 2019

Bump.

@anthosz (Author) commented Oct 18, 2019

@craigballinger @jbrooksuk I confirm that we can now validate the email but cannot change our subscriptions.

When we want to modify them, we have the same issue once we want to confirm the changes (Invalid signature)

@gcommit commented Dec 2, 2019

Any updates on this? We all have the same issue >.<

@wagnst commented Dec 5, 2019

> Any updates on this? We all have the same issue >.<

For me the latest state (2.4) works fine.

@anthosz (Author) commented Dec 5, 2019

Same for me (works well)

@gcommit commented Dec 10, 2019

I just checked. I am on the latest release, but it doesn't work for me.

@kcan commented May 7, 2020

I have a similar problem when clicking "Manage subscription" from the notification.

@gcommit commented May 7, 2020

I found a workaround for me. Maybe this helps you:

+ use Illuminate\Support\Facades\URL; (Line 34)
- return cachet_redirect('subscribe.manage', $code) (Line 123, 212, 218)
+ return redirect()->to(URL::signedRoute(cachet_route_generator('subscribe.manage'), ['code' => $code])) (Line 123, 212, 218)
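Review bot: the replacement `redirect()->to(URL::signedRoute(cachet_route_generator('subscribe.manage'), ['code' => $code]))` is duplicated verbatim at the three call sites listed (lines 123, 212, 218); it belongs in one helper next to `cachet_redirect` so that every redirect to a route behind the `signed` middleware is signed the same way and a fourth call site cannot be missed. It also only fixes the controller redirects: the dashboard "edit subscriber" link that this comment reports as still returning 403 is generated elsewhere, so that link needs the same `URL::signedRoute` treatment (or the `signed` middleware must not apply to the dashboard path) before the workaround is complete.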

BUT, if you login as admin and try to edit subs, still results in 403
