Trouble with auth-do-sign-in

Hi,

I am running the new rstudio server and trying to set up the app on open ondemand but I keep running into the auth-do-sign-in error. The connection.yml file is generated successfully but on using the chrome inspect tool, there is no form parsed. I’ve tried checking all topics and still haven’t been able to resolve this.

Hi and welcome!

That’s a GET request, thus there’s not body. form elements should default to POST, but even so, it looks like we set method="post" in our application.

That’s right, I figured that could be the problem after reading a couple of posts. But I’ve still not been able to get around it.
If it helps, I can share the content of my files to confirm.

submit file

# /var/www/ood/apps/sys/rstudio/submit.yml.erb
---
batch_connect:
  template: "basic"
  set_host: "host=$(hostname)"
  conn_params:
    - csrf_token
    - password
script:
  native:
    - "-p"
    - "<%= bc_queue %>"
    - "-t"
    - "<%= bc_num_hours %>:00:00"
    - "-c"
    - "<%= bc_num_slots %>"
~                              

View:

<script type="text/javascript">
(function () {
  let date = new Date();
  date.setTime(date.getTime() + (1*24*60*60*1000)); // 24 hours
  let expires = "expires=" + date.toUTCString();
  
  // Explicitly target the exact proxy node path for the cookie scope
  let cookiePath = "path=/rnode/<%= host %>/<%= port %>/";
  
  // Generate the double token layout required by RStudio 2024/2026 proxy security
  document.cookie = "csrf-token=<%= csrf_token %>;" + expires + ";" + cookiePath + ";SameSite=Lax;secure";
  document.cookie = "rs-csrf-token=<%= csrf_token %>;" + expires + ";" + cookiePath + ";SameSite=Lax;secure";
})();
</script>

<form action="/rnode/<%= host %>/<%= port %>/auth-do-sign-in" method="post" target="_blank">
  <input type="hidden" name="csrf-token" value="<%= csrf_token %>"/>
  <input type="hidden" name="rs-csrf-token" value="<%= csrf_token %>"/>

  <input type="hidden" name="username" value="<%= ENV["USER"] %>">
  <input type="hidden" name="password" value="<%= password %>">
  <input type="hidden" name="staySignedIn" value="1">
  <input type="hidden" name="appUri" value="/">

  <button class="btn btn-primary" type="submit">
    <i class="fa fa-r-project"></i> Connect to RStudio Server
  </button>
</form>

Before

# rstudio 1.4+ needs a csrf token
csrf_token=<%= SecureRandom.uuid %>

# Export the module function if it exists
<% if context.cluster =~ /kubernetes/ -%>
exec &> >(tee -a "pod.log")

source /etc/profile.d/lmod.sh

source /bin/find_host_port
source /bin/save_passwd_as_secret
password="$PASSWORD"
host="$HOST_CFG"
port="$PORT_CFG"
export SINGULARITY_HOME="$HOME"

/bin/bash /opt/open_ondemand/helpers/k8_helper csrf_token "$csrf_token"

<% else -%>
[[ $(type -t module) == "function" ]] && export -f module

# Find available port to run server on
port=$(find_port ${host})

# Define a password and export it for RStudio authentication
password="$(create_passwd 16)"

<% end -%>

export RSTUDIO_PASSWORD="${password}"

export csrf_token="<%= csrftoken %>"
~                                      

Script:

module load apptainer

# 1. Setup isolated temporary directories
export RSTUDIO_TMP="/tmp/rstudio_${USER}_${SLURM_JOB_ID}"
mkdir -p "$RSTUDIO_TMP/tmp"
mkdir -p "$RSTUDIO_TMP/run"
mkdir -p "$RSTUDIO_TMP/var-lib-rstudio-server"
mkdir -p "$RSTUDIO_TMP/log"

# 2. Create a user-owned database config forcing SQLite
echo "provider=sqlite" > "$RSTUDIO_TMP/database.conf"
echo "directory=/var/lib/rstudio-server" >> "$RSTUDIO_TMP/database.conf"

# 3. Generate the secure cookie
export RSTUDIO_SECRET="$RSTUDIO_TMP/rstudio-cookie-key"
uuidgen > "$RSTUDIO_SECRET"
chmod 600 "$RSTUDIO_SECRET"

# 4. GENERATE THE MISSING RSESSION WRAPPER (The GitHub Fix!)
export RSESSION_WRAPPER_FILE="${PWD}/rsession.sh"
(
umask 077
cat << 'EOL' > "${PWD}/rsession.sh"
#!/usr/bin/env bash

# Log all output from this workspace session
export RSESSION_LOG_FILE="/tmp/rsession.log"
exec &>>"${RSESSION_LOG_FILE}"

echo "Launching rsession..."
set -x
exec rsession "${@}"
EOL
)
chmod 700 "${PWD}/rsession.sh"

# 5. Launch RStudio in strict isolation using our dynamic wrapper
apptainer exec --cleanenv \
  --env RSTUDIO_PASSWORD="${RSTUDIO_PASSWORD}" \
  -B "${HOME}" \
  -B "${PWD}:${PWD}" \
  -B "$RSTUDIO_TMP/tmp:/tmp" \
  -B "$RSTUDIO_TMP/run:/run" \
  -B "$RSTUDIO_TMP/var-lib-rstudio-server:/var/lib/rstudio-server" \
  -B "$RSTUDIO_TMP/log:/var/log/rstudio/rstudio-server" \
  -B "$RSTUDIO_TMP/database.conf:/etc/rstudio/database.conf" \
  /opt/ohpc/pub/images/rstudio.sif \
  rserver \
  --www-port "${port}" \
  --www-address "0.0.0.0" \
  --www-same-site "none" \
  --www-verify-user-agent=0 \
  --auth-none 0 \
  --auth-pam-helper-path "${PWD}/bin/auth" \
  --rsession-path "${RSESSION_WRAPPER_FILE}" \
  --server-daemonize 0 \
  --server-user "$USER" \
  --secure-cookie-key-file "$RSTUDIO_SECRET"

You say you’re running the ‘new’ rstudio server - did this work for previous versions?

I’ve not tried the previous versions

It seems OK what you’ve given, but I guess I’d like to see the POST body to be sure the password is being passed.

Beyond that I’d like to see the rserver logs out of $RSTUDIO_TMP/log those may indicate what could be going wrong.

Also I guess I’d just verify if you can actually just enter in the username & password through the UI as you see it there manually. This isn’t what you’ll ask your users to do of course, it’d just be good as a debugging step to ensure you can login.

Turns out the log directory is empty.
Makes me suspect that rstudio server crashes at some point internally and fails to report.

I’m unable to log in

auth-sign-in?appUri=%2F&error=1

I think you also need a log etc file to tell it where to log. It’s likely logging inside the container somewhere else.

I checked the ~/etc/logging.conf.erb and it all seems intact.

[*]
log-level=debug
logger-type=file
log-dir=<%= session.staged_root.join('logs') %>

I don’t see a mountpoint for it in the singularity startup command.

Thanks for pointing that out.
I fixed that and i was able to follow the error in the log I’ve fixed it.
Works fine now