Skip to content

Android client fails authentication when server.session_cookie_name is customized #35

Description

@K-MeLeOn

Describe the Bug

The Android client fails to complete authentication when the Pangolin server is configured with a custom server.session_cookie_name.

In my setup, I changed the session cookie name from the default:

server:
  session_cookie_name: my_custom_session_token

After logging in from the Android app, the app logs showed:

Poll successful - got auth token
Poll success - handling authentication
Authenticated request returned 401 - invoking unauthorized callback
API client received 401/403 - marking session as expired
Marking session as expired
Failed to complete authentication: Unauthorized

Traefik access logs showed that the failing request was:

GET /api/v1/user -> 401
OriginStatus=401
User-Agent=pangolin-android-0.2.0

After temporarily logging only cookie names, I noticed that the Android client was sending:

p_session_token

However, the server was configured to expect:

my_custom_session_token

Changing the server configuration back to the default fixed the issue:

server:
  session_cookie_name: p_session_token

Environment

  • OS Type & Version: GrapheneOS - Android 16
  • Pangolin Version: 1.19.4
  • Edition (Community or Enterprise): Community
  • Gerbil Version: 1.4.2
  • Traefik Version: v3.7.6
  • Newt Version: 1.13.0
  • Client Version: Android 0.2.0

To Reproduce

  1. Configure Pangolin with a custom session cookie name:
server:
  session_cookie_name: pgl_session_token
  1. Restart Pangolin
  2. Clear Android app storage
  3. Open Pangolin Android client 0.2.0
  4. Log in to the self-hosted instance (directly or with IdP)
  5. Authentication appears to complete in the browser/device flow
  6. Android app fails with Unauthorized.

Additional context

The issue was reproduced with a self-hosted Community deployment with Podman rootful on NixOS using Traefik + Badger. The failing 401 comes from the Pangolin API origin itself, not from Traefik, CrowdSec, or Badger:

RequestPath=/api/v1/user
DownstreamStatus=401
OriginStatus=401
RouterName=api-router@file
ServiceName=api-service@file
User-Agent=pangolin-android-0.2.0

Expected Behavior

The Android client should either use the session cookie name configured by the Pangolin server, or
the server/client flow should not allow a documented configurable cookie name to break Android authentication silently.

Since server.session_cookie_name is documented as configurable, the Android client should not assume the default p_session_token cookie name.

Actual behavior:

The Android client appears to send/use p_session_token even when the server is configured with another server.session_cookie_name.

This causes /api/v1/user to return 401 Unauthorized after the device auth poll succeeds.

Metadata

Metadata

Labels

bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions