Describe the Bug
The Android client fails to complete authentication when the Pangolin server is configured with a custom server.session_cookie_name.
In my setup, I changed the session cookie name from the default:
server:
session_cookie_name: my_custom_session_token
After logging in from the Android app, the app logs showed:
Poll successful - got auth token
Poll success - handling authentication
Authenticated request returned 401 - invoking unauthorized callback
API client received 401/403 - marking session as expired
Marking session as expired
Failed to complete authentication: Unauthorized
Traefik access logs showed that the failing request was:
GET /api/v1/user -> 401
OriginStatus=401
User-Agent=pangolin-android-0.2.0
After temporarily logging only cookie names, I noticed that the Android client was sending:
p_session_token
However, the server was configured to expect:
my_custom_session_token
Changing the server configuration back to the default fixed the issue:
server:
session_cookie_name: p_session_token
Environment
- OS Type & Version: GrapheneOS - Android 16
- Pangolin Version: 1.19.4
- Edition (Community or Enterprise): Community
- Gerbil Version: 1.4.2
- Traefik Version: v3.7.6
- Newt Version: 1.13.0
- Client Version: Android 0.2.0
To Reproduce
- Configure Pangolin with a custom session cookie name:
server:
session_cookie_name: pgl_session_token
- Restart Pangolin
- Clear Android app storage
- Open Pangolin Android client 0.2.0
- Log in to the self-hosted instance (directly or with IdP)
- Authentication appears to complete in the browser/device flow
- Android app fails with Unauthorized.
Additional context
The issue was reproduced with a self-hosted Community deployment with Podman rootful on NixOS using Traefik + Badger. The failing 401 comes from the Pangolin API origin itself, not from Traefik, CrowdSec, or Badger:
RequestPath=/api/v1/user
DownstreamStatus=401
OriginStatus=401
RouterName=api-router@file
ServiceName=api-service@file
User-Agent=pangolin-android-0.2.0
Expected Behavior
The Android client should either use the session cookie name configured by the Pangolin server, or
the server/client flow should not allow a documented configurable cookie name to break Android authentication silently.
Since server.session_cookie_name is documented as configurable, the Android client should not assume the default p_session_token cookie name.
Actual behavior:
The Android client appears to send/use p_session_token even when the server is configured with another server.session_cookie_name.
This causes /api/v1/user to return 401 Unauthorized after the device auth poll succeeds.
Describe the Bug
The Android client fails to complete authentication when the Pangolin server is configured with a custom
server.session_cookie_name.In my setup, I changed the session cookie name from the default:
After logging in from the Android app, the app logs showed:
Traefik access logs showed that the failing request was:
After temporarily logging only cookie names, I noticed that the Android client was sending:
p_session_tokenHowever, the server was configured to expect:
my_custom_session_tokenChanging the server configuration back to the default fixed the issue:
Environment
To Reproduce
Additional context
The issue was reproduced with a self-hosted Community deployment with Podman rootful on NixOS using Traefik + Badger. The failing 401 comes from the Pangolin API origin itself, not from Traefik, CrowdSec, or Badger:
Expected Behavior
The Android client should either use the session cookie name configured by the Pangolin server, or
the server/client flow should not allow a documented configurable cookie name to break Android authentication silently.
Since
server.session_cookie_nameis documented as configurable, the Android client should not assume the defaultp_session_tokencookie name.Actual behavior:
The Android client appears to send/use
p_session_tokeneven when the server is configured with anotherserver.session_cookie_name.This causes
/api/v1/userto return401 Unauthorizedafter the device auth poll succeeds.