From db17c673c8e97f32c092862d088b1ef1757f59a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elias=20H=C3=B6rner?=
Date: Sat, 21 Feb 2026 20:50:02 +0100
Subject: [PATCH 1/2] Test
---
 docs/pages/installation.md | 1 +
 .../Endpoints/Identity/IdentityEndpointBase.cs | 6 +++++-
 src/Turnierplan.App/Options/IdentityOptions.cs | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/docs/pages/installation.md b/docs/pages/installation.md
index 7fad538b..571c14be 100644
--- a/docs/pages/installation.md
+++ b/docs/pages/installation.md
@@ -62,6 +62,7 @@ The following environment variables can be set if you want to enable specific fe
 | `ApplicationInsights__ConnectionString` | Can be set if you wish that your instance sends telemetry data to [Azure Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview). | - |
 | `Identity__AccessTokenLifetime` | Defines the lifetime of issued JWT access tokens. | `00:03:00` |
 | `Identity__RefreshTokenLifetime` | Defines the lifetime of issued JWT refresh tokens. | `1.00:00:00` |
+| `Identity__AllowInsecure` | Set to `true` to allow login via HTTP. This is obviously not recommended. | `false` |
 | `Turnierplan__InstanceName` | The instance name is displayed in the header/footer of the public pages. If not specified, the string `turnierplan.NET` will be shown instead. | - |
 | `Turnierplan__LogoUrl` | The URL of the custom logo to be displayed in the header of the public pages. If not specified, the turnierplan.NET logo will be shown instead. | - |
 | `Turnierplan__ImprintUrl` | The URL of your external imprint page if you want it to be linked on the public pages. | - |
diff --git a/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs b/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs
index e387bf25..52510e98 100644
--- a/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs
+++ b/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs
@@ -78,11 +78,15 @@ protected void AddResponseCookieForToken(HttpContext context, string token, bool
 void AddCookie(string path)
 {
+ // If the config value 'AllowInsecure' is set to true, the cookies will be sent without the 'secure' flag.
+ // Thus, the browser will also send the cookies along with HTTP requests instead of HTTPS only.
+ var isSecure = _options.CurrentValue.AllowInsecure != true;
+
 var cookieOptions = new CookieOptions
 {
 HttpOnly = true,
 SameSite = SameSiteMode.Strict,
- Secure = true,
+ Secure = isSecure,
 Path = path,
 Expires = cookieExpires
 };
diff --git a/src/Turnierplan.App/Options/IdentityOptions.cs b/src/Turnierplan.App/Options/IdentityOptions.cs
index e9010125..7a4a656e 100644
--- a/src/Turnierplan.App/Options/IdentityOptions.cs
+++ b/src/Turnierplan.App/Options/IdentityOptions.cs
@@ -9,5 +9,7 @@ internal sealed class IdentityOptions : AuthenticationSchemeOptions
 public TimeSpan AccessTokenLifetime { get; init; } = TimeSpan.Zero;
 public TimeSpan RefreshTokenLifetime { get; init; } = TimeSpan.Zero;
+
+ public bool? AllowInsecure { get; init; }
 }
From 979cbf1197ce11075903ce002504e46b8c4c6198 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Elias=20H=C3=B6rner?=
Date: Sat, 21 Feb 2026 21:02:32 +0100
Subject: [PATCH 2/2] Some updates
---
 docs/pages/installation.md | 12 +++++++++++-
 .../Endpoints/Identity/IdentityEndpointBase.cs | 4 ++--
 src/Turnierplan.App/Options/IdentityOptions.cs | 2 +-
 3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/docs/pages/installation.md b/docs/pages/installation.md
index 571c14be..c9bf6655 100644
--- a/docs/pages/installation.md
+++ b/docs/pages/installation.md
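Review bot: In `AddCookie` in IdentityEndpointBase.cs, `Secure = isSecure` removes the flag from every token cookie once the option is `true`, including cookies issued to clients that did connect over HTTPS, so one instance-wide switch weakens the session for all users. `AddCookie` is a local function of `AddResponseCookieForToken(HttpContext context, …)`, so the flag could stay on whenever the request itself is secure: `Secure = isSecure || context.Request.IsHttps,`. Behind a TLS-terminating reverse proxy `IsHttps` is only accurate when forwarded headers are processed, which is not visible from this hunk. A one-time warning log when the option is enabled would also make the downgrade visible to operators. The same applies to the renamed `UseInsecureCookies` check in PATCH 2/2, and the body of `AddCookie` continues outside the hunk.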
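Review bot: `public bool? AllowInsecure { get; init; }` in IdentityOptions.cs gives the option three states although the only caller distinguishes just `true` (it tests `!= true`), and the property carries no documentation. A plain `public bool AllowInsecure { get; init; }` still defaults to `false` and lets the call site read `Secure = !_options.CurrentValue.AllowInsecure`. A doc comment such as `/// <summary>When true, token cookies are issued without the Secure attribute and are also sent over plain HTTP.</summary>` would record the security impact next to the switch. PATCH 2/2 renames the property to `UseInsecureCookies` but keeps the nullable type.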
@@ -62,7 +62,6 @@ The following environment variables can be set if you want to enable specific fe
 | `ApplicationInsights__ConnectionString` | Can be set if you wish that your instance sends telemetry data to [Azure Application Insights](https://learn.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview). | - |
 | `Identity__AccessTokenLifetime` | Defines the lifetime of issued JWT access tokens. | `00:03:00` |
 | `Identity__RefreshTokenLifetime` | Defines the lifetime of issued JWT refresh tokens. | `1.00:00:00` |
-| `Identity__AllowInsecure` | Set to `true` to allow login via HTTP. This is obviously not recommended. | `false` |
 | `Turnierplan__InstanceName` | The instance name is displayed in the header/footer of the public pages. If not specified, the string `turnierplan.NET` will be shown instead. | - |
 | `Turnierplan__LogoUrl` | The URL of the custom logo to be displayed in the header of the public pages. If not specified, the turnierplan.NET logo will be shown instead. | - |
 | `Turnierplan__ImprintUrl` | The URL of your external imprint page if you want it to be linked on the public pages. | - |
@@ -183,3 +182,14 @@ If you have an Entra ID app registration with the necessary permissions on the s
 | `ImageStorage__TenantId` | The tenant id where the app registration resides. |
 | `ImageStorage__ClientId` | The client id of the *app registration*. |
 | `ImageStorage__ClientSecret` | The value of the client secret. |
+
+## Troubleshooting
+
+Below are troubleshooting steps for some issues you might encounter during installation.
+
+### Connecting over HTTP
+
+If you are connecting to a remote (non-`localhost`) turnierplan.NET server via HTTP, you should see a *401 Unauthorized* error after logging in with your valid credentials. This is because turnierplan.NET uses secure cookies by default. You can set the `Identity__UseInsecureCookies` environment variable to `true` to change this behavior.
+
+!!! danger
+ Using HTTP is obviously not the way to go if you are connecting over the internet. For local setups this might be fine, though it is still discouraged. Most importantly, it is **not officially supported** because some parts of the client application rely on HTTPS-only browser APIs to work properly (such as clipboard or crypto).
diff --git a/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs b/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs
index 52510e98..8ce54528 100644
--- a/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs
+++ b/src/Turnierplan.App/Endpoints/Identity/IdentityEndpointBase.cs
@@ -78,9 +78,9 @@ protected void AddResponseCookieForToken(HttpContext context, string token, bool
 void AddCookie(string path)
 {
- // If the config value 'AllowInsecure' is set to true, the cookies will be sent without the 'secure' flag.
+ // If the config value 'UseInsecureCookies' is set to true, the cookies will be sent without the 'secure' flag.
 // Thus, the browser will also send the cookies along with HTTP requests instead of HTTPS only.
- var isSecure = _options.CurrentValue.AllowInsecure != true;
+ var isSecure = _options.CurrentValue.UseInsecureCookies != true;
 var cookieOptions = new CookieOptions
 {
diff --git a/src/Turnierplan.App/Options/IdentityOptions.cs b/src/Turnierplan.App/Options/IdentityOptions.cs
index 7a4a656e..4520cf0a 100644
--- a/src/Turnierplan.App/Options/IdentityOptions.cs
+++ b/src/Turnierplan.App/Options/IdentityOptions.cs
@@ -10,6 +10,6 @@ internal sealed class IdentityOptions : AuthenticationSchemeOptions
 public TimeSpan RefreshTokenLifetime { get; init; } = TimeSpan.Zero;
- public bool? AllowInsecure { get; init; }
+ public bool? UseInsecureCookies { get; init; }
 }