I created this blog to write about my experience as a software engineer.
In another post I will comment on the plugins I use and why I chose them, but for now let's look at a problem I am having and what the possible solutions are. The solution is going to be viewed from the VPS side of hosting and from the no-access WHM side of hosting.
But first let's see what the problem is.
For my login form I chose to offer Google, Facebook and Twitter login buttons, so that users have easy register/login choices.

While Facebook and Twitter worked out of the box using Nextend Social Login, Google had a problem that at first look I couldn't identify.
But with a closer look at the URI:
https://www.piratez.gr/wp-login.php?loginSocial=google&state=<state>&code=<code>&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&prompt=none

This resulted in a 404 – page not found error.
Now I had two pieces of information:
1) The 404 error
2) The URI, which contains the deprecated scopes (still used for backward compatibility) https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile
These scopes have been changed to the email and profile scopes that you can see in the URI.
Immediately I knew that there was a problem with some of the values, so I removed the deprecated values, manually re-applied the link, and it got through.
There is a major problem here. These variables are sent directly from Google using the callback URL I have declared to the Google API, therefore I cannot interfere with the values. On top of that I had a WAF installed on the site (which we will talk about in another post).
My second try was to deactivate the WAF and try again, but it resulted in the same failure, with the same error page and the same symptoms.
The only other underlying security I have is ModSecurity, which has rules and filters about URLs and how to process them. Sadly this blog is currently hosted at https://www.inwebpro.gr, an excellent host with a focus on security, especially secure server configuration, and with good support and hosting. The only downside is that the WHM (reseller hosting) has somewhat limited options, unless you ask the company for the permissions, which will somewhat “void” your support for self-harmful acts on the server’s instance.
What I want to achieve is to whitelist the domain https://www.googleapis.com, so that ModSecurity allows this URL for as long as Google provides it.
Now I am waiting for a reply to my request ticket (it won’t take long, but as this is not a critical issue, I have marked my ticket with moderate priority), but as I searched a little more on Google about the issue I found that this has already been answered on the Nextend website here.
I will return with a version 2 of this post to analyze the resolution of the issue.
After my communication with the hosting provider, the issue is RESOLVED by disabling the specific URL from the ModSecurity rule for the specific hosting.
If you ever encounter the same problem, just disable the specific URL from the ModSecurity rule, and all will work as expected!
EDIT 3/2/2022: We have made a server migration, and we are waiting for the server admin to make the same exception in ModSecurity.
EDIT 4/2/2022: Login is now working again using the same fix.
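
One way to write such an exception so that it covers only the Google callback and only the scope parameter, leaving the rule active everywhere else (an added example, not the hosting provider's actual configuration). Assumptions: RULE_ID_FROM_AUDIT_LOG is a placeholder for the id of the rule that the ModSecurity audit log reports for the blocked request, 1000100 is an arbitrary id for this local rule, and the blocking rule is one that inspects the scope argument.

```apache
# Added example: ModSecurity exclusion scoped to the Google OAuth callback.
#
# RULE_ID_FROM_AUDIT_LOG is a placeholder, not a real rule id. Replace it
# with the numeric id shown in the audit log entry for the blocked callback.
# 1000100 is a constructed id for this local rule; pick any unused one.
#
# Load this file before the rule set it modifies, so the exclusion is
# registered before the blocking rule is evaluated.

# Step 1: match only the WordPress login endpoint ...
SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
    "id:1000100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    # Step 2: ... and only when it is the Google social-login callback.
    # ARGS_GET is the query string, which is where Google puts its values.
    SecRule ARGS_GET:loginSocial "@streq google" \
        "t:none,\
        ctl:ruleRemoveTargetById=RULE_ID_FROM_AUDIT_LOG;ARGS:scope"

# Broader alternatives, shown commented out for comparison only:
#
#   SecRuleRemoveById RULE_ID_FROM_AUDIT_LOG
#     removes the rule for every URL and every parameter on the site.
#
#   SecRuleEngine Off
#     turns off all ModSecurity inspection for the host.
```

With this form the rule still inspects every other argument on wp-login.php and every other request on the site; only the scope value sent back by Google on the loginSocial=google callback is skipped.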