403 Invalid Signature #397

Closed
opened 2026-02-05 17:32:28 +03:00 by OVERLORD · 13 comments

Originally created by @mrhid6 on GitHub (Jul 30, 2025).

Current Behavior

When creating new users or resetting passwords, clicking the link in the email shows a 403 invalid signature.

There are no logs in the log folder.

https://panel.hostxtra.co.uk/password-reset/reset?email=<REDACTED>%40hotmail.co.uk&token=b2e4a61c7c4bd55bdf23cbdd98dde5c967139d7eff6fe5b895eeca571c9ce026&signature=9ff846c43925d4ef876f58dda761a995ce8d11c80fc2df9914f6ab5e6cd91d01

Expected Behavior

The password reset form is meant to show.

Steps to Reproduce

Create a new user in the UI or API.
Click on the link in the email.

Or

Click on the password reset link on the login.
Click on the link in the email.

Panel Version

1.0.0-beta23

Wings Version

1.0.0-beta15

Games and/or Eggs Affected

No response

Docker Image

No response

Error Logs


Is there an existing issue for this?

  • I have searched the existing issues before opening this issue.
  • I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
  • I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.

@Jamesking56 commented on GitHub (Aug 3, 2025):

Is your app behind a proxy like Cloudflare by any chance?


@mrhid6 commented on GitHub (Aug 3, 2025):

@Jamesking56 yeah it’s behind Cloudflare proxy and also an nginx reverse proxy


@Jamesking56 commented on GitHub (Aug 3, 2025):

> @Jamesking56 yeah it’s behind Cloudflare proxy and also a nginx reverse proxy

Yeah, so basically what is happening is that Laravel is generating a URL and signing it using http:// and then you are hitting it on https:// (due to Cloudflare or Nginx redirecting to HTTPS). Because of this redirect, it's causing the signature to no longer match (due to it being generated as http). I've had this a few times myself on other Laravel apps.

To fix this, you need Laravel to generate links using HTTPS instead of HTTP. To do this in my apps, I created a custom middleware which checks the X-Forwarded-Proto header from Cloudflare to tell Laravel to use HTTPS for all URL generation.

Not sure what the best way is to introduce this into Pelican. Whether we simply just add this middleware to Pelican by default or not:

```php
use Illuminate\Http\Request;

class ForceHttpsMiddleware
{
    public function handle(Request $request, \Closure $next): mixed
    {
        // Force HTTPS for URL generation when behind proxy
        if ('https' === $request->header('X-Forwarded-Proto')) {
            // Mark the request as HTTPS on port 443 so generated URLs use https://
            $request->server->set('HTTPS', 'on');
            $request->server->set('SERVER_PORT', 443);
        }

        return $next($request);
    }
}
```

@mrhid6 commented on GitHub (Aug 3, 2025):

So I did a bit of testing and logged the URL that it generates to the Laravel logs, and it does produce an HTTPS URL.
It also matches the URL in the email.


@Jamesking56 commented on GitHub (Aug 3, 2025):

> So I did a bit of testing and logged the URL that it generates to the Laravel logs, and it does produce an HTTPS URL. It also matches the URL in the email.

You can `dd()` the signature that it produces and see if it matches what is expected; there's a built-in middleware that checks it. Might be worth verifying this.


@mrhid6 commented on GitHub (Aug 3, 2025):

> You can `dd()` the signature that it produces and see if it matches what is expected, there's a built-in middleware that checks it. Might be worth verifying this.

I’m not too familiar with PHP and Laravel, so I'm not sure where this would go in the project.


@Jamesking56 commented on GitHub (Aug 4, 2025):

> > You can `dd()` the signature that it produces and see if it matches what is expected, there's a built-in middleware that checks it. Might be worth verifying this.
>
> I’m not too familiar with PHP and Laravel so not sure where this would go in the project

It's this middleware in Laravel that checks if the signature matches:

https://github.com/laravel/framework/blob/12.x/src/Illuminate/Routing/Middleware/ValidateSignature.php

So you could stick a `dd()` in there in your `vendor/laravel/framework` directory of Pelican and see if the signature matches and do more debugging that way.


@mrhid6 commented on GitHub (Aug 4, 2025):

So, I managed to figure it out: When you have Cloudflare and proxy the DNS, then use an Nginx reverse proxy.
In the Pelican settings, you must add both the Cloudflare IPs and the IP of the nginx reverse proxy.
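
The failure and fix discussed above, as an added example that is not part of the thread and is not Pelican's or Laravel's code: a simplified model of a signed-URL check in which `X-Forwarded-Proto` is honoured only when the directly connecting peer is on the trusted-proxy list. The key, host, path and addresses (`10.0.0.5` for the nginx proxy, `203.0.113.0/24` standing in for an edge range) are constructed, and all function names are hypothetical.

```php
<?php
// Simplified model of signed-URL validation behind reverse proxies.
// Every key, host and address below is constructed for illustration.
const APP_KEY = 'constructed-demo-key';

// HMAC over the full URL, scheme included.
function sign_url(string $url): string
{
    return hash_hmac('sha256', $url, APP_KEY);
}

// True when $ip is inside an IPv4 CIDR block or equals a single address.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Scheme the application believes the request used. The forwarded header
// counts only when the directly connected peer is a trusted proxy.
function effective_scheme(array $server, array $trusted): string
{
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($server['REMOTE_ADDR'], $cidr)) {
            return $server['HTTP_X_FORWARDED_PROTO'] ?? 'http';
        }
    }
    return 'http'; // the proxy-to-app hop in this model is plain HTTP
}

// Rebuild the URL as the application sees it and compare signatures.
function validate(array $server, array $trusted, string $signature): int
{
    $url = effective_scheme($server, $trusted) . '://'
        . $server['HTTP_HOST'] . $server['REQUEST_URI'];
    return hash_equals(sign_url($url), $signature) ? 200 : 403;
}

$signature = sign_url('https://panel.example.test/password-reset/reset?token=demo');
$request = [
    'REMOTE_ADDR' => '10.0.0.5', // constructed: the nginx reverse proxy
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_HOST' => 'panel.example.test',
    'REQUEST_URI' => '/password-reset/reset?token=demo',
];
foreach ([[], ['203.0.113.0/24'], ['203.0.113.0/24', '10.0.0.5']] as $trusted) {
    echo '[' . implode(', ', $trusted) . '] => ' . validate($request, $trusted, $signature) . PHP_EOL;
}
```

In this model the link validates only for the last list, where the address of the proxy that actually connects to the application is trusted; listing the edge range alone leaves the request looking like plain HTTP.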


@AlphaCraft9658 commented on GitHub (Dec 16, 2025):

> > @Jamesking56 yeah it’s behind Cloudflare proxy and also a nginx reverse proxy
>
> Yeah, so basically what is happening is that Laravel is generating a URL and signing it using `http://` and then you are hitting it on `https://` (due to Cloudflare or Nginx redirecting to HTTPS). Because of this redirect, it's causing the signature to no longer match (due to it being generated as http). I've had this a few times myself on other Laravel apps.
>
> To fix this, you need Laravel to generate links using HTTPS instead of HTTP. To do this in my apps, I created a custom middleware which checks the `X-Forwarded-Proto` header from Cloudflare to tell Laravel to use HTTPS for all URL generation.
>
> Not sure what the best way is to introduce this into Pelican. Whether we simply just add this middleware to Pelican by default or not:
>
> ```php
> class ForceHttpsMiddleware
> {
>     public function handle(Request $request, \Closure $next): mixed
>     {
>         // Force HTTPS for URL generation when behind proxy
>         if ('https' === $request->header('X-Forwarded-Proto')) {
>             $request->server->set('HTTPS', 'on');
>             $request->server->set('SERVER_PORT', 443);
>         }
>
>         return $next($request);
>     }
> }
> ```

How do I use this or has this been implemented? I am using the Traefik Reverse proxy and Cloudflare Tunnels, but it works neither externally nor internally.


@Jamesking56 commented on GitHub (Dec 16, 2025):

@AlphaCraft9658

  1. Define the middleware: https://laravel.com/docs/12.x/middleware#defining-middleware
  2. Add the code I put above to the middleware class
  3. Then register it: https://laravel.com/docs/12.x/middleware#registering-middleware

@AlphaCraft9658 commented on GitHub (Dec 16, 2025):

> @AlphaCraft9658
>
>   1. Define the middleware: https://laravel.com/docs/12.x/middleware#defining-middleware
>   2. Add the code I put above to the middleware class
>   3. Then register it: https://laravel.com/docs/12.x/middleware#registering-middleware

I will take a look at it, thanks!
I hope that this will possibly be implemented into the panel itself in the near future instead of requiring a manual fix.


@AlphaCraft9658 commented on GitHub (Dec 16, 2025):

> @AlphaCraft9658
>
>   1. Define the middleware: https://laravel.com/docs/12.x/middleware#defining-middleware
>   2. Add the code I put above to the middleware class
>   3. Then register it: https://laravel.com/docs/12.x/middleware#registering-middleware

I tried registering with `$middleware->append(ForceHttpsMiddleware::class);`, but now I am getting error code 500.


@Jamesking56 commented on GitHub (Dec 16, 2025):

> > @AlphaCraft9658
> >
> >   1. Define the middleware: laravel.com/docs/12.x/middleware#defining-middleware
> >   2. Add the code I put above to the middleware class
> >   3. Then register it: laravel.com/docs/12.x/middleware#registering-middleware
>
> I tried registering with `$middleware->append(ForceHttpsMiddleware::class);`, but now I am getting error code 500.

Set `APP_DEBUG=true` in `.env` and retry to see the full error message


Reference: starred/panel-pelican-dev#397