Wger iOS app cannot log in when service is behind Anubis (anti-AI protection)

[philiprenich]

Priority/Impact

None

Description

NOTE: THIS IS NOT AN ISSUE WITH WGER DIRECTLY. Due to bots swarming my domain, I have installed Anubis to protect it. This works fine in the browser, and when the app was pre-logged in, it worked. I am hoping to understand Wger's install better to help configure Anubis and help others who wish to do the same.

Description

Logging in via the iOS app. Anubis intercepts requests to challenge if the client is a bot or not. Anubis can white list requests, and does so for /api paths. Does the authentication flow live on its own routing? I may be able to create a configuration specific to Wger's auth endpoints to make things work.

Error details

Error title: An error occurred
Error message: FormatException: Unexpected character (at character 1)
<!doctype html><title>Making sure you're not a bo...
^

Stack trace:

#0      _ChunkedJsonParser.fail (dart:convert-patch/convert_patch.dart:1467)
#1      _ChunkedJsonParser.parseNumber (dart:convert-patch/convert_patch.dart:1333)
#2      _ChunkedJsonParser.parse (dart:convert-patch/convert_patch.dart:935)
#3      _parseJson (dart:convert-patch/convert_patch.dart:35)
#4      JsonDecoder.convert (dart:convert/json.dart:641)
#5      JsonCodec.decode (dart:convert/json.dart:223)
#6      AuthProvider.login (package:wger/providers/auth.dart:177)
<asynchronous suspension>
#7      _AuthCardState._submit (package:wger/screens/auth_screen.dart:184)
<asynchronous suspension>

App logs (last 2 entries):

2025-10-17T21:40:57.193819 SEVERE [main] Error caught by PlatformDispatcher.instance.onError: FormatException: Unexpected character (at character 1)
<!doctype html><html lang="en"><head><title>Making sure you&#39;re not a bo...
^

2025-10-17T21:40:57.196294 SEVERE [main] Stack trace: #0      _ChunkedJsonParser.fail (dart:convert-patch/convert_patch.dart:1467)
#1      _ChunkedJsonParser.parseNumber (dart:convert-patch/convert_patch.dart:1333)
#2      _ChunkedJsonParser.parse (dart:convert-patch/convert_patch.dart:935)
#3      _parseJson (dart:convert-patch/convert_patch.dart:35)
#4      JsonDecoder.convert (dart:convert/json.dart:641)
#5      JsonCodec.decode (dart:convert/json.dart:223)
#6      AuthProvider.login (package:wger/providers/auth.dart:177)
<asynchronous suspension>
#7      _AuthCardState._submit (package:wger/screens/auth_screen.dart:184)
<asynchronous suspension>

Server version

2.4.0a2 , running via Docker

Mobile app version

latest I believe, can't get to About to check.

[rolandgeider]

hey! it's so sad that this is needed at all 🙄 I was also thinking about trying anubis, but for now the server seems to be able to withstand the onslaught. BTW, does this block "legitimate" crawlers?

But no, all the workflow should go to urls under /api/ (besides media files and so, but that doesn't seem to be the case here). I have no idea how to configure anubis, but e.g. django can be a bit finicky when configuring stuff like hostnames and you miss the ports or have a slash at the end, etc., perhaps it's something like that? Can you do a curl request to e.g. /api/v2/login/ ?

[philiprenich]

I believe the default setup is not to block legit crawlers and indexers. It is configurable to what it blocks though. I have a bunch of other stuff on the same server and reverse proxy, and also just trying to keep bots away - especially those trawling for openings (it was hitting every variation of the login it could).

/api/v2/login/ seems to be okay to curl. I'm prompted to POST a username and password and when doing that I got a JSON error back (which maybe is expected when I'm naively posting via curl). {"detail":"JSON parse error - Expecting ',' delimiter: line 1 column 72 (char 71)"}

Maybe there are follow up requests happening. Does the app load any web views? Could be something like that.

I think my alternative would be to look at mass 404 requests and ban IPs based around that.

[rolandgeider]

/api/v2/login/ seems to be okay to curl. I'm prompted to POST a username and password and when doing that I got a JSON error back (which maybe is expected when I'm naively posting via curl). {"detail":"JSON parse error - Expecting ',' delimiter: line 1 column 72 (char 71)"}

There's no web views or anything involved, but you can also open the same endpoints with the browser and get html back. If you explicitly set the type header to application/json, you should be fine. (As a last resort, if you compile the app locally, you can use flutter's dev tool to monitor each request the app makes, but that shouldn't be necessary)

BTW, we've also been hit a lot more than usual these days, I guess I'll have to look at setting up an anubis instance myself as well

[philiprenich]

Looks like I was wrong about Anubis defaulting to allowing /api by default. There is a configuration for this, but it isn't enabled by default.

I've adjusted my Anubis policy to include the following to allow a access to the Wger API.

  - name: api-for-wger
    action: ALLOW
    expression:
      all:
        - host == "my-host.com"
        - path.startsWith("/api/v2/")

This has solved the login issue in the app! 😄

[rolandgeider]

I did play a bit with anubis last week and added a sample config (wger-project/docker#145), but haven't deployed it yet. I just used their big config, which seems to cover most use cases