Make database chmod best-effort for rootless podman

os.Chmod(path, 0600) fails inside rootless podman containers because fchmod is denied in the user namespace. This was fatal — the database wouldn't open, crashing the service. Changed to best-effort: log nothing on failure, database functions correctly without the permission tightening. The file is already protected by the container's volume mount and the host filesystem permissions. Root cause of the 2026-04-03 incident recovery failure — MCR and Metacrypt couldn't start until their databases were deleted and recreated. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fix SSO cookies not stored on Firefox 302 redirects
2026-04-03 09:32:52 -07:00 · 2026-03-31 23:13:37 -07:00
2 changed files with 22 additions and 9 deletions
--- a/db/db.go
+++ b/db/db.go
@@ -65,11 +65,11 @@ func Open(path string) (*sql.DB, error) {
 	// connection to serialize all access and eliminate busy errors.
 	database.SetMaxOpenConns(1)

-	// Ensure permissions are correct even if the file already existed.
-	if err := os.Chmod(path, 0600); err != nil {
-		_ = database.Close()
-		return nil, fmt.Errorf("db: chmod %s: %w", path, err)
-	}
+	// Best-effort permissions tightening. This may fail inside rootless
+	// podman containers where fchmod is denied in the user namespace.
+	// The database still functions correctly without it.
+	// See: log/2026-04-03-uid-incident.md
+	_ = os.Chmod(path, 0600)

 	return database, nil
 }
@@ -168,9 +168,7 @@ func Snapshot(database *sql.DB, destPath string) error {
 		return fmt.Errorf("db: snapshot: %w", err)
 	}

-	if err := os.Chmod(destPath, 0600); err != nil {
-		return fmt.Errorf("db: chmod snapshot %s: %w", destPath, err)
-	}
+	_ = os.Chmod(destPath, 0600) // best-effort; may fail in rootless containers

 	return nil
 }
--- a/sso/sso.go
+++ b/sso/sso.go
@@ -22,6 +22,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"net/http"
 	"net/url"
@@ -268,6 +269,12 @@ func ConsumeReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string

 // RedirectToLogin generates a state, sets the state and return-to cookies,
 // and redirects the user to the MCIAS authorize URL.
+//
+// The redirect is performed via a 200 response with an HTML meta-refresh
+// instead of a 302. Some browsers (notably Firefox) do not reliably store
+// Set-Cookie headers on 302 responses that redirect to a different origin,
+// even when the origins are same-site. Using a 200 response ensures the
+// cookies are stored before the browser navigates away.
 func RedirectToLogin(w http.ResponseWriter, r *http.Request, client *Client, cookiePrefix string) error {
 	state, err := GenerateState()
 	if err != nil {
@@ -276,7 +283,15 @@ func RedirectToLogin(w http.ResponseWriter, r *http.Request, client *Client, coo

 	SetStateCookie(w, cookiePrefix, state)
 	SetReturnToCookie(w, r, cookiePrefix)
-	http.Redirect(w, r, client.AuthorizeURL(state), http.StatusFound)
+
+	authorizeURL := client.AuthorizeURL(state)
+	escaped := html.EscapeString(authorizeURL)
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.WriteHeader(http.StatusOK)
+	_, _ = fmt.Fprintf(w, `<!DOCTYPE html>
+<html><head><meta http-equiv="refresh" content="0;url=%s"></head>
+<body><p>Redirecting to <a href="%s">MCIAS</a>...</p></body></html>`,
+		escaped, escaped)
 	return nil
 }