Cannot login to UI with any user besides admin

We want to give our supporters access to inspect event-streams via the UI.
We created a user for this (“ajoursupport”), and added the following ‘update-default-acl’ event to the $settings-stream:

{
  "$userStreamAcl": {
    "$r": [
      "$admin",
      "$ops",
      "ajoursupport"
    ],
    "$w": [
      "$admin",
      "$ops"
    ],
    "$d": [
      "$admin",
      "$ops"
    ],
    "$mr": [
      "$admin",
      "$ops",
      "ajoursupport"
    ],
    "$mw": [
      "$admin",
      "$ops"
    ]
  },
  "$systemStreamAcl": {
    "$r": [
      "$admins",
      "ajoursupport"
    ],
    "$w": "$admins",
    "$d": "$admins",
    "$mr": [
      "$admins",
      "ajoursupport"
    ],
    "$mw": "$admins"
  }
}

Using the HTTP API directly without a browser, we observe that this “works”: with ajoursupport’s credentials we can GET streams but not POST new events to them. So far so good.

The problem is that ajoursupport cannot log in via the UI. Its GET /users/ajoursupport request returns 401, without any visual feedback that anything has happened. Something works though, as we CAN access streams in the UI after this request by typing {baseUrl}/web/index.html#/streams/{streamId} into the address bar of the browser.
This is not a feasible workaround alas, as our supporters need to navigate via the UI.

It works like a charm in v. 4.1.0.0
Issue observed in v. 5.0.9.0, 5.0.10.0 and 5.0.11.0

The UI request/response when clicking “Sign in” looks like this (no content):

Request URL: http://localhost:2113/users/ajoursupport
Request Method: GET
Status Code: 401 Unauthorized
Remote Address: [::1]:2113
Referrer Policy: strict-origin-when-cross-origin

Request headers:
	Access-Control-Allow-Headers: Content-Type, X-Requested-With, X-Forwarded-Host, X-Forwarded-Prefix, X-PINGOTHER, Authorization, ES-LongPoll, ES-ExpectedVersion, ES-EventId, ES-EventType, ES-RequiresMaster, ES-HardDelete, ES-ResolveLinkTos
	Access-Control-Allow-Methods: GET, PUT, DELETE, OPTIONS
	Access-Control-Allow-Origin: *
	Access-Control-Expose-Headers: Location, ES-Position, ES-CurrentVersion
	Content-Encoding: gzip
	Content-Length: 0
	Date: Thu, 02 Sep 2021 08:16:16 GMT
	Server: Microsoft-HTTPAPI/2.0
	WWW-Authenticate: BasicCustom realm="ES",Basic realm="ES"
	
Response headers:
	Accept: application/json
	Accept-Encoding: gzip, deflate, br
	Accept-Language: da-DK,da;q=0.9,en-US;q=0.8,en;q=0.7
	Authorization: Basic YWpvdXJzdXBwb3J0OlExMjN3MjM0
	Cache-Control: no-cache
	Connection: keep-alive
	DNT: 1
	ES-LongPoll: 5
	Host: localhost:2113
	Pragma: no-cache
	Referer: http://localhost:2113/web/index.html
	sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Google Chrome";v="92"
	sec-ch-ua-mobile: ?0
	Sec-Fetch-Dest: empty
	Sec-Fetch-Mode: cors
	Sec-Fetch-Site: same-origin
	sec-gpc: 1

Same behavior in different browsers (tested with Chrome and Edge)

It’s a single node cluster running locally, with just the --run-projections=all parameter

There’s nothing interesting in the log as far as I can see.

Hope anyone can help, thanks in advance :)
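An offline check of the ACL quoted in the post, added here as an example and not part of the original post or of Event Store's own code: it confirms that ajoursupport holds only read and metadata-read rights (consistent with the GET/POST behaviour reported) and lists `$`-prefixed principals that are not in an assumed set of built-in group names. The function names and the `BUILTIN_GROUPS` set are assumptions made for this example.

```python
# Added example: offline least-privilege check of the ACL quoted in the post.
# ACL values are copied from the post, condensed onto fewer lines.
ACL = {
    "$userStreamAcl": {
        "$r": ["$admin", "$ops", "ajoursupport"], "$w": ["$admin", "$ops"],
        "$d": ["$admin", "$ops"], "$mr": ["$admin", "$ops", "ajoursupport"],
        "$mw": ["$admin", "$ops"]},
    "$systemStreamAcl": {
        "$r": ["$admins", "ajoursupport"], "$w": "$admins", "$d": "$admins",
        "$mr": ["$admins", "ajoursupport"], "$mw": "$admins"},
}
# Assumption: Event Store's built-in group names.
BUILTIN_GROUPS = {"$admins", "$ops", "$all"}
READ_ONLY = {"$r", "$mr"}


def principals(entry):
    """An ACL entry is either one principal (string) or a list of them."""
    return [entry] if isinstance(entry, str) else list(entry)


def grants(acl, user, groups=()):
    """Per ACL section, the operations granted to the user or its groups."""
    who = {user, *groups}
    return {section: sorted(op for op, entry in rules.items()
                            if who & set(principals(entry)))
            for section, rules in acl.items()}


def excess_rights(acl, user, groups=(), allowed=READ_ONLY):
    """Operations beyond `allowed`; an empty dict means read-only."""
    extra = {s: [op for op in ops if op not in allowed]
             for s, ops in grants(acl, user, groups).items()}
    return {s: ops for s, ops in extra.items() if ops}


def unknown_groups(acl):
    """'$'-prefixed principals outside BUILTIN_GROUPS (possible typos)."""
    return sorted({p for rules in acl.values() for entry in rules.values()
                   for p in principals(entry)
                   if p.startswith("$") and p not in BUILTIN_GROUPS})


if __name__ == "__main__":
    print("granted:", grants(ACL, "ajoursupport"))
    print("beyond read-only:", excess_rights(ACL, "ajoursupport"))
    print("unrecognised groups:", unknown_groups(ACL))
```

Running the same check before writing an update-default-acl event catches a support account that would gain write, delete or metadata-write rights, and any group name that matches no built-in group.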