cloudflare / wildebeest

Wildebeest is an ActivityPub and Mastodon-compatible server

Unable to log in

koehn opened this issue · comments

After much mucking about, I was able to install the application, create a login policy, and see the main page.

When I try to log in using an app (I tried pinafore, the Mastodon iOS app, and Ivory):

  1. I enter my email address, corresponding to the policy I created
  2. I enter the validation code that gets sent to my email

At this point, I get a blank page with a URL like https://dogfood.social/oauth/authorize?client_id=[redacted]&redirect_uri=https%3A%2F%2Fpinafore.social%2Fsettings%2Finstances%2Fadd&response_type=code&scope=read%20write%20follow%20push.

If I View Source from a browser, the source of the login page is empty (no HTML at all).

In the logs I see the following:

{
  "outcome": "ok",
  "scriptName": "pages-worker--844423-production",
  "exceptions": [],
  "logs": [
    {
      "message": [
        "-> GET https://dogfood.social/oauth/authorize?client_id=[redacted]&redirect_uri=https%3A%2F%2Fpinafore.social%2Fsettings%2Finstances%2Fadd&response_type=code&scope=read%20write%20follow%20push "
      ],
      "level": "log",
      "timestamp": 1675971779529
    },
    {
      "message": [
        "<- 200"
      ],
      "level": "log",
      "timestamp": 1675971779652
    },
    {
      "message": [
        "Error: invalid handle: localPart: https://dogfood.social/ap/users/brad"
      ],
      "level": "error",
      "timestamp": 1675971779652
    }
  ],
  "eventTimestamp": 1675971779529,
  "event": {
    "request": {
      "url": "https://dogfood.social/oauth/authorize?client_id=REDACTED&redirect_uri=https%3A%2F%2Fpinafore.social%2Fsettings%2Finstances%2Fadd&response_type=code&scope=read%20write%20follow%20push",
      "method": "GET",
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "accept-encoding": "gzip",
        "accept-language": "en-US,en;q=0.9",
        "cf-access-jwt-assertion": "REDACTED",
        "cf-connecting-ip": "2606:54c0:7681:27f0::e:100",
        "cf-connecting-o2o": "1",
        "cf-ipcountry": "US",
        "cf-ray": "796f1765fb67e20e",
        "cf-visitor": "{\"scheme\":\"https\"}",
        "connection": "Keep-Alive",
        "cookie": "REDACTED",
        "host": "dogfood.social",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15",
        "x-forwarded-for": "2606:54c0:7681:27f0::e:100",
        "x-forwarded-proto": "https",
        "x-real-ip": "2606:54c0:7681:27f0::e:100"
      },
      "cf": {
        "longitude": "-88.90740",
        "httpProtocol": "HTTP/2",
        "tlsCipher": "AEAD-AES128-GCM-SHA256",
        "continent": "NA",
        "asn": 13335,
        "clientAcceptEncoding": "gzip",
        "country": "US",
        "tlsClientAuth": {
          "certIssuerDNLegacy": "",
          "certIssuerSKI": "",
          "certSubjectDNRFC2253": "",
          "certSubjectDNLegacy": "",
          "certFingerprintSHA256": "",
          "certNotBefore": "",
          "certSKI": "",
          "certSerial": "",
          "certIssuerDN": "",
          "certVerified": "NONE",
          "certNotAfter": "",
          "certSubjectDN": "",
          "certPresented": "0",
          "certRevoked": "0",
          "certIssuerSerial": "",
          "certIssuerDNRFC2253": "",
          "certFingerprintSHA1": ""
        },
        "tlsVersion": "TLSv1.3",
        "city": "Humboldt",
        "timezone": "America/Chicago",
        "requestPriority": "weight=255;exclusive=0;group=0;group-weight=0",
        "edgeRequestKeepAliveStatus": 1,
        "postalCode": "38343",
        "colo": "ORD",
        "latitude": "35.83860",
        "region": "Tennessee",
        "regionCode": "TN",
        "asOrganization": "iCloud Private Relay",
        "metroCode": "640",
        "pagesHostName": "wildebeest-koehn.pages.dev"
      }
    },
    "response": {
      "status": 200
    }
  },
  "id": 3
}

The URI https://dogfood.social/ap/users/brad resolves to something that looks like an ActivityPub Actor.

OK, it looks like an incompatibility with Ivory on iOS. If I delete the actor and re-register with Pinafore I have no issue creating and accessing the new account. I still cannot log in with Ivory, but at least it seems to federate messages and support some clients.

Nope. I cannot log in with Safari either. Chrome seems to work alright.

@koehn have you tried to sync your fork? This has been fixed in ff701bb

Also Ivory isn't compatible with Wildebeest yet.

The fork is up to date. I cannot log in using Safari on iOS or macOS.

On Safari I continue to see the Error: invalid handle: localPart: https://dogfood.social/ap/users/brad in the CF function log.

I can log into that account using Chrome.

{
  "outcome": "ok",
  "scriptName": "pages-worker--844423-production",
  "exceptions": [],
  "logs": [
    {
      "message": [
        "-> GET https://dogfood.social/oauth/authorize?client_id=[redacted]&redirect_uri=https%3A%2F%2Fpinafore.social%2Fsettings%2Finstances%2Fadd&response_type=code&scope=read%20write%20follow%20push "
      ],
      "level": "log",
      "timestamp": 1675974932028
    },
    {
      "message": [
        "<- 200"
      ],
      "level": "log",
      "timestamp": 1675974932140
    },
    {
      "message": [
        "Error: invalid handle: localPart: https://dogfood.social/ap/users/brad"
      ],
      "level": "error",
      "timestamp": 1675974932140
    }
  ],
  "eventTimestamp": 1675974932028,
  "event": {
    "request": {
      "url": "https://dogfood.social/oauth/authorize?client_id=REDACTED&redirect_uri=https%3A%2F%2Fpinafore.social%2Fsettings%2Finstances%2Fadd&response_type=code&scope=read%20write%20follow%20push",
      "method": "GET",
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "accept-encoding": "gzip",
        "accept-language": "en-US,en;q=0.9",
        "cf-access-jwt-assertion": "REDACTED",
        "cf-connecting-ip": "2606:54c0:7680:fb0::e:287",
        "cf-connecting-o2o": "1",
        "cf-ipcountry": "US",
        "cf-ray": "796f645d18e2e1bf",
        "cf-visitor": "{\"scheme\":\"https\"}",
        "connection": "Keep-Alive",
        "cookie": "REDACTED",
        "host": "dogfood.social",
        "priority": "u=0, i",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15",
        "x-forwarded-for": "2606:54c0:7680:fb0::e:287",
        "x-forwarded-proto": "https",
        "x-real-ip": "2606:54c0:7680:fb0::e:287"
      },
      "cf": {
        "longitude": "-93.26220",
        "httpProtocol": "HTTP/3",
        "tlsCipher": "AEAD-AES128-GCM-SHA256",
        "continent": "NA",
        "asn": 13335,
        "clientAcceptEncoding": "gzip",
        "country": "US",
        "tlsClientAuth": {
          "certIssuerDNLegacy": "",
          "certIssuerSKI": "",
          "certSubjectDNRFC2253": "",
          "certSubjectDNLegacy": "",
          "certFingerprintSHA256": "",
          "certNotBefore": "",
          "certSKI": "",
          "certSerial": "",
          "certIssuerDN": "",
          "certVerified": "NONE",
          "certNotAfter": "",
          "certSubjectDN": "",
          "certPresented": "0",
          "certRevoked": "0",
          "certIssuerSerial": "",
          "certIssuerDNRFC2253": "",
          "certFingerprintSHA1": ""
        },
        "tlsVersion": "TLSv1.3",
        "city": "Minneapolis",
        "timezone": "America/Chicago",
        "requestPriority": "",
        "edgeRequestKeepAliveStatus": 1,
        "postalCode": "55478",
        "colo": "ORD",
        "latitude": "44.98340",
        "region": "Minnesota",
        "regionCode": "MN",
        "asOrganization": "iCloud Private Relay",
        "metroCode": "613",
        "pagesHostName": "wildebeest-koehn.pages.dev"
      }
    },
    "response": {
      "status": 200
    }
  },
  "id": 3
}

I see your deploy build has failed: https://github.com/koehn/wildebeest/actions/runs/4136976733/jobs/7151555674.
Could you please agree to the pricing and rerun the build?

I did accept pricing and had a successful deploy before these errors occurred.

I’m getting the same errors when trying to log in via Firefox and Edge, strangely enough.

Maybe nothing, or maybe something unrelated, but I noticed that line 8 of this log entry ends with an un-escaped space:

{
  "outcome": "ok",
  "scriptName": "pages-worker--844423-production",
  "exceptions": [],
  "logs": [
    {
      "message": [
        "-> GET https://dogfood.social/oauth/authorize?client_id=[redacted]&redirect_uri=https%3A%2F%2Fpinafore.social%2Fsettings%2Finstances%2Fadd&response_type=code&scope=read%20write%20follow%20push "
      ],
      "level": "log",
      "timestamp": 1675974932028
    },
    {
      "message": [
        "<- 200"
      ],
      "level": "log",
      "timestamp": 1675974932140
    },
    {
      "message": [
        "Error: invalid handle: localPart: https://dogfood.social/ap/users/brad"
      ],
      "level": "error",
      "timestamp": 1675974932140
    }
  ],
  "eventTimestamp": 1675974932028,
  "event": {
    "request": {
      "url": "https://dogfood.social/oauth/authorize?client_id=REDACTED&redirect_uri=https%3A%2F%2Fpinafore.social%2Fsettings%2Finstances%2Fadd&response_type=code&scope=read%20write%20follow%20push",
      "method": "GET",
      "headers": {
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "accept-encoding": "gzip",
        "accept-language": "en-US,en;q=0.9",
        "cf-access-jwt-assertion": "REDACTED",
        "cf-connecting-ip": "2606:54c0:7680:fb0::e:287",
        "cf-connecting-o2o": "1",
        "cf-ipcountry": "US",
        "cf-ray": "796f645d18e2e1bf",
        "cf-visitor": "{\"scheme\":\"https\"}",
        "connection": "Keep-Alive",
        "cookie": "REDACTED",
        "host": "dogfood.social",
        "priority": "u=0, i",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15",
        "x-forwarded-for": "2606:54c0:7680:fb0::e:287",
        "x-forwarded-proto": "https",
        "x-real-ip": "2606:54c0:7680:fb0::e:287"
      },
      "cf": {
        "longitude": "-93.26220",
        "httpProtocol": "HTTP/3",
        "tlsCipher": "AEAD-AES128-GCM-SHA256",
        "continent": "NA",
        "asn": 13335,
        "clientAcceptEncoding": "gzip",
        "country": "US",
        "tlsClientAuth": {
          "certIssuerDNLegacy": "",
          "certIssuerSKI": "",
          "certSubjectDNRFC2253": "",
          "certSubjectDNLegacy": "",
          "certFingerprintSHA256": "",
          "certNotBefore": "",
          "certSKI": "",
          "certSerial": "",
          "certIssuerDN": "",
          "certVerified": "NONE",
          "certNotAfter": "",
          "certSubjectDN": "",
          "certPresented": "0",
          "certRevoked": "0",
          "certIssuerSerial": "",
          "certIssuerDNRFC2253": "",
          "certFingerprintSHA1": ""
        },
        "tlsVersion": "TLSv1.3",
        "city": "Minneapolis",
        "timezone": "America/Chicago",
        "requestPriority": "",
        "edgeRequestKeepAliveStatus": 1,
        "postalCode": "55478",
        "colo": "ORD",
        "latitude": "44.98340",
        "region": "Minnesota",
        "regionCode": "MN",
        "asOrganization": "iCloud Private Relay",
        "metroCode": "613",
        "pagesHostName": "wildebeest-koehn.pages.dev"
      }
    },
    "response": {
      "status": 200
    }
  },
  "id": 3
}

Anywho, I'm here because I, too, cannot log in using any available client. @xtuc, can you clarify whether any CF Access authentication provider is compatible? Specifically, is pin-based authentication compatible?

OK, so parseHandle is being called with a URI instead of a @brad@dogfood.social, and it’s unhappy. Let’s change the parseHandle to accept URIs as well as handles. BRB.
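For readers who want to see what "accept URIs as well as handles" looks like in practice, here is an added example written for this thread; it is not Wildebeest's own parseHandle and not the patch mentioned above. It takes the /ap/users/<name> path layout from the actor URI in the log, and the character rules for local parts and domains are assumptions. It accepts the three handle spellings (@user@domain, user@domain, bare user) and https actor URIs, and rejects anything else with the same "invalid handle" style of error, so a caller never silently turns a full URI into a local part.

```typescript
// Added example, not Wildebeest's code: one parser for Mastodon-style handles
// and ActivityPub actor URIs, rejecting everything that fits neither form.

export interface Handle {
  localPart: string
  // null when the input carried no domain (a bare local name)
  domain: string | null
}

// Assumed rules: Mastodon-like local parts, public DNS names with at least one dot.
const LOCAL_PART_RE = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$/
const DOMAIN_RE =
  /^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$/
// Assumed actor path layout, taken from the URI in the log (/ap/users/<name>).
const ACTOR_PATH_RE = /^\/ap\/users\/([^/]+)\/?$/

export function parseHandle(input: string): Handle {
  let query: string
  try {
    // Handles may arrive percent-encoded; a bad escape is itself an error.
    query = decodeURIComponent(input.trim())
  } catch {
    throw new Error(`invalid handle: malformed encoding: ${input}`)
  }

  // Anything that looks like a URL goes down the actor-URI path.
  if (/^https?:\/\//i.test(query)) {
    return parseActorUri(query)
  }

  const stripped = query.startsWith('@') ? query.slice(1) : query
  const parts = stripped.split('@')
  if (parts.length > 2) {
    throw new Error(`invalid handle: too many '@': ${query}`)
  }
  const localPart = parts[0]
  const domain = parts.length === 2 ? parts[1] : null
  if (!LOCAL_PART_RE.test(localPart)) {
    throw new Error(`invalid handle: localPart: ${localPart}`)
  }
  if (domain !== null && !DOMAIN_RE.test(domain)) {
    throw new Error(`invalid handle: domain: ${domain}`)
  }
  return { localPart, domain: domain === null ? null : domain.toLowerCase() }
}

function parseActorUri(uri: string): Handle {
  let url: URL
  try {
    url = new URL(uri)
  } catch {
    throw new Error(`invalid handle: malformed URI: ${uri}`)
  }
  // Actor identities are only trusted over https; plain http is rejected,
  // not upgraded.
  if (url.protocol !== 'https:') {
    throw new Error(`invalid handle: actor URI must use https: ${uri}`)
  }
  // new URL() already normalises "." and ".." segments, so a path that does
  // not match the expected layout after normalisation is rejected outright.
  const m = ACTOR_PATH_RE.exec(url.pathname)
  if (m === null) {
    throw new Error(`invalid handle: not an actor URI: ${uri}`)
  }
  // The captured segment is still percent-encoded; any '%' fails the regex,
  // so encoded names are refused rather than decoded and trusted.
  const localPart = m[1]
  if (!LOCAL_PART_RE.test(localPart)) {
    throw new Error(`invalid handle: localPart: ${localPart}`)
  }
  return { localPart, domain: url.hostname.toLowerCase() }
}

// Convenience for callers that want null instead of an exception.
export function tryParseHandle(input: string): Handle | null {
  try {
    return parseHandle(input)
  } catch {
    return null
  }
}
```

With this, parseHandle('https://dogfood.social/ap/users/brad') and parseHandle('@brad@dogfood.social') return the same { localPart: 'brad', domain: 'dogfood.social' }, while an http URI, a URI outside the actor path (including one that tries to climb out with ".."), or a handle with an extra '@' is refused.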

@xtuc See if you like this patch.

I'm a bit confused. I personally ran into this issue and the revert fixed it for me. I have to investigate tomorrow, sorry for the inconvenience.

Have you tried to merge the patch on your fork (on main in order to trigger the deploy) to see if it fixes it?

@DataDrivenMD all auth providers should be supported, as long as they expose an email.

The issue resolved literally as the notification for this reply landed in my inbox. I honestly don't know exactly what I did to clear the issue, but I can share that I was trying different permutations of CF Access Policies to see if that was the issue. I was also tweaking the CORS settings via Cloudflare Access- just a few minutes earlier I added the web client domain to the allowed origins fields. If I'm able to figure out what happened, I'll definitely circle back to expand on my findings.

It does fix the issue on my fork. FWIW, I initially created the account with pinafore.social.

Can confirm that login is now working.

Would you mind trying to revert the patch, let it deploy and try login again? As I said, for me the revert fixed the issue and I'm wondering if it started working for you because of a successful deploy.

I reverted the change, re-deployed, and am still able to log in. Now I have no idea what’s going on, but for now I’ll close my PR. 🤷

I'm pretty sure I have everything set up right, but when I go to log in at /oauth/authorize with my Access-allowed email address and enter my PIN, all I get is Server error 400, nothing at all in the real-time log console for wildebeest-consumer-username, and metrics that indicate nothing but script-thrown exceptions. On refresh, I get a 404 missing page. Definitely logged into Access, but it doesn't seem to have created an account successfully. This is with Safari and Chrome on macOS.
[Screenshot attached: Screen Shot 2023-02-18 at 6 48 51 PM]