
Can't connect blog with "Someone may be trying to trick you" error

Open mhawksey opened this issue 8 years ago • 7 comments

Hi,

We have a WP multisite network (v 4.7.4) with Jetpack (v 4.8.2) which we are trying to connect with the Google Docs Add-on. The authentication flow seems ok and editors/admin can:

  1. Click Add Wordpress Site
  2. Select the correct site from list on https://public-api.wordpress.com/oauth2/
  3. Click Approve

This takes users to the login page e.g. https://altc.alt.ac.uk/blog/wp-login.php with query string parameters e.g. action=jetpack_json_api_authorization&redirect_to=... but the following error is displayed:

Someone may be trying to trick you into giving them access to your site. Or it could be you just encountered a bug :). Either way, please close this window.

We do use a SAML login but even when this is disabled we get the same error message. Happy to dig further if you let me know what to look for.

mhawksey avatar Apr 24 '17 09:04 mhawksey

That error message is displayed when the token or the signature don't match what Jetpack expects. It sounds like you are getting everything, but can you confirm that you are getting the token and signature parameters?

The next thing to try is to disable all plugins except for Jetpack. We've seen issues where plugins change the query string data and that causes our security checks to fail.

If that works, re-enabling them one at a time and trying again will help identify the culprit. If you can let us know which plugin is causing the problem, we can reach out to the author to help fix it. (I'm also curious if the SAML plugin is compatible)

Otherwise, what we have seen is hosting providers that are not sending the full query string to PHP or messing with the data. If the above steps don't work, let me know and we can come up with some more things to try.

georgeh avatar Apr 24 '17 15:04 georgeh

So looks like a double encoding of the query parameters. Not sure what is causing this as tried on a vanilla install. It's not possible for us to turn off all plugins as we have a couple of 'must use' so it may be one of those (SAML was not on), but looking at the network log a double encoded redirect location is returned from https://public-api.wordpress.com/oauth2/login/

content-type: text/html; charset=utf-8
date: Tue, 25 Apr 2017 09:54:39 GMT
location: http://altc.alt.ac.uk/dev-only/wp-login.php?action=jetpack_json_api_authorization&redirect_to=https%3A%2F%2Fpublic-api.wordpress.com%2Foauth2%2Flogin%2F%3Fclient_id%3D51465%26response_type%3Dcode%26redirect_uri%3Dhttps%253A%252F%252Fscript.google.com%252Fmacros%252Fd%252F1kMGqNfXH0qhQq7YMbXhwDHAh8iLAkG2u74Fc18T2kEouX3VO9D8wTPa3%252Fusercallback%26state%3D...%26action%3Doauth2-login%26redirect_to%3Dhttps%253A%252F%252Fpublic-api.wordpress.com%252Foauth2%252Fauthorize%252F%253Fclient_id%253D51465%2526response_type%253Dcode%2526redirect_uri%253Dhttps%25253A%25252F%25252Fscript.google.com%25252Fmacros%25252Fd%25252F1kMGqNfXH0qhQq7YMbXhwDHAh8iLAkG2u74Fc18T2kEouX3VO9D8wTPa3%25252Fusercallback%2526state%253D...%26_wpnonce%3D44e74ed1b7&data=...

I did encounter another issue if I manually decoded the url about Jetpack JSON API not being enabled.

[screenshot: capture]

I've searched the Jetpack settings but can't find this.

[screenshot: capture2]

mhawksey avatar Apr 25 '17 10:04 mhawksey

ok so I was able to fix the fact that JSON API was disabled from https://github.com/Automattic/jetpack/issues/6788#issuecomment-289659501 (perhaps worth including a link to wp-admin/admin.php?page=jetpack_modules in the webapp error page).

Still no further on the double parameter encoding.

mhawksey avatar Apr 25 '17 11:04 mhawksey

If I manually decode the double encoded url to wp-login.php and paste it in the browser the add-on successfully authenticates. However if SAML is enabled it fails (the plugin we are using) - I can get around this by disabling SAML, pasting the decoded url and re-enabling SAML.

mhawksey avatar Apr 25 '17 11:04 mhawksey

... ah found the:

If your site uses HTTPS, your hosting company may be double-encoding some of the values being passed. To test this, go to http://your-site/?%40 (change your-site to the URL of your WordPress.org site). If your browser changes the URL to https://your-site/?%2540 (note that ?%40 changed to ?%2540) you need to contact your hosting company.

on https://apps.wordpress.com/google-docs/support/

[the way I got around this was paste the url into http://meyerweb.com/eric/tools/dencoder/ hit decode and paste result in the url - too complicated to include on the support page?]

mhawksey avatar Apr 25 '17 11:04 mhawksey

The solution by @mhawksey worked for me! Had to do it on a desktop browser, because access to the webbrowser dev console is required to get the authentication request.

  • check if double-encoding is an issue: http://your-site/?%40 => https://your-site/?%2540
  • change into the browser, open developer console (CMD+ALT+i in Safari)
  • do the OAuth authentication procedure again in this window (where Jetpack aka your Wordpress-Blog is asking for allowing permission)
  • the error message should show up now
  • check the developer console tab "Network" & copy the request to wp-login.php having a very long chain of characters
  • paste it on http://meyerweb.com/eric/tools/dencoder/ and decode it
  • copy-paste the decoded string & paste it in the browser window, load it
  • done

oliveratgithub avatar Sep 01 '17 20:09 oliveratgithub
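A scripted version of the two manual steps in the thread (the support page's "?%40" probe and the one-layer decode of the wp-login.php request), added here as an illustration; it is not code from Jetpack, the add-on or any commenter, and the function names, the example.test host, client_id 12345 and the nonce are constructed assumptions:

```python
"""Offline checks for the double-encoding problem discussed in this thread.
Added illustration, not Jetpack's or the add-on's code; the function names
and the sample URLs (example.test, client_id 12345, nonce deadbeef) are
constructed assumptions."""
import http.client
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

PROBE_QUERY = "%40"        # the "?%40" probe from the Jetpack support page
DOUBLE_ENCODED = "%2540"   # what a double-encoding host turns "%40" into

# Constructed sample: a correctly (singly) encoded authorization redirect.
GOOD_URL = ("https://example.test/wp-login.php?action=jetpack_json_api_authorization"
            "&redirect_to=https%3A%2F%2Fpublic-api.wordpress.com%2Foauth2%2Flogin%2F"
            "%3Fclient_id%3D12345%26response_type%3Dcode&_wpnonce=deadbeef")
# Constructed sample: the same URL after a host re-encoded every '%' as '%25'.
BAD_URL = GOOD_URL.replace("%", "%25")

def probe_location_is_double_encoded(location_header: str) -> bool:
    """True when the redirect for 'http://site/?%40' came back as '?%2540',
    i.e. the host percent-encoded the '%' that was already an escape."""
    return urlsplit(location_header).query == DOUBLE_ENCODED

def query_is_double_encoded(url: str) -> bool:
    """Heuristic for a wp-login.php authorization URL: after ONE decode the
    'redirect_to' value should be a literal URL; if it still begins with an
    encoded scheme ('https%3A%2F%2F') an extra encoding layer was added."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    redirect_to = params.get("redirect_to", [""])[0]   # parse_qs decodes once
    return redirect_to.lower().startswith(("http%3a%2f%2f", "https%3a%2f%2f"))

def decode_once(url: str) -> str:
    """Remove exactly one encoding layer (what the dencoder step does).
    unquote() is single-pass, so '%253A' becomes '%3A', not ':' - the nested
    redirect_uri inside redirect_to keeps the encoding it is supposed to have."""
    return unquote(url)

def probe_site(host: str, path: str = "/") -> Optional[str]:
    """Live version of the support-page test: GET http://host/path?%40 without
    following the redirect and return the raw Location header (None if no
    redirect). Needs network; the offline checks above do not."""
    conn = http.client.HTTPConnection(host, timeout=10)
    conn.request("GET", f"{path}?{PROBE_QUERY}")
    return conn.getresponse().getheader("Location")

if __name__ == "__main__":
    print("double-encoded:", query_is_double_encoded(BAD_URL))      # True
    print("fixed == original:", decode_once(BAD_URL) == GOOD_URL)   # True
```

Run `probe_site("your-site")` and pass the returned header to `probe_location_is_double_encoded` to reproduce the support page's test without a browser.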

I am on Dreamhost and have my site on HTTPS-only, with a redirect from HTTP. Ran into the same problem with double-encoding, verified with the http://your-site/?%40 test. @mhawksey fix worked: just copy/paste your entire URL into http://meyerweb.com/eric/tools/dencoder/, hit the Decode button, then copy/paste that decoded URL back into your browser.

arencambre avatar Nov 10 '17 23:11 arencambre