
Potential Method Bug: State Token potentially lost when a new OAuth window opens on iOS mobile browsers

Open michaelangeloio opened this issue 4 years ago • 11 comments

Hi FoF! Hope everyone's doing well!

While testing FoF Oauth on mobile, specifically iOS 14, I believe there is an error. Here's a link to a video demonstrating what happens.

I'm thinking it may be an exception that's raised when Flarum tries to compare tokens because the token is lost during a new window launch. Could be wrong though!

  • Link to the video: https://drive.google.com/file/d/1ZkcvVQOo-GHp7gTmKWl-w9FuitoJP77A/view?usp=drivesdk

  • Link to the error: https://sheetscience.io/auth/facebook?code=AQA-VaNxskihcMcN17wERwTwtZBAqe4dtpAgJsbC3bhjN7bKSUEUaLDz3GRLeE1vxPEhPrTO-jYx0qbRnWdMrmAkQeTDhy9AcqGBbmYaAmdmFUZYSN_YBPRNKyAZ1tAQOtLT-mKqmWRNw-wdidL0EcUAg2XA6GVMHPHrar2FdoRJ2DKgMecec2VTpj7ujfMUNVumZVSR7zwOGpYsBAW4pC9SthjYNFLjXBT1v46FtFvXhAPjWgsTTiHL2g2PfdKjIjHMLTiRtdXcdT6t8_DOf3ui_zeG6sQjUU77SiqFvkGDcMTj5ZYGMmLeFKmLZSnSiQNtJl2M7ADC6dvGFZI-ErM8&state=ababe7806dacefd6f7d9a06280beee76#=

Whoops! There was an error..zip

Thank you :)

Michael Angelo Rivera

michaelangeloio avatar Dec 16 '20 21:12 michaelangeloio

You may have to copy and paste those URLs to your browser!

michaelangeloio avatar Dec 16 '20 21:12 michaelangeloio

I'm unable to view the video. Can you enable public access?

It's probably not a good idea to share a Facebook access token here. Though it will probably have expired by the time anyone can test anything.

This kind of error can happen if your URL in config.php is invalid and that a redirect is followed at some point.

It would be very odd if it doesn't happen on all browsers but only mobile.

clarkwinkelmann avatar Dec 16 '20 21:12 clarkwinkelmann

@clarkwinkelmann should be expired soon (I think, lol). I've edited the URL of the video, can you test if it works?

Also, the login works (for other users as well) for all devices except mobile (iOS specifically). You can also test the same error if you have iPhone at https://sheetscience.io

michaelangeloio avatar Dec 16 '20 22:12 michaelangeloio

Unfortunately I don't have any iOS device, and I don't see any obvious issue just by looking at the video.

Let's wait for another FoF member to chime in. Not sure if anyone's got Apple products to test.

clarkwinkelmann avatar Dec 16 '20 22:12 clarkwinkelmann

@michaelangrivera I have an iPhone 12 Pro on iOS 14.2.1. To assist me in testing this and confirming, please can you:

  • confirm what iPhone model you are using
  • confirm what iOS version you're on
  • confirm if this same error is present on Google Chrome (or another browser) on your mobile
  • provide an invite code (preferably 2) so that I can test both normal and OAuth login

Kind regards Phil

katosdev avatar Dec 17 '20 08:12 katosdev

@katosdev hi! My phone is iPhone 11 running on 14.2.1, the other user I had test it was on an iPhone 12 Pro using 14.2.1 when testing. I can have others with other models test as well.

The same error is persistent across three browsers on the iPhone: Safari, Chrome, Firefox. I've tested all 3.

X3I8I6T3 is one I have generated for you. BOBB0D1O is another I have generated. Would you like one that "activates user" as well?

Thank you,

Michael Angelo Rivera

michaelangeloio avatar Dec 17 '20 18:12 michaelangeloio

Issue confirmed on your own site:

https://sheetscience.io/auth/google?state=0dcdf9aee655ade6fa75dab94d4079e0&code=4/0AY0e-g6mDeMEmtoRE44MaQwc3i9v34B_GKL0YhHij0Cu1kFaRqcBWLtbwAfJxLgVd9nIEw&scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile&authuser=1&hd=creatorswave.com&prompt=consent

This looks like an invalid callback URL is at fault to be honest (I tried using Google by the way).

Please can you confirm what your callback URL is set to?

katosdev avatar Dec 17 '20 21:12 katosdev

Issue not present when PWA extension is disabled, suspect that the CSRF token is not being passed through properly for the OAuth.

Further testing is required on my local host but I may have a potential fix. This appears to be a common OAuth issue, looking at other providers.

katosdev avatar Dec 17 '20 22:12 katosdev
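The failure mode suspected above (the OAuth `state` anti-CSRF token is generated in one browser context but the callback lands in another, so the check fails) can be reproduced with a small standalone simulation. This is an added illustration, not code from fof/oauth or Flarum (which are PHP); the dicts standing in for per-context session cookie jars and the `oauth2state` key name are assumptions for the demo.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for per-browser-context session storage. Each dict is one
# cookie jar: a PWA context and a freshly opened iOS browser window may not share
# one, which is the situation described in this thread. Key name is assumed.
SESSION_KEY = "oauth2state"


def begin_authorization(session: dict) -> str:
    """Step 1: generate a random state, bind it to the caller's session, return it."""
    state = secrets.token_hex(16)  # 32 hex chars, same shape as the state= in the URLs above
    session[SESSION_KEY] = state
    return state


def handle_callback(session: dict, returned_state: Optional[str]) -> Tuple[bool, str]:
    """Step 2: validate the state the provider echoed back against the stored one."""
    expected = session.pop(SESSION_KEY, None)  # single use: consumed on first check
    if returned_state is None:
        return False, "missing state parameter in callback"
    if expected is None:
        # Nothing stored here: the callback arrived in a session that never started
        # the flow (different cookie jar / new window), or the state was already used.
        return False, "no state stored in this session"
    if not hmac.compare_digest(expected, returned_state):
        return False, "state mismatch (possible CSRF)"
    return True, "ok"


def desktop_flow() -> Tuple[bool, str]:
    """Same session starts the flow and receives the callback: succeeds."""
    session: dict = {}
    state = begin_authorization(session)
    return handle_callback(session, state)


def ios_new_window_flow() -> Tuple[bool, str]:
    """Flow started in one context, callback lands in another: the check fails."""
    pwa_session: dict = {}
    state = begin_authorization(pwa_session)
    browser_window_session: dict = {}  # new window with no shared session cookie
    return handle_callback(browser_window_session, state)


if __name__ == "__main__":
    print("desktop:", desktop_flow())
    print("iOS new window:", ios_new_window_flow())
```

Distinguishing "no state stored in this session" from "state mismatch" in server logs is what separates this cookie-scoping problem from a genuine CSRF attempt.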

@katosdev Awesome! Just let me know if you need any more assistance from my end!

michaelangeloio avatar Dec 18 '20 17:12 michaelangeloio

@katosdev Any ideas or workarounds that you're thinking of?

michaelangeloio avatar Jan 21 '21 01:01 michaelangeloio

@michaelangeloio Is the issue you were describing still happening on the latest version of fof/oauth?

DavideIadeluca avatar Jun 15 '24 11:06 DavideIadeluca