Forced sign out

Open Coder206 opened this issue 7 years ago • 7 comments

@jankeromnes I was trying to access one of my accounts today (about 5 minutes ago was my latest attempt - it took me all day to find the time to open the Spam folder... :( ). I went to the website and signed in: I provided my email and found the link. When I followed it, the website looked fine, then when I came to click any of the tabs (e.g. Settings, Projects or Contributions) my account would log out and look the way it did before providing my email. I also tried the Sign out button; this one was working as expected, bringing me back to the main page. Not sure what to make of this...

Coder206 avatar Mar 20 '17 22:03 Coder206

Has anyone else experienced this?

Coder206 avatar Mar 20 '17 22:03 Coder206

Well, that's unfortunate. Thanks for reporting this issue!

The way authentication works on https://janitor.technology is that every session is assigned a unique token (stored inside a cookie). When you sign in, you prove to the server that the token in your cookie belongs to your Janitor account (by means of a secret key sent by email, which works only once), and so the web app starts showing information about your account (e.g. you see the "Contributions" section appear in the top bar).

When you navigate to another page, or come back to the website later, if your cookie is still the same, in theory the website should recognize you.

  1. Sign in links are supposed to work only once. Could you please make sure that following a link actually signs you in? What happens if you refresh the page?

  2. Once you're successfully authenticated, does your cookie token stay the same for every page you visit? Note: You can inspect your cookies on any website by opening the DevTools with the F12 key, and going to the "Storage" panel in Firefox (you may need to enable that panel in the settings) or to the "Application" panel in Chrome.

  3. There might be a bug in our email-login module which we use to authenticate tokens. Around the same time you saw these issues, I found these error messages in the server logs:

[2017-03-20T21:59:58.604Z] <your email> verified
[2017-03-20T22:01:27.218Z] <your email> verified
[2017-03-20T22:02:21.640Z] <your email> verified
[2017-03-20T22:02:39.728Z] email not verified { Error: ENOENT: no such file or directory, open 'tokens/session/SGcxbVdY<...>zZndz0'
    at Error (native)
  errno: -2,
  code: 'ENOENT',
  syscall: 'open',
  path: 'tokens/session/SGcxbVdY<...>zZndz0' }
[2017-03-20T22:03:25.692Z] <your email> verified
[2017-03-20T22:03:37.665Z] <your email> verified
[2017-03-20T22:03:45.999Z] <your email> verified
[2017-03-20T22:06:08.796Z] email not verified Error: Unverified email: undefined
    at login.confirmEmail (/home/janx/janitor/lib/sessions.js:99:16)
    at /home/janx/janitor/node_modules/email-login/src/api.js:166:18
    at /home/janx/janitor/node_modules/email-login/src/registry.js:192:18
    at /home/janx/janitor/node_modules/email-login/src/registry.js:34:33
    at tryCallOne (/home/janx/janitor/node_modules/fsos/node_modules/promise/lib/core.js:37:12)
    at /home/janx/janitor/node_modules/fsos/node_modules/promise/lib/core.js:103:15
    at flush (/home/janx/janitor/node_modules/asap/raw.js:50:29)
    at _combinedTickCallback (internal/process/next_tick.js:67:7)
    at process._tickCallback (internal/process/next_tick.js:98:9)

jankeromnes avatar Mar 20 '17 23:03 jankeromnes

Note: the <your email> verified lines indicate that you followed a sign-in link which successfully signed you in.

@espadrine Please have a look at the above error log. Does this look like an email-login bug? Is it expected that sometimes a file is expected to be in tokens/session/ but does in fact not exist?

Additionally, the Unverified email: undefined line looks fishy: https://github.com/JanitorTechnology/janitor/blob/master/lib/sessions.js#L99 is it expected that sometimes a sign-in link is confirmed with no errors, but the returned session has session.email === undefined?

jankeromnes avatar Mar 20 '17 23:03 jankeromnes

@jankeromnes I tried it again with one of my accounts and it worked... Not sure I can reproduce the error once more. However, the page appeared like this when I logged in at the time mentioned above:

screenshot from 2017-03-20 19-54-21

Then looked like this (after clicking one of the links at the top right):

screenshot from 2017-03-20 19-53-16

Coder206 avatar Mar 20 '17 23:03 Coder206

Thanks a lot for taking these screenshots. I'm glad that you're now able to use the Janitor normally.

The two email verification problems visible in the server logs above seem to be two separate issues, which have occasionally occurred in the past. Investigating these further will be hard, but it should be done because occasional sign-in problems are annoying.

jankeromnes avatar Mar 21 '17 00:03 jankeromnes

The email verification token has a short expiry timespan, so it was likely no longer valid.

I think you should display a page for failed login attempts here: https://github.com/JanitorTechnology/janitor/blob/master/app.js#L65 as user can be null (see https://github.com/JanitorTechnology/janitor/blob/master/lib/users.js#L39).

(The equivalent in the main example: https://github.com/espadrine/email-login-example/blob/master/app.js#L46)

espadrine avatar Mar 21 '17 08:03 espadrine

This bug also prevented @ZeHiro from signing in with the link from his invitation email. Sorry!

jankeromnes avatar May 22 '17 07:05 jankeromnes