
bug: misleading messaging when logto does not understand which app is requesting sign-in

Open slavaGanzin opened this issue 1 year ago • 9 comments

Describe the bug

I had a strange issue: sometimes my login worked and sometimes it showed something strange:

dev:app logs  LogtoClientError: Sign-in session not found.
dev:app logs   code: "sign_in_session.not_found"
dev:app logs  
dev:app logs        at new LogtoClientError (/app/node_modules/@logto/client/lib/errors.js:13:9)
dev:app logs        at /app/node_modules/@logto/client/lib/client.js:373:19
dev:app logs  process.on unhandledRejection
dev:app logs  
dev:app logs   8 |     user_cancelled: 'The user cancelled the action.',
dev:app logs   9 |     missing_scope_organizations: `The \`${UserScope.Organizations}\` scope is required`,
dev:app logs  10 | });

Scopes were not an issue. And strangely it worked in Chrome, but didn't in Safari. Magic. I've tried to debug the logto code, but there were no correlations; it worked 99% of the time, until it didn't. I thought maybe the problem was with my session solution, or because I have multiple instances of an app, maybe some conflicts with sessions? Phases of the moon? Who knows?

But finally, after reading this: https://blog.logto.io/troubleshoot-logto-sign-in-404-not-found-error, I found out that it didn't work with localhost, while working completely fine with 127.0.0.1. I used localhost in Safari and 127 in Chrome, so that is the root of the magic behavior.

Expected behavior

Show a descriptive error in SDK messaging: "I don't understand which app do you want to login, dummy." and a link to some docs would be enough. Saying that the endpoint you came from wasn't registered in any of your apps and giving a list of registered endpoints would be ideal.

How to reproduce?

I wish I knew. I've tried to add localhost to all places in my configuration and logto app configuration trying to fix it, but localhost still does not work for me.

Context

  • [x] Logto Cloud
  • [x] "@logto/express": "^2.3.11",

slavaGanzin avatar Nov 24 '24 12:11 slavaGanzin

Hi @slavaGanzin, can you provide us a detailed user flow to reproduce this error? It seems like you have a mismatched callback URL configured.

simeng-li avatar Nov 25 '24 04:11 simeng-li

@simeng-li Yes, I do have a mismatched callback URL. This issue is not about my problem; it's about misleading Logto errors. It should say "You have a mismatched URL" and not give me some ill advice about unrelated features. How I got there is not important; what's important is that the Logto team should rework error messaging. This effort goes beyond this specific case

slavaGanzin avatar Nov 25 '24 10:11 slavaGanzin

Sounds reasonable to me. @wangsijie can you take a look?

simeng-li avatar Dec 02 '24 06:12 simeng-li

{"code":"oidc.invalid_redirect_uri","message":"redirect_uri did not match any of the client's registered redirect_uris.","error":"invalid_redirect_uri","error_description":"redirect_uri did not match any of the client's registered redirect_uris","state":"XXXX","iss":"https://XXXX.logto.app/oidc"}

So you are doing this, but the client barks up the wrong tree.

I would prefer if it showed the URL I wanted to redirect to and what the available options are. Because, as I found out today, my problem was that somehow I got redirected to http and not https, so that was why there was no "match".

slavaGanzin avatar Dec 08 '24 16:12 slavaGanzin

The SDK can only detect that "no sign-in flow was initiated," resulting in the error message: "Sign-in session not found." It cannot determine the underlying cause of this issue, so I don't believe we should change the error message. However, we can certainly add a debug link to the documentation website for further guidance.

wangsijie avatar Dec 23 '24 03:12 wangsijie

@wangsijie I showed the error from the original request, which has a proper error. But it is wrapped in a try/catch in your code, so it hides the descriptive error and outputs a misleading one.

p.s. And one more little ask: please stop showing errors in languages detected based on IP. If I'm using servers hosted in Finland, it doesn't make me Finnish.

slavaGanzin avatar Dec 23 '24 09:12 slavaGanzin

So there are two things to do:

  1. In SDK, show original error message from the server.
  2. In Server, detect languages only based on request IP address.

wangsijie avatar Dec 24 '24 01:12 wangsijie

  1. My question is why I get error messages in different languages?

slavaGanzin avatar Dec 24 '24 23:12 slavaGanzin

the same. logto works in docker, can not visit another docker container?

ukhack avatar Jan 02 '25 07:01 ukhack

Hi @slavaGanzin, regarding the "misleading messaging": The SDK does handle the redirect URI mismatch error and will throw an error with the code callback_uri_verification.redirect_uri_mismatched. In your case, you only see "session not found." A possible reason is that you are redirected to a new URL that has no active session data. The Express SDK, by default, uses cookie-based sessions, and cookies are saved to a specific origin. So, if the initial URL is not the same as the redirected URL, the latter cannot access the sign-in session. And a session is needed to compare the redirect URI.

wangsijie avatar Jun 12 '25 02:06 wangsijie

And regarding the language detection, we have fixed it in https://github.com/logto-io/logto/pull/7028

wangsijie avatar Jun 12 '25 02:06 wangsijie

I am closing this now, feel free to reopen if you have any further questions.

wangsijie avatar Jun 12 '25 02:06 wangsijie