ma1sd

M_UNAUTHORIZED

Open the-moog opened this issue 4 years ago • 18 comments

When a user clicks on their User Profile in Riot, Ma1sd says: It appears the client has requested:

2.244.174.94 - - [13/Jun/2020:14:25:18 +0200] "GET /_matrix/identity/v2/hash_details HTTP/1.1" 401 502 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Riot/1.6.4 Chrome/80.0.3987.134 Electron/8.0.3 Safari/537.36"

ma1sd says:

[XNIO-1 task-6] WARN io.kamax.mxisd.auth.AccountManager - Account not found.
[XNIO-1 task-6] ERROR io.kamax.mxisd.http.undertow.handler.AuthorizationHandler - Account not found from request from: matrix.cambsac.org.uk
[XNIO-1 task-6] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request GET http://matrix.cambsac.org.uk/_matrix/identity/v2/hash_details - Error M_UNAUTHORIZED: Supplied credentials are invalid

But no clue as to why.

Is this an issue? I note that the user profile does not show an email address. This user (myself) has always been in Synapse.

Is this related to my attempt to authenticate some users through django?

Thanks, Jason

the-moog avatar Jun 13 '20 12:06 the-moog

Oh yeah huuge volumes of these in our logs.. nginx-log-identity-v2-hash_details

eMPee584 avatar Jun 16 '20 21:06 eMPee584

Try to enable V2 api in the ma1sd config.

ma1uta avatar Jun 22 '20 21:06 ma1uta

yeah we have.. also tried enabling the hashing part yesterday..

matrix:
    domain: SERVER.TLD
    v1: true   # deprecated
    v2: true   # MSC2140 API v2. Riot require enabled V2 API.
hashing:
    enabled: true
    rotationPolicy: per_requests
    hashStorageType: in_memory
    algorithms:
      - none
      - sha256

Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-25] ERROR io.kamax.mxisd.http.undertow.handler.CheckTermsHandler - Non accepting request from: matrix.SERVER.TLD
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-25] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request GET http://matrix.SERVER.TLD/_matrix/identity/v2/hash_details - Error M_UNAUTHORIZED: Supplied credentials are invalid
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.http.undertow.handler.auth.v2.AccountRegisterHandler - Registration from domain: SERVER.TLD, expired at Thu Jun 25 04:36:44 GMT 2020
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.auth.AccountManager - Registration from the server: SERVER.TLD
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.matrix.HomeserverFederationResolver - No DNS overwrite for SERVER.TLD
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.matrix.HomeserverFederationResolver - Resolution of SERVER.TLD via well-known to https://matrix.SERVER.TLD:8448
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.auth.AccountManager - Domain resolved: SERVER.TLD => https://matrix.SERVER.TLD:8448
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.auth.AccountManager - Allow registration only for trust domain.
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.auth.AccountManager - Allow user @USER:SERVER.TLD to registration
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.auth.AccountManager - UserId: @USER:SERVER.TLD
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-26] INFO io.kamax.mxisd.auth.AccountManager - User @USER:SERVER.TLD registered
Jun 25 06:36:40 matrix matrix-ma1sd[96279]: [XNIO-1 task-27] INFO io.kamax.mxisd.auth.AccountManager - Found account for user: @USER:SERVER.TLD

Aah now I grok the logic

enabling policies shields the given paths from users who have not explicitly confirmed the terms. So commented the policy-block again, clean log now 😅

eMPee584 avatar Jun 25 '20 04:06 eMPee584

Hello, I'm having an identical issue and it's driving me batty. I have an existing account that I'd like to register with ma1sd but it is adamantly refusing to let me do this, with M_UNAUTHORIZED reported in the dev tools for Element. I don't know what's preventing it, but it's super frustrating. I'm using spantaleev/matrix-docker-ansible-deploy to put this together and it's been a hell of a ride, not gonna lie. V2 is enabled (and is now by default) but that doesn't seem to help.

Thoughts? I'm at a loss and I don't even know where to start looking.

ctwelve avatar Aug 09 '20 19:08 ctwelve

@ctwelve What does your policies block say?

eMPee584 avatar Aug 09 '20 20:08 eMPee584

@eMPee584 As far as I can tell I do not have a policies block configured. I have no entries in my Ansible variables, nor is there a policies block in the templates used to build said config.

ctwelve avatar Aug 10 '20 13:08 ctwelve

And this is probably a noob issue on my part, but...where is the documentation for this policies block I probably need?

ctwelve avatar Aug 10 '20 13:08 ctwelve

This is what I am specifically getting in Element Desktop:

[image]

ctwelve avatar Aug 10 '20 14:08 ctwelve

ah, that's the register endpoint.. is registration enabled?

eMPee584 avatar Aug 10 '20 14:08 eMPee584

It is. I've ensured there's a validated email attached to my account, too. It will allow me to verify 3PIDs but it simply won't let me assign matrix.arkmuse.org as the identity server.

ctwelve avatar Aug 10 '20 15:08 ctwelve

Here's an example wherein I can't attach my identity server for discovery, but I can add 3PIDs. [image]

ctwelve avatar Aug 10 '20 15:08 ctwelve

I can use vector.im to publish 3PIDs successfully. So it's like ma1sd is working partially as it's verifying both email and msisdns when I attach them to my account on my homeserver. It simply won't allow me to register for the identity server.

ctwelve avatar Aug 10 '20 15:08 ctwelve

Ah, I have solved the issue! In my case, it was a result of internal vs external DNS. Definitely a non-obvious problem!

ctwelve avatar Aug 13 '20 17:08 ctwelve

Hello Justin / ctwelve,

could you please kindly elaborate what exactly was the problem in your case, how you found it out and what was the solution?

Basically, my setup of Synapse is working perfectly. I only cannot seem to get the 3PIDs working correctly. The problems I am facing are quite similar to those you described.

In the browser console I get the same error (401) when opening the "all settings" in element. At the same time the ma1sd log says:

[XNIO-1 task-13] INFO io.kamax.mxisd.auth.AccountManager - Domain resolved: my-homeserver.com => https://matrix.my-homeserver.com:8448
[XNIO-1 task-14] ERROR io.kamax.mxisd.auth.AccountManager - Wrong response status: 502
[XNIO-1 task-14] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request POST http://matrix.my-homeserver.com/_matrix/identity/v2/account/register - Error M_UNAUTHORIZED: Supplied credentials are invalid

I have already been suspecting DNS, but I do not know how to debug. So I would be thankful to learn what you did.

Thank you!

rootuser avatar Sep 04 '20 07:09 rootuser
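
The three M_UNAUTHORIZED reports in this thread share the same final log line but differ in the line logged just before it. The sketch below is an added example, not code from ma1sd or from any participant; `triage`, the cause tags and the "reading" texts are this example's own names and interpretation of the thread, and the sample hostnames are placeholders.

```python
import re

# Fragments copied from the ma1sd log lines quoted in this thread. The "reading"
# text is this example's interpretation of the thread, not ma1sd documentation.
CAUSES = {
    "Account not found": ("no_account",
        "request token does not map to an account registered with ma1sd"),
    "Non accepting request": ("terms_not_accepted",
        "a policies block is active and the user has not accepted the terms"),
    "Wrong response status": ("homeserver_call_failed",
        "ma1sd's own request to the resolved homeserver address failed"),
}
TASK = re.compile(r"\[(XNIO-\d+ task-\d+)\]")
RESOLVED = re.compile(r"Domain resolved: \S+ => (\S+)")
STATUS = re.compile(r"Wrong response status: (\d+)")
REJECTED = re.compile(r"Request (?:GET|POST) \S+?(/_matrix/identity/\S+) - Error M_UNAUTHORIZED")

def triage(lines):
    """One finding per M_UNAUTHORIZED response, paired with the cause logged
    earlier on the same worker thread (threads interleave in one log)."""
    pending, resolved, findings = {}, None, []
    for line in lines:
        task = m.group(1) if (m := TASK.search(line)) else None
        if (m := RESOLVED.search(line)):
            resolved = m.group(1)  # last resolved address seen, on any thread
        for needle, (tag, reading) in CAUSES.items():
            if needle in line:
                status = STATUS.search(line)
                extra = f"HTTP {status.group(1)}, last resolved {resolved}" if status else None
                pending[task] = (tag, reading, extra)
        if (m := REJECTED.search(line)):
            tag, reading, extra = pending.pop(task, ("unknown", "no cause logged", None))
            findings.append({"endpoint": m.group(1), "cause": tag,
                             "reading": reading, "extra": extra})
    return findings

# Constructed sample: message texts as quoted in the thread, hostnames replaced.
SAMPLE = """\
[XNIO-1 task-6] ERROR io.kamax.mxisd.http.undertow.handler.AuthorizationHandler - Account not found from request from: matrix.example.org
[XNIO-1 task-6] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request GET http://matrix.example.org/_matrix/identity/v2/hash_details - Error M_UNAUTHORIZED: Supplied credentials are invalid
[XNIO-1 task-25] ERROR io.kamax.mxisd.http.undertow.handler.CheckTermsHandler - Non accepting request from: matrix.example.org
[XNIO-1 task-25] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request GET http://matrix.example.org/_matrix/identity/v2/hash_details - Error M_UNAUTHORIZED: Supplied credentials are invalid
[XNIO-1 task-13] INFO io.kamax.mxisd.auth.AccountManager - Domain resolved: example.org => https://matrix.example.org:8448
[XNIO-1 task-14] ERROR io.kamax.mxisd.auth.AccountManager - Wrong response status: 502
[XNIO-1 task-14] INFO io.kamax.mxisd.http.undertow.handler.BasicHttpHandler - Request POST http://matrix.example.org/_matrix/identity/v2/account/register - Error M_UNAUTHORIZED: Supplied credentials are invalid
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['endpoint']}: {f['cause']} ({f['reading']}; {f['extra']})")
```

For a `homeserver_call_failed` finding, the next check is whether the resolved address answers from the ma1sd host itself; ctwelve reports tracing their register failure to internal vs external DNS.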

> Ah, I have solved the issue! In my case, it was a result of internal vs external DNS. Definitely a non-obvious problem!

Hello @ctwelve ! I have the same issue. Could you please explain your solution a bit?

@ma1uta do you have any idea how to solve this issue?

Thank you both!

T3chTobi avatar Dec 04 '20 08:12 T3chTobi

> Ah, I have solved the issue! In my case, it was a result of internal vs external DNS. Definitely a non-obvious problem!

I'd appreciate any input! I'm stuck...

T3chTobi avatar Dec 06 '20 20:12 T3chTobi

> Ah, I have solved the issue! In my case, it was a result of internal vs external DNS. Definitely a non-obvious problem!

love it when the response is "Oh I solved it teehee" without sharing what they did...

AIndoria avatar Dec 10 '22 18:12 AIndoria

Aha! Agree! Explain what the problem was with DNS?

BlackSazha avatar Dec 27 '22 10:12 BlackSazha