
Better handle expired token

Open xtuc opened this issue 3 years ago • 7 comments

I'm using the Android app with a Mastodon implementation that uses expirable user tokens; I believe the official Mastodon server can be configured to expire tokens too.

For instance, when I try to edit my profile from the app, I see in the server's logs:

GET /api/v1/accounts/verify_credentials 401
Error: JWT has expired.

and the app shows an error: https://user-images.githubusercontent.com/1493671/215757542-862302eb-f43b-4bea-91e8-99330b96073f.jpeg without trying to recover. The only way is to manually logout and login again for a new token.

Note that the app is showing errors everywhere but /api/v1/accounts/verify_credentials is best for demonstration.

The same issue is present on iOS, but I haven't opened an issue for it yet.

xtuc avatar Jan 31 '23 12:01 xtuc

Mastodon implementation that use expirable user tokens

And it does that to solve what?

grishka avatar Jan 31 '23 20:01 grishka

@grishka It's good security practice to periodically rotate private keys and set expiry on tokens.

xtuc avatar Feb 01 '23 13:02 xtuc

Again, what is the practical issue that the involvement of time in authentication would solve? "Good security practice" is something merely theoretical. In practice, if someone obtains a device where you're logged in, there are two options:

  • You set a password (or biometric auth, whatever) on the OS level. They won't gain access to your account regardless of whether your sessions expire.
  • There is no OS-level password. They'll gain access to your account regardless of whether your sessions expire, because I'm sure they don't expire in 15 minutes like they do in banks.

So, expiring sessions do nothing to protect anyone from anything — they're nothing but an annoyance. So are password expiration policies. Here are my thoughts on authentication involving time formulated more succinctly by a friend (in Russian).

grishka avatar Feb 01 '23 13:02 grishka

For more context, the user session tokens we are using are JWTs and are signed. It's the signing key pair that is automatically and periodically rotated, meaning that after a certain time the JWT can't be verified anymore. Leaking the private key is much worse than leaking a user's JWT, so it's good practice to proactively rotate them.

We set the expiry on the JWT to have users request a new JWT signed with the new key pair. This isn't an annoyance to users, as it can be handled behind the scenes. Our problem is that the Mastodon application doesn't allow re-login once the JWT has expired.

I understand that Mastodon doesn't rely on signed JWT and might not run into this issue.

xtuc avatar Feb 01 '23 14:02 xtuc

How do you imagine "relogin behind the scenes" working? The regular login flow involves opening a web browser in which the user enters their credentials and clicks "allow", and then gets redirected back to the app via a custom URL scheme. I'd assume that the browser session would also expire in your setup — so there won't be any way to do it without user interaction.

grishka avatar Feb 01 '23 15:02 grishka

"Behind the scenes" was maybe a bit optimistic. Similar to the login flow, would it be possible to open a web browser, follow redirections and load cookies left during login? With some authentication providers that would allow re-login without interaction from the user, and in the worst case the user has to log in again.

xtuc avatar Feb 01 '23 15:02 xtuc
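The two mechanisms discussed above (xtuc's rotating signing keys with short-lived JWTs, and the client needing to re-authenticate once verification fails) can be modelled end to end. The following is an added illustration written for this thread; it is not code from Mastodon, from the Android app, or from xtuc's server. It assumes a constructed in-memory key ring with HMAC-SHA256 signing (a stand-in for the asymmetric key pair xtuc describes), a simulated verify_credentials endpoint that returns the two error strings quoted in this issue, and a client whose `reauth` callback stands in for whatever user-visible login flow the app ends up using. The point it demonstrates is the defender-side one raised here: keep retired keys only for the lifetime of tokens they signed, and have the client treat a 401 caused by an expired or unverifiable token as "re-authenticate this account", not as a generic error that requires logging every account out.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class KeyRing:
    """Constructed server-side key ring. The newest key signs new tokens; a
    retired key is kept only until every token it could have signed has expired,
    so verification of old-but-valid tokens keeps working across a rotation."""

    def __init__(self, token_ttl: int):
        self.token_ttl = token_ttl
        self.keys = {}          # kid -> (secret, retired_at or None)
        self.current = None

    def rotate(self, now: int) -> str:
        if self.current is not None:
            secret, _ = self.keys[self.current]
            self.keys[self.current] = (secret, now)   # retire, don't delete yet
        kid = f"k{len(self.keys) + 1}"
        # Deterministic secret purely so the example is reproducible offline.
        self.keys[kid] = (hashlib.sha256(f"{kid}-secret".encode()).digest(), None)
        self.current = kid
        return kid

    def prune(self, now: int) -> None:
        for kid, (_, retired) in list(self.keys.items()):
            if retired is not None and now > retired + self.token_ttl:
                del self.keys[kid]

    def secret(self, kid):
        entry = self.keys.get(kid)
        return entry[0] if entry else None


def issue_token(ring: KeyRing, sub: str, now: int) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": ring.current}
    payload = {"sub": sub, "iat": now, "exp": now + ring.token_ttl}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(ring.secret(ring.current), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(ring: KeyRing, token: str, now: int):
    """Return (status, payload); status is one of 'ok', 'expired',
    'unknown_key', 'bad_signature', 'malformed'. Signature is checked before
    exp so an attacker cannot learn anything from a forged-but-expired token."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return "malformed", None
    secret = ring.secret(header.get("kid"))
    if secret is None:
        return "unknown_key", None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return "bad_signature", None
    if now >= payload["exp"]:
        return "expired", None
    return "ok", payload


def verify_credentials_endpoint(ring: KeyRing, token: str, now: int):
    """Simulated GET /api/v1/accounts/verify_credentials using the error
    strings quoted in this issue (constructed, not the real server's code)."""
    status, payload = verify_token(ring, token, now)
    if status == "ok":
        return 200, {"id": payload["sub"]}
    return 401, {"error": "JWT has expired." if status == "expired" else "The access token is invalid"}


class ApiClient:
    """Constructed client for one account. On a 401 that names a token problem
    it asks the `reauth` callback (the app's login flow) for a fresh token once,
    then retries; anything else, or a declined re-login, is surfaced unchanged."""

    RETRYABLE = {"JWT has expired.", "The access token is invalid"}

    def __init__(self, token: str, reauth):
        self.token = token
        self.reauth = reauth
        self.reauth_calls = 0

    def verify_credentials(self, ring: KeyRing, now: int):
        for attempt in range(2):
            code, body = verify_credentials_endpoint(ring, self.token, now)
            if code != 401 or body.get("error") not in self.RETRYABLE or attempt == 1:
                return code, body
            self.reauth_calls += 1
            new_token = self.reauth()      # user-visible login for THIS account only
            if new_token is None:
                return code, body          # user declined or offline: report, don't loop
            self.token = new_token
        return code, body
```

The single retry is deliberate: a client that loops on 401 until a token is valid (the "loop login" idea floated later in this thread) can hammer a server or trap a user whose account was actually revoked, while one attempt per failed call bounds both. Scoping the new token to the one client object is what keeps a re-login for one account from disturbing the others.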

Necro comment!

Issue

I just added a second account to my Android app on:

  • "Mastodon for Android v2.9.4 (133)"
  • server "Social.Seattle.Wa.Us"

After several days .. may be a week .. I saw the message everywhere, "The access token is invalid" ....

When I tried to make a social action beyond searching, I see the message. I tried to Star something. That failed. I tried to comment and post .. those failed. I was able to search around and read stuff.

Workaround

I contacted the server admin and was advised to log out and log in again, and that refreshed the access token. It was a successful, if moderately painful, workaround: I had to log out of all of my accounts, not just the one that was obviously malfunctioning. Afterwards I could do all the things I liked to do before the token expired. Also, a notification appeared that had been suppressed by the expired auth token.

Impact

As it is this server is nearly unusable in this Android app for users with more than one account, given the workaround annoyingly blows away auth credentials for every logged in account.

Ask

Please let me know how I can help to fix this.

I'm just a user and don't know if the server configuration is something I have control over, I assume "no".

  • I can interrogate the server administrator, and report back here, if that would be helpful?

  • Is this expiring off token thing an anti-feature, for the broader Mastodon client universe? I noticed the conversation started talking about opening up a new browser window.

  • Is there like a whole new feature that is needed to be added to the client login flow for all Mastodon clients, a lightweight login?

  • I can also patch the issue and submit a PR, though my cowboy coding may not be so welcome 🙂 Loop login until auth token is valid 🤠!

nrichards avatar Feb 23 '25 20:02 nrichards