Jaaap / SQRL

Secure Quick Reliable Login WebExtension for Firefox and Chrome
MIT License

Misleading IP address mismatch error message? #13

Open gclayburg opened 5 years ago

gclayburg commented 5 years ago

I am working on server side SQRL support using angular/typescript. While doing this I sometimes get this error message: ip-address-mismatch

I think what is really going on here is that I pressed the back button in the browser and clicked the SQRL login button again. This is taking the old nut that was already used before. I can fix my server side code to reduce the likelihood of this happening, but it seems that the error message coming from this plugin could be more descriptive as to the actual problem. The IP address has nothing to do with the problem. Maybe something like this instead:

Authentication failed. This session has already been used. To sign in again, please follow the complete sign in procedures from the application you are using.

gclayburg commented 5 years ago

Ok, some more information. It looks like I'm only able to reproduce this error if the SQRL server is misconfigured to send the authenticated user to an unrelated site. So if my website is running at http://localhost:8080, the sqrl login button on that page uses the "sqrl:" protocol to trigger this browser extension for sqrl authentication. The backend sqrl server is sending the webServerAuthURL of http://somewhereelse. This browser extension is correctly sending the browser to this address. Obviously, the authentication cannot continue to start the cps session from this https://somewhereelse server. However, if I hit the back button, my original page from http://localhost:8080 loads. The page does attempt to get a new nut from the server, but the nut is the same as before. The error message appears from this browser plugin (under chrome) when I click the sqrl login button again on my web page and then click the login button from this browser extension. Maybe the server should be sending me a fresh nut in this case?

In any case, the error message talks about the IP address of the website visitor and the IP address of the sqrl client. These do not appear to be different in this case, but rather there is a server misconfiguration issue.

As a side note, after messing with this issue for a while, I notice that I have somehow put this browser extension into a state where it can no longer respond to any login attempt. I'll see about filing a separate issue for this. I am using version 0.0.55.

Jaaap commented 5 years ago

Which SQRL server(s) are you using? If it is Steve/GRC's server: this is a known (to me) bug that has been reported to Steve but no answer yet.

gclayburg commented 5 years ago

Yes, I am using Steve's VM with his IIS Express server. BTW, your browser plugin is quite slick. It handles the CPS session quite nicely.

gclayburg commented 5 years ago

Ok, I found more information about how to crash this plugin. My app is messed up and it is allowing a URL like sqrl://sqrl.steve.com/cli.sqrl?nut=3YVeTIuaZn6r&can=aHR0cDovL2xvY2FsaG9zdDo5MDAwLw

to be sent to your plugin more than once. The second time, I get the error message posted above followed by a plugin crash. It no longer responds to any clicks or any sqrl: requests. The workaround I have found is to just restart chrome.

Jaaap commented 5 years ago

Do you have a (public) site where I can reproduce that? If not, what steps do I have to take to reproduce this?

gclayburg commented 5 years ago

Unfortunately, I don't. I do know that I saw it after these steps.

  1. start chrome
  2. click on the button in my app that launches sqrl://sqrl.steve.com/cli.sqrl?nut=3YVeTIuaZn6r&can=aHR0cDovL2xvY2FsaG9zdDo5MDAwLw
  3. authenticate as normal through your plugin. It did prompt for a password since it was the first time.
  4. again click on the same button that had the same nut: sqrl://sqrl.steve.com/cli.sqrl?nut=3YVeTIuaZn6r&can=aHR0cDovL2xvY2FsaG9zdDo5MDAwLw

For me, that was enough to see the pop-up error message. At that point the plugin was unresponsive. Is there an error log somewhere I could give you?

Jaaap commented 5 years ago

Trying to reproduce... What do you mean by "At that point the plugin was unresponsive."? What happens when you open the webextension from the active tab? What happens when you open the webextension from another tab?

gclayburg commented 5 years ago

Ok, it seems I left out a few steps. After step 4 above, do not dismiss the error message. Instead, click on the SQRL icon in the Chrome toolbar. Both the error message window and the blue window with the login button disappear. At that point the plugin is not responsive in any tab. Chrome must be restarted for it to function again.

Jaaap commented 5 years ago

Ah yes, that does ring a bell: https://stackoverflow.com/questions/45112286/javascript-confirm-prompt-crashes-chrome-extension-on-mac Which OS/platform are you on? I'll try to reproduce and file a bug report with Chrome if appropriate.

gclayburg commented 5 years ago

I use Ubuntu Linux 16.04