aws-samples / cloudfront-authorization-at-edge

Protect downloads of your content hosted on CloudFront with Cognito authentication using cookies and Lambda@Edge
https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-using-cookies-protect-your-amazon-cloudfront-content-from-being-downloaded-by-unauthenticated-users/
MIT No Attribution

Sign in, sign out and then sign in again gets stuck at parse auth #278

Closed yashsharma04 closed 2 months ago

yashsharma04 commented 3 months ago

Seeing a bit of an issue on my Chrome browser when I sign in, sign out (which calls /signout) and then sign in again. Checked the logs and it gives a Nonce mismatch error in the parse auth lambda.

2024-06-23T02:53:10.423Z    46a37afe-01c7-4dc6-ba55-24696ea9f416    ERROR   400 error - Request failed for /parseauth: Error: Nonce mismatch Error: Nonce mismatch
    at Runtime.t.handler (/var/task/bundle.js:2:39622)
    at Runtime.handleOnceNonStreaming (file:///var/runtime/index.mjs:1173:29)

Surprisingly it doesn't happen on Firefox.

ottokruse commented 3 months ago

Hi mate.

Couple of questions:

ottokruse commented 2 months ago

Any update mate?

yashsharma04 commented 2 months ago

Sorry, missed this. So I checked it and our codebase took complete reference from this package about 2 years ago and is not directly using this. So apologies, we can close the ticket. But do lmk if you have seen the above issue before and what the possible fixes could be. One more weird thing was that it's happening on Chrome but not Firefox.

ottokruse commented 2 months ago

Haven't seen the issue off the top of my head, although we have made many fixes and improvements over the years, so I suggest you rebase.

Will close this issue. Feel free to reach out once you're back on the latest version.

yashsharma04 commented 1 month ago

Hi @ottokruse https://github.com/aws-samples/cloudfront-authorization-at-edge/blob/2d1143c9413c339b690d544895920aa264a39ccc/src/lambda-edge/parse-auth/index.ts#L231 This is the error we see:

    throw new common.RequiresConfirmationError(
      "Nonce mismatch. This can happen if you start multiple authentication attempts in parallel (e.g. in separate tabs)"
    );

And as it's mentioned here, I am able to reproduce this with multiple tabs. Our users are possibly keeping the website open in multiple tabs and every morning log in with any of those tabs, which is causing this issue to occur even more.

ottokruse commented 1 month ago

Not sure what the best way forward is.

The nonce matching is a security feature, but it seems overly tight for these cases.

The auth@edge UI does offer an easy button that the user can click, no? If they do they'll be signed in without issue? But that page still scares off users?

yashsharma04 commented 1 month ago

Yeah, they are greeted with that error so it always looks like something has gone wrong with the login. And surprisingly they keep multiple tabs very often.

ottokruse commented 1 month ago

Guess the answer is the error page should not be an error but simply say e.g. "Hi! Are you trying to sign in with us?"

Then it doesn't look like an error but simply a double check of the user's intent, which is what we are after in this case.

yashsharma04 commented 1 month ago

Yeah for now we enabled auto redirect to landing page which fixes the token. Might as well add a better page which comes up intermediate. Thanks though!
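To show why parallel tabs trip the nonce check discussed in this thread, here is an added, self-contained model (not the project's code): the browser has a single cookie jar shared by all tabs, each sign-in attempt writes a fresh nonce into a cookie and into the OAuth state, and the callback (the parse-auth step) requires the two to match. The cookie name, the state encoding and the function names are assumptions; the real Lambda@Edge also HMAC-protects the nonce and carries more fields in the state.

```typescript
import { randomBytes } from "crypto";

// Constructed model of a browser's cookie jar: one value per cookie name,
// shared by every tab. That sharing is the root of the multi-tab collision.
type CookieJar = Map<string, string>;

// Assumed cookie name; stands in for the project's own nonce cookie.
const NONCE_COOKIE = "auth-edge-nonce";

class RequiresConfirmationError extends Error {}

// A tab starts sign-in: a fresh nonce goes into a cookie and into the
// "state" that rides along the redirect to Cognito and back.
function startSignIn(jar: CookieJar): string {
  const nonce = randomBytes(16).toString("hex");
  jar.set(NONCE_COOKIE, nonce); // overwrites any nonce an earlier tab stored
  return Buffer.from(JSON.stringify({ nonce })).toString("base64url");
}

// Callback: the nonce inside the returned state must equal the nonce cookie
// currently in the browser. A mismatch means this browser did not start the
// attempt that is completing (login CSRF), or, benignly, another tab started
// a newer attempt and replaced the cookie in the meantime.
function parseAuth(jar: CookieJar, state: string): string {
  const { nonce } = JSON.parse(Buffer.from(state, "base64url").toString());
  const cookieNonce = jar.get(NONCE_COOKIE);
  if (!cookieNonce || cookieNonce !== nonce) {
    throw new RequiresConfirmationError("Nonce mismatch");
  }
  jar.delete(NONCE_COOKIE); // nonce is single-use
  return nonce;
}

function outcome(jar: CookieJar, state: string): string {
  try {
    parseAuth(jar, state);
    return "signed-in";
  } catch (e) {
    return e instanceof RequiresConfirmationError ? "nonce-mismatch" : "error";
  }
}

// Two tabs start sign-in, the first tab's callback arrives first: it fails,
// because tab 2 replaced the cookie; tab 2's callback then succeeds.
function simulateTwoTabs(): { firstTab: string; secondTab: string } {
  const jar: CookieJar = new Map();
  const stateTab1 = startSignIn(jar);
  const stateTab2 = startSignIn(jar);
  return { firstTab: outcome(jar, stateTab1), secondTab: outcome(jar, stateTab2) };
}
```

The mismatch is not an attack here, which is why the thread converges on presenting it as a confirmation prompt rather than an error; the check itself should stay, because it is what binds the callback to the browser that started the flow.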