element-hq / element-ios

A glossy Matrix collaboration client for iOS
https://element.io
Apache License 2.0

Unauthorized 401 Error Prevents Complete Security Reset (Security Settings -> Complete Security) #7838

Open rumz26 opened 2 weeks ago

rumz26 commented 2 weeks ago

Steps to reproduce

  1. Where are you starting? What can you see? I navigate to the Settings section and then select Security. From here, I can see the Complete Security option.

  2. What do you click? I click on the Reset button under the Complete Security section.

  3. More steps… After clicking Reset, an alert appears with the error message: "Request failed, unauthorized 401."

Outcome

What did you expect?

I expected the reset process under Complete Security to complete successfully without any errors.

What happened instead?

Instead, I received an alert with the error message: "Request failed, unauthorized 401."

https://github.com/user-attachments/assets/f9b5da97-7d63-42c8-9d9b-4a11c2912f16

Your phone model

iPhone 14

Operating system version

17.5

Application version

1.11.17

Homeserver

matrix.org

Will you send logs?

No

NicolasBuquet commented 2 days ago

In fact, the process is composed of 2 HTTP requests:

The reauthentication takes place if necessary between the 2 requests.

Actually, the backend responds to the 1st request with a success code 200 but without any payload in JSONResponse about the authentication flows, telling the client that it can process without reauthenticating.

When the client tries the real request, the backend rejects it with an error 401 and with a payload containing the available authentication flows:

[MXHTTPClient] Request 0x600001753040 failed for path: _matrix/client/unstable/keys/device_signing/upload - HTTP code: 401. Error: Error Domain=com.alamofire.error.serialization.response Code=-1011 "Request failed: unauthorized (401)" UserInfo={NSLocalizedDescription=Request failed: unauthorized (401), NSErrorFailingURLKey=https://matrix.<domain>/_matrix/client/unstable/keys/device_signing/upload, com.alamofire.serialization.response.error.data={length = 92, bytes = 0x7b227365 7373696f 6e223a22 767a534b ... 616d7322 3a7b7d7d }, com.alamofire.serialization.response.error.response=<NSHTTPURLResponse: 0x600000329e40> { URL: https://matrix.<domain>/_matrix/client/unstable/keys/device_signing/upload } { Status Code: 401, Headers {
    "Access-Control-Allow-Headers" =     (
        "X-Requested-With, Content-Type, Authorization, Date"
    );
    "Access-Control-Allow-Methods" =     (
        "GET, HEAD, POST, PUT, DELETE, OPTIONS"
    );
    "Access-Control-Allow-Origin" =     (
[MXHTTPClient] Error JSONResponse: {
    flows =     (
                {
            stages =             (
                "m.login.password"
            );
        }
    );
    params =     {
    };
    session = <...>;
}

Can the bad answer from the 1st request be linked to this backend issue: https://github.com/element-hq/synapse/pull/16943 ?

@giomfo @stefanceriu
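
A protocol-level sketch of the exchange described in the comment above, added here as an example and not taken from the thread, Element iOS or MatrixSDK: it treats a 401 that carries `flows` and `session` as a User-Interactive Authentication challenge even when the earlier probe returned 200 with no flows. The function names, `SUPPORTED_STAGES` and the sample bodies are constructed for illustration.

```python
import json

# Assumption: stage types this hypothetical client can complete by itself.
SUPPORTED_STAGES = {"m.login.password"}

def parse_uia_challenge(status, body):
    """Return the UIA challenge in a 401 response, or None for a plain failure."""
    if status != 401:
        return None
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    flows, session = data.get("flows"), data.get("session")
    if not isinstance(flows, list) or not isinstance(session, str):
        return None
    completed = data.get("completed")
    return {"flows": flows, "session": session,
            "completed": completed if isinstance(completed, list) else []}

def remaining_stages(challenge, supported=SUPPORTED_STAGES):
    """Outstanding stages of the first flow the client fully supports, else None."""
    done = {s for s in challenge["completed"] if isinstance(s, str)}
    for flow in challenge["flows"]:
        stages = flow.get("stages") if isinstance(flow, dict) else None
        if not isinstance(stages, list) or not all(isinstance(s, str) for s in stages):
            continue
        todo = [s for s in stages if s not in done]
        if todo and all(s in supported for s in todo):
            return todo
    return None

def next_action(status, body):
    """Classify the response to the real request, whatever the probe said."""
    if 200 <= status < 300:
        return ("done", None)
    challenge = parse_uia_challenge(status, body)
    if challenge is None:
        return ("fail", None)  # 401 without flows/session: plain authorization failure
    todo = remaining_stages(challenge)
    if todo is None:
        return ("unsupported", challenge["session"])
    return ("reauthenticate", {"session": challenge["session"], "stages": todo})

# Constructed bodies: an empty 200 probe reply, then a 401 shaped like the logged one.
PROBE = (200, "{}")
REAL = (401, '{"session": "CONSTRUCTED", "flows": [{"stages": ["m.login.password"]}], "params": {}}')
```
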