emansih / FireflyMobile

Mobile Application for Firefly III written in Kotlin
GNU General Public License v3.0

Logging in via OAUTH returns to login #29

Closed hinstef closed 5 years ago

hinstef commented 5 years ago

General:

Issue: Logging in via OAUTH returns to app login page after web page authorization

Steps to reproduce:

emansih commented 5 years ago

Are you able to give me access to your firefly instance?

Ryonez commented 5 years ago

I'm also getting this same issue, except I'm using Samsung's browser.

Sorry, I won't be giving access as my instance is connected to an auth system I'm not comfortable giving access to. I can however go through logs and the like for you.

Firefly sees the following connections after being sent the auth token:

172.17.0.1 - - [10/Feb/2019:16:38:09 +1300] "GET /oauth/clients HTTP/1.1" 200 2343 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"
172.17.0.1 - - [10/Feb/2019:16:38:27 +1300] "GET /oauth/authorize?client_id=51&redirect_uri=http://empty&scope=&response_type=code&state= HTTP/1.1" 200 3045 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36"
172.17.0.1 - - [10/Feb/2019:16:38:27 +1300] "GET /favicon.ico HTTP/1.1" 200 12261 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36"
172.17.0.1 - - [10/Feb/2019:16:38:39 +1300] "POST /oauth/authorize HTTP/1.1" 302 2151 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36"
172.17.0.1 - - [10/Feb/2019:16:38:47 +1300] "GET /oauth/authorize?client_id=51&redirect_uri=http://empty&scope=&response_type=code&state= HTTP/1.1" 200 3047 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36"
172.17.0.1 - - [10/Feb/2019:16:38:49 +1300] "POST /oauth/authorize HTTP/1.1" 302 2151 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36"
172.17.0.1 - - [10/Feb/2019:16:39:52 +1300] "GET /oauth/authorize?client_id=51&redirect_uri=http://empty&scope=&response_type=code&state= HTTP/1.1" 200 3047 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36"
172.17.0.1 - - [10/Feb/2019:16:39:54 +1300] "POST /oauth/authorize HTTP/1.1" 302 2151 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2
emansih commented 5 years ago

@Ryonez can you tell me what's your base url?

192.168.1.1
192.168.1.1:123
192.168.1.1/
192.168.1.1:123/
192.168.1.1/firefly
192.168.1.1:123/firefly
192.168.1.1/firefly/
192.168.1.1:123/firefly/
https://192.1688.1.1
https://192.1688.1.1/firefly
https://192.1688.1.1/firefly/
Ryonez commented 5 years ago

I host this at https://finace.alteria.xyz

emansih commented 5 years ago

I just tried Samsung browser on my SM-G950FD (Galaxy S8), I have no issues though. I have tried demo.firefly-iii.org and my own personal instance. I assume you are running on sandstorm?

Ryonez commented 5 years ago

What is sandstorm?

emansih commented 5 years ago

Firefly III can be deployed to a variety of systems. Sandstorm is one of them. Since you asked "What is sandstorm?", I assumed (again) that you are not running on sandstorm. Can I assume you are using composer hosted on a server that you own?

Ryonez commented 5 years ago

I'm not using that, no. I'm self hosting via docker on an unraid system.

Ryonez commented 5 years ago

demo.firefly-iii.org works for me as well.

Tried with a personal access token, and it pops up with an Authentication Failed before opening the web browser.

emansih commented 5 years ago

OK...I can replicate the personal access token bug. I have no idea about the OAuth bug though.

Ryonez commented 5 years ago

Tried it in firefox and this was returned via the browser: {"error":"invalid_client","message":"Client authentication failed"}

Ryonez commented 5 years ago

Maybe this is related to firefly-iii/firefly-iii#1920?

hinstef commented 5 years ago

Unfortunately I can't give you access either, I'm hosting the docker image on a local server which is only accessible via VPN. I'll check my logs and see if there is anything relevant and will also dig into the issue you linked.

emansih commented 5 years ago

hmm...When the redirect URI is https://empty, I will be shown invalid client in my browser, http://empty works fine.

emansih commented 5 years ago

@hinstef and @Ryonez are you both able to authenticate using this app? https://github.com/mconway/firefly-app

Ryonez commented 5 years ago

After logging on with that app, the authorize url returns a connection refused.

I tested it in postman using its details, and it worked.

Ryonez commented 5 years ago

Decided to test with the info your app expects in postman, and that worked as well.

Ryonez commented 5 years ago

Working auth run:

(three screenshots of the working auth run)

emansih commented 5 years ago

Hmm...I am not sure what is happening without having access to a test account....

emansih commented 5 years ago

@Ryonez

> Maybe this is related to firefly-iii/firefly-iii#1920?

This issue was fixed in Firefly 4.7.11 https://github.com/firefly-iii/firefly-iii/issues/1995

emansih commented 5 years ago

Or maybe you could use some sort of proxy and intercept the requests between your device and server. That way I can look at what's happening in between.

Ryonez commented 5 years ago

> This issue was fixed in Firefly 4.7.11

That docker image also has a major issue: firefly-iii/firefly-iii#2076

And I'm sorry, I can't give you a test account.

You saying it's working for you, are you using docker and a reverse proxy?

And postman is causing some confusion, as it can login without issue with the same urls and data the app should be using.

emansih commented 5 years ago

I'm not using docker or reverse proxy. I pulled Firefly III from master branch on GitHub.

Ryonez commented 5 years ago

Might I suggest trying that then? When diagnosing issues users are having, it's helpful to be as close to their environment as possible.

Heck, I'd even just try connecting to the docker of firefly on the local network first. We might get lucky and replicate the failure without the proxy.

I'm still trying to poke at this as much as I can, but the logs aren't really showing me much at all. This is the last line I see of the app and firefly talking, and then I'm returned to the oauth page on the app:

172.17.0.1 - - [13/Feb/2019:05:05:52 +1300] "GET /oauth/authorize?client_id=51&redirect_uri=http://empty&scope=&response_type=code&state= HTTP/1.1" 302 2752 "-" "Mozilla/5.0 (Linux; Android 8.0.0; SAMSUNG SM-G935F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/8.2 Chrome/63.0.3239.111 Mobile Safari/537.36"

emansih commented 5 years ago

Yes, I have tried Firefly III with Docker on a VM a couple of days ago. This is my config (v4.7.10, same as you):

Debug information generated at 2019-02-10 07:48:15 Europe/Amsterdam for Firefly III version 4.7.10.

Variable Content
FF version 4.7.10
FF API version 0.9.1
App environment local
App debug mode ''
App cache driver file
App logging , stdout
PHP version 7.2.14
Display errors Off
Session start 2019-02-01 00:00:00
Session end 2019-02-28 23:59:59
Session first 2019-02-10 00:00:00
Error reporting ALL errors
Host Linux
Interface apache2handler
UserID 1
Attempt at "en" false
Attempt at "English" false
Attempt at "en_US.utf8" 'en_US.utf8'
Attempt at "en_US.UTF-8" 'en_US.UTF-8'
DB drivers mysql, pgsql, sqlite
Current driver pgsql
Login provider
Storage disks local-upload
Using Sandstorm? no
Is Sandstorm (.env) false
Is Docker (.env) true
bunq uses sandbox false
Trusted proxies (.env)
User agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Loaded extensions Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, PDO, session, posix, Reflection, standard, SimpleXML, pdo_sqlite, Phar, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, bcmath, gd, intl, ldap, memcached, pdo_mysql, pdo_pgsql, sodium, zip, Zend OPcache
emansih commented 5 years ago

Can you try this APK? https://drive.google.com/file/d/1B5rOeYQmb-wE91jBxnKH8a3g6wl2rbQp/view?usp=sharing

Built from b34883d7cdacd322798fb632deb23ec6a29e3ab9

Ryonez commented 5 years ago

Here's my debug info from my instance:

Debug information generated at 2019-02-14 03:37:58 Pacific/Auckland for Firefly III version 4.7.10.

Variable Content
FF version 4.7.10
FF API version 0.9.1
App environment local
App debug mode false
App cache driver file
App logging , syslog
PHP version 7.2.14
Display errors Off
Session start 2019-02-01 00:00:00
Session end 2019-02-28 23:59:59
Session first 2019-02-10 00:00:00
Error reporting ALL errors
Host Linux
Interface apache2handler
UserID 1
Attempt at "en" false
Attempt at "English" false
Attempt at "en_US.utf8" 'en_US.utf8'
Attempt at "en_US.UTF-8" 'en_US.UTF-8'
DB drivers mysql, pgsql, sqlite
Current driver pgsql
Login provider
Storage disks local-upload
Using Sandstorm? no
Is Sandstorm (.env) false
Is Docker (.env) true
bunq uses sandbox false
Trusted proxies (.env) **
User agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Loaded extensions Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, PDO, session, posix, Reflection, standard, SimpleXML, pdo_sqlite, Phar, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, bcmath, gd, intl, ldap, memcached, pdo_mysql, pdo_pgsql, sodium, zip, Zend OPcache

I've tried that apk build for you. I tried the info the first time, and all I got was a spinning light blue part circle. As an extra step, I cleared the storage from the app and retried, and I believe I saw my browser flash up for a moment before disappearing and the part circle started spinning again.

I am signed in to firefly in the browser, so I guess the old auth was still valid.

emansih commented 5 years ago

how about PAT?

Ryonez commented 5 years ago

PAT worked, though it seems slow. Like there's information that takes a bit before it's there.

I'll note as well, I saw two authorized applications in the settings page. They weren't there before I tried the new apk.

emansih commented 5 years ago

> I saw two authorized applications in the settings page

It means authorization works :). I have a theory on what is happening.

The reason you don't get past the auth screen is because there was a race condition. I am on a relatively fast network (heh :P), therefore I did not have to wait for the loading circle since everything happens almost instantaneously.

Ryonez commented 5 years ago

I see. Progress, yays!

So the next thing to hammer out is the never ending loading? While the oauth is provisioned out, it seems the app trips up once it has it.

emansih commented 5 years ago

> is the never ending loading?

How does that happen?

Ryonez commented 5 years ago

The blue part circle just sits there spinning if you use oauth.

emansih commented 5 years ago

Ok, delete all app authorization in your profile page and try OAuth again. Does it add a new entry?

Ryonez commented 5 years ago

Nope, no entry was made.

Maybe they had come from my postman tests and I forgot to clear them. If so I'm really sorry.

emansih commented 5 years ago

Well, since PAT works for you, use that for now.

Ryonez commented 5 years ago

PAT works. Is this method less secure? And does it slow things down, because some of the account info isn't matching.

emansih commented 5 years ago

> Is this method less secure

In Firefly III's case, there's no difference. I will give you an overview of both authentication methods.

OAuth

  1. Key in details in app
  2. open browser
  3. key in login details in browser
  4. Firefly III returns an access token
  5. App retrieves token and authenticates against your server

PAT

The token you see when you create an entry is an access token already. All I do is verify that the access token is valid by retrieving your Firefly III accounts (asset/revenue/liability).

> And does it slow things down, because some of the account info isn't matching.

You should open another issue for this.

Ryonez commented 5 years ago

Got it, thank you for the explanation.