fission-codes / auth-lobby

The authentication service that Fission services run.
https://auth.fission.codes
GNU Affero General Public License v3.0

Cannot authenticate any application #110

Closed ngeojiajun closed 2 years ago

ngeojiajun commented 2 years ago

Recently I have run into a very weird problem which prevented me from logging in to any app.

What happened:

  1. Open the auth lobby after a long time (a month) of not accessing it. It logs me out.
  2. I linked using my Android phone.
  3. Attempted to authenticate https://quotes.fission.app/; it fails with "Failed to update data root" 😰
  4. Logged out and linked using my Fission CLI.
  5. Repeated step 3; it also failed with the same message.

Additional information: the console log revealed that HTTP error 400 is thrown by the https://runfission.com/v2/api/user/data/<cid> endpoint for step 3, and HTTP error 422 is thrown by the similar endpoint for step 5.

icidasset commented 2 years ago

Hey there! Thanks for creating an issue. A couple of questions:

  1. I assume you've migrated your filesystem? Seeing you've posted an issue on the migration repo as well. Or did that not work out for you?
  2. Could you get us the "response data" in the dev console from the failed requests you've mentioned above? 🙏
  3. The auth lobby should never log you out automatically. The apps however do after a month. Did you mean to say "opened the app" instead of "opened the auth lobby"? Just checking to be sure.
  4. If you open an incognito window (in a chromium browser preferably), link your account there and try to authenticate an app. Does that work?
ngeojiajun commented 2 years ago

  1. Yes, because I can use Fission Drive.
  2. It does not return anything, but there are "CID missing" and CBOR decoding errors, which were reported in another issue before this happened.
  3. I am not certain on this, but I never logged that out as far as I know.
  4. No.

The thing I can observe is that the server rejected all newly created UCANs while accepting the ones which the currently logged-in one has.

ngeojiajun commented 2 years ago

Update: after testing with the currently logged-in devices, I found out that authorization from the devices which were already logged in before succeeds. The issue only appears on the newly linked device.

Invalid UCAN got transferred during linking? idk

icidasset commented 2 years ago

We found the problem: we've got an issue in our CLI. It creates a UCAN where the expiration time is greater than that of the UCAN it is a proof of, which shouldn't happen.

We'll release a fix soon and from then on we'll validate incoming UCANs as well.

Couple of options for you where to go from here:
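As an added illustration of the bug described in the comment above (this is example code written for this page, not code from fission-codes/auth-lobby, the Fission CLI or any UCAN library), the check below walks a UCAN proof chain and flags a delegated UCAN whose expiry lies after that of the UCAN it derives its authority from. The UCAN model is deliberately simplified: each UCAN is a plain object with `exp` (unix seconds), optional `nbf` and an inline `prf` array; real UCANs are signed JWTs, and signature, issuer/audience and capability checks are left out. The DIDs, timestamps and the `decide` helper are constructed for the example.

```javascript
// Added example (not code from fission-codes/auth-lobby or the Fission CLI):
// a time-bounds check over a UCAN proof chain. Simplified model: each UCAN is
// a plain object with `exp` (unix seconds), optional `nbf`, and `prf` holding
// its proof UCANs inline. Signature, issuer/audience and capability checks are
// deliberately out of scope.

const DAY = 86400;
// Constructed "current time" so the sample runs deterministically.
const NOW = 1700000000;

// Returns a list of human-readable problems; an empty list means every time
// bound in the chain is consistent at `now`.
function checkTimeBounds(ucan, now = NOW) {
  const errors = [];
  walk(ucan, null, "ucan", errors, now);
  return errors;
}

// Depth-first walk. `derived` is the UCAN that lists the current one as a proof.
function walk(ucan, derived, path, errors, now) {
  if (!Number.isInteger(ucan.exp)) {
    errors.push(`${path}: missing or non-integer exp`);
    return;
  }
  if (ucan.exp <= now) {
    errors.push(`${path}: expired at ${ucan.exp} (now ${now})`);
  }
  if (Number.isInteger(ucan.nbf) && ucan.nbf > now) {
    errors.push(`${path}: not valid before ${ucan.nbf}`);
  }
  // A delegated UCAN draws its authority from its proofs, so it must not
  // outlive any of them. This is the invariant the buggy CLI link violated.
  if (derived !== null && derived.exp > ucan.exp) {
    errors.push(
      `${path}: derived UCAN expires at ${derived.exp}, after its proof (${ucan.exp})`
    );
  }
  (ucan.prf || []).forEach((proof, i) =>
    walk(proof, ucan, `${path}.prf[${i}]`, errors, now)
  );
}

// Constructed sample chain: the account's root UCAN held by the first browser,
// a CLI UCAN linked from it, and a UCAN the CLI then delegates to a new device.
const ROOT_UCAN = { iss: "did:key:zRoot", aud: "did:key:zBrowser1", exp: NOW + 30 * DAY, prf: [] };
const CLI_UCAN = { iss: "did:key:zBrowser1", aud: "did:key:zCli", exp: NOW + 30 * DAY, prf: [ROOT_UCAN] };

// What a buggy CLI would hand to the newly linked device: exp later than its proof.
const BUGGY_LINK_UCAN = { iss: "did:key:zCli", aud: "did:key:zPhone", exp: NOW + 60 * DAY, prf: [CLI_UCAN] };
// The corrected delegation: exp inside the proof's validity window.
const GOOD_LINK_UCAN = { iss: "did:key:zCli", aud: "did:key:zPhone", exp: NOW + 7 * DAY, prf: [CLI_UCAN] };

// Server-side view (constructed): reject the request if any bound in the
// proof chain fails, which is what validating incoming UCANs amounts to here.
function decide(ucan, now = NOW) {
  const errors = checkTimeBounds(ucan, now);
  return { accepted: errors.length === 0, errors };
}

console.log(decide(BUGGY_LINK_UCAN)); // accepted: false, one proof-chain error
console.log(decide(GOOD_LINK_UCAN));  // accepted: true
```

Note that a proof that has expired makes every UCAN derived from it fail as well, which is why the walk reports the expired root, the expired CLI UCAN and the expired device UCAN separately when the clock is moved past the root's `exp`; an accepting service only needs the first error, but listing all of them makes the rejection easier to debug from the client side.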

ngeojiajun commented 2 years ago

Does the recovery key work here?

matheus23 commented 2 years ago

Does the recovery key work here?

Yeah. That's an option.

  1. Log out of apps and the auth lobby only on the device you want to run the recovery
  2. Recover your account (at https://dashboard.fission.codes/recover/). As part of that you'll link with your auth lobby on that device. More on the recovery process itself at https://guide.fission.codes/accounts/account-signup/account-recovery#recover-your-account
  3. Log out of all other devices and link them again.

I recommend linking web -> CLI at least once, too. However, keep in mind linking CLI -> web might create invalid UCANs.

We'll let you know when we've got a fix.

ngeojiajun commented 2 years ago

@matheus23 I don't think web -> CLI works in my case because the server rejects the UCANs in both situations. Moreover, the affected browser is the one that I used to create the account.

matheus23 commented 2 years ago

I don't think web -> CLI works in my case because the server rejects the UCANs in both situations

Even after recovering your account using the recovery kit? I expect it to work after you've gone through the three steps I've posted above, but not before.

ngeojiajun commented 2 years ago

@matheus23 It succeeded. Will this make all existing UCANs invalid?

matheus23 commented 2 years ago

Yes

ngeojiajun commented 2 years ago

So for now, whatever I do, as long as I just don't link from the CLI because of the bug, I am safe already?

matheus23 commented 2 years ago

Yep, we think so. Remember to log out of devices on which you were still logged in with the UCAN that is now invalid and re-link them with the device that now has the valid UCAN.

ngeojiajun commented 2 years ago

Noted with thanks