immich-app / immich

High performance self-hosted photo and video management solution.
https://immich.app
GNU Affero General Public License v3.0

[BUG] Mobile android app won't work after update to 1.59.0 and so on , now on 1.59.1 #2619

Closed nameless-one closed 1 year ago

nameless-one commented 1 year ago

The bug

Completely unable to work after update. On old clients - just auto logout. On new client 1.59.0 - error 500 and nothing at login.

immich_server container log on every request:

[Nest] 1  - 05/30/2023, 6:37:49 PM   ERROR [ExceptionsHandler] connect ECONNREFUSED 127.0.0.1:443
Error: connect ECONNREFUSED 127.0.0.1:443
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1494:16)

The OS that Immich Server is running on

Android 12

Version of Immich Server

v1.59.1

Version of Immich Mobile App

v1.59.0

Platform with the issue

Your docker-compose.yml content

[nothing changed except passwords]

Your .env content

[nothing changed except API external url and it's worked before]

Reproduction steps

Upgrade to 1.59.0/1.59.1
Mobile client not working anymore

Additional information

No response

nameless-one commented 1 year ago
CONTAINER ID   IMAGE                                                COMMAND                  CREATED         STATUS         PORTS                                       NAMES
34a61328c028   ghcr.io/immich-app/immich-proxy:release              "/docker-entrypoint.…"   8 minutes ago   Up 8 minutes   0.0.0.0:2283->8080/tcp, :::2283->8080/tcp   immich_proxy
8ca4bccc3a72   ghcr.io/immich-app/immich-server:release             "/bin/sh start-micro…"   8 minutes ago   Up 8 minutes   3001/tcp                                    immich_microservices
22f51d7122ae   ghcr.io/immich-app/immich-server:release             "/bin/sh start-serve…"   8 minutes ago   Up 8 minutes   3001/tcp                                    immich_server
9ee6b067ec3f   ghcr.io/immich-app/immich-machine-learning:release   "python src/main.py"     8 minutes ago   Up 8 minutes                                               immich_machine_learning
51f45701fa9f   redis:6.2                                            "docker-entrypoint.s…"   8 minutes ago   Up 8 minutes   6379/tcp                                    immich_redis
1e824c865e98   ghcr.io/immich-app/immich-web:release                "/bin/sh entrypoint.…"   8 minutes ago   Up 8 minutes   3000/tcp                                    immich_web
0c3c88878067   postgres:14                                          "docker-entrypoint.s…"   8 minutes ago   Up 8 minutes   5432/tcp                                    immich_postgres
deeba846c015   typesense/typesense:0.24.0                           "/opt/typesense-serv…"   8 minutes ago   Up 8 minutes   8108/tcp                                    immich_typesense

Port 443 is never exposed in Docker or inside the comm. schema, and this port is never mentioned in any config.

External nginx publication (again, worked fine before 1.59.0):

server {

    listen       2283 ssl http2;
    server_name  johnf.static.corbina.com;

    access_log  /var/log/nginx/ssl_immich_access.log  main;

    ssl_certificate     /etc/letsencrypt/live/johnf.static.corbina.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/johnf.static.corbina.com/privkey.pem;
    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    proxy_connect_timeout       500s;
    proxy_send_timeout          700s;
    proxy_read_timeout          500s;
    send_timeout                700s;

    proxy_ssl_verify              off;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;

    location / {
      proxy_pass       http://localhost:2283;
      proxy_set_header Host      johnf.static.corbina.com;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

    }

}

alextran1502 commented 1 year ago

Can you access the instance with your local IP?

nameless-one commented 1 year ago

No, same 500. Web works fine from any place. Trying to point API EXTERNAL URL to something insane also gives content from this address, so it's probably right.

alextran1502 commented 1 year ago

Can you please include your .env and docker-compose?

nameless-one commented 1 year ago

It's unchanged, the only changed string except passwords:

IMMICH_API_URL_EXTERNAL=https://johnf.static.corbina.com:2283/api

alextran1502 commented 1 year ago

[nothing changed except API external url and it's worked before]

IMMICH_API_URL_EXTERNAL should not be changed if you use the stock docker-compose file. Please comment it out and restart your stack

nameless-one commented 1 year ago

It's already done, nothing changed.

alextran1502 commented 1 year ago

So you have something like this

#IMMICH_API_URL_EXTERNAL=http://localhost:3001

Then you perform docker compose down and then docker compose up and nothing changes?

nameless-one commented 1 year ago

Yes. Already tried it before.

nameless-one commented 1 year ago

Compose and env, processed for passwords:

version: "3.8"

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:release
    command: ["start-server.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:release
    command: ["start-microservices.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:release
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - model-cache:/cache
    env_file:
      - .env
    restart: always

  immich-web:
    container_name: immich_web
    image: ghcr.io/immich-app/immich-web:release
    env_file:
      - .env
    restart: always

  typesense:
    container_name: immich_typesense
    image: typesense/typesense:0.24.0
    environment:
      - TYPESENSE_API_KEY=${TYPESENSE_API_KEY}
      - TYPESENSE_DATA_DIR=/data
    logging:
      driver: none
    volumes:
      - tsdata:/data
    restart: always

  redis:
    container_name: immich_redis
    image: redis:6.2
    restart: always

  database:
    container_name: immich_postgres
    image: postgres:14
    env_file:
      - .env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      PG_DATA: /var/lib/postgresql/data
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

  immich-proxy:
    container_name: immich_proxy
    image: ghcr.io/immich-app/immich-proxy:release
    environment:
      # Make sure these values get passed through from the env file
      - IMMICH_SERVER_URL
      - IMMICH_WEB_URL
    ports:
      - 2283:8080
    depends_on:
      - immich-server
    restart: always

volumes:
  pgdata:
  model-cache:
  tsdata:

###################################################################################
# Database
###################################################################################

# NOTE: The following four database variables support Docker secrets by adding a *_FILE suffix to the variable name
# See the docker-compose documentation on secrets for additional details: https://docs.docker.com/compose/compose-file/compose-file-v3/#secrets
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_PASSWORD=xxxxxxxxxx
DB_DATABASE_NAME=immich

# Optional Database settings:
# DB_PORT=5432

###################################################################################
# Redis
###################################################################################

REDIS_HOSTNAME=immich_redis

# REDIS_URL will be used to pass custom options to ioredis.
# Example for Sentinel
# {"sentinels":[{"host":"redis-sentinel-node-0","port":26379},{"host":"redis-sentinel-node-1","port":26379},{"host":"redis-sentinel-node-2","port":26379}],"name":"redis-sentinel"}
# REDIS_URL=ioredis://eyJzZW50aW5lbHMiOlt7Imhvc3QiOiJyZWRpcy1zZW50aW5lbDEiLCJwb3J0IjoyNjM3OX0seyJob3N0IjoicmVkaXMtc2VudGluZWwyIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6Im15bWFzdGVyIn0=

# Optional Redis settings:

# Note: these parameters are not automatically passed to the Redis Container
# to do so, please edit the docker-compose.yml file as well. Redis is not configured
# via environment variables, only redis.conf or the command line

# REDIS_PORT=6379
# REDIS_DBINDEX=0
# REDIS_USERNAME=
# REDIS_PASSWORD=
# REDIS_SOCKET=

###################################################################################
# Upload File Location
#
# This is the location where uploaded files are stored.
###################################################################################

UPLOAD_LOCATION=/data/immich

###################################################################################
# Typesense
###################################################################################
TYPESENSE_API_KEY=faouinf0817fb10fuipasoasf
# TYPESENSE_ENABLED=false
# TYPESENSE_URL uses base64 encoding for the nodes json.
# Example JSON that was used:
# [
#      { 'host': 'typesense-1.example.net', 'port': '443', 'protocol': 'https' },
#      { 'host': 'typesense-2.example.net', 'port': '443', 'protocol': 'https' },
#      { 'host': 'typesense-3.example.net', 'port': '443', 'protocol': 'https' },
#  ]
# TYPESENSE_URL=ha://WwogICAgeyAnaG9zdCc6ICd0eXBlc2Vuc2UtMS5leGFtcGxlLm5ldCcsICdwb3J0JzogJzQ0MycsICdwcm90b2NvbCc6ICdodHRwcycgfSwKICAgIHsgJ2hvc3QnOiAndHlwZXNlbnNlLTIuZXhhbXBsZS5uZXQnLCAncG9ydCc6ICc0NDMnLCAncHJvdG9jb2wnOiAnaHR0cHMnIH0sCiAgICB7ICdob3N0JzogJ3R5cGVzZW5zZS0zLmV4YW1wbGUubmV0JywgJ3BvcnQnOiAnNDQzJywgJ3Byb3RvY29sJzogJ2h0dHBzJyB9LApd

###################################################################################
# Reverse Geocoding
#
# Reverse geocoding is done locally which has a small impact on memory usage
# This memory usage can be altered by changing the REVERSE_GEOCODING_PRECISION variable
# This ranges from 0-3 with 3 being the most precise
# 3 - Cities > 500 population: ~200MB RAM
# 2 - Cities > 1000 population: ~150MB RAM
# 1 - Cities > 5000 population: ~80MB RAM
# 0 - Cities > 15000 population: ~40MB RAM
####################################################################################

# DISABLE_REVERSE_GEOCODING=false
# REVERSE_GEOCODING_PRECISION=3

####################################################################################
# WEB - Optional
#
# Custom message on the login page, should be written in HTML form.
# For example:
# PUBLIC_LOGIN_PAGE_MESSAGE="This is a demo instance of Immich.<br><br>Email: <i>demo@demo.de</i><br>Password: <i>demo</i>"
####################################################################################

PUBLIC_LOGIN_PAGE_MESSAGE=

####################################################################################
# Alternative Service Addresses - Optional
#
# This is an advanced feature for users who may be running their immich services on different hosts.
# It will not change which address or port that services bind to within their containers, but it will change where other services look for their peers.
# Note: immich-microservices is bound to 3002, but no references are made
####################################################################################

IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003

####################################################################################
# Alternative API's External Address - Optional
#
# This is an advanced feature used to control the public server endpoint returned to clients during Well-known discovery.
# You should only use this if you want mobile apps to access the immich API over a custom URL. Do not include trailing slash.
# NOTE: At this time, the web app will not be affected by this setting and will continue to use the relative path: /api
# Examples: http://localhost:3001, http://immich-api.example.com, etc
####################################################################################

#IMMICH_API_URL_EXTERNAL=https://johnf.static.corbina.com:22283/api

alextran1502 commented 1 year ago

Can you try it again without the IMMICH_API_URL_EXTERNAL in effect? I am asking you to try this because I cannot reproduce this on my end, and I think there is somehow an issue with the instance's setup. It may be good to provide the content of your current docker-compose and .env, and to detail the exact commands and steps that you tried.

nameless-one commented 1 year ago

Already did it.

nameless-one commented 1 year ago

How it looks in the frontend access log:

189.179.125.130 - - [30/May/2023:22:00:09 +0300] "GET /.well-known/immich HTTP/1.1" 200 27 "-" "Dart/3.0 (dart:io)" "-"
189.179.125.130 - - [30/May/2023:22:00:09 +0300] "POST /api/oauth/config HTTP/1.1" 500 52 "-" "Dart/3.0 (dart:io)" "-"
189.179.125.130 - - [30/May/2023:22:00:10 +0300] "GET /.well-known/immich HTTP/1.1" 200 27 "-" "Dart/3.0 (dart:io)" "-"
189.179.125.130 - - [30/May/2023:22:00:10 +0300] "POST /api/oauth/config HTTP/1.1" 500 52 "-" "Dart/3.0 (dart:io)" "-"

But I disabled OAUTH a day ago. Let's check.

alextran1502 commented 1 year ago

Can you try to connect to the demo instance at

https://demo.immich.app/

Email: demo@immich.app
Password: demo

nameless-one commented 1 year ago

Well, after the upgrade it enabled OAUTH by itself, and the stored OAUTH credentials aren't valid now (it was an unsuccessful experiment). That's the real bug. I disabled OAuth again and everything is working fine now.

nameless-one commented 1 year ago

And 127.0.0.1:443 means my local hostname from the OAuth URL (strange, why not the hostname as written in the config), resolved using hosts, because it's mapped to 127.0.0.1 there to avoid router binat through the ISP.
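
The failure described in the comment above can be checked before a login ever hits it. The following is an added example, not code from the thread or from Immich: it works out which address and port an HTTP client would dial for an OAuth issuer URL and flags loopback results, which inside a container point at the container itself. The function names, the hostname `auth.example.internal` and the stand-in resolver are assumptions made for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def connect_targets(url, resolver=socket.getaddrinfo):
    """Return the (ip, port) pairs a client would dial for `url`."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    # No explicit port in the URL means the scheme default, which is
    # how ":443" can show up in a log without appearing in any config.
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    # Deduplicate while keeping resolver order.
    return list(dict.fromkeys((info[4][0], port) for info in infos))


def loopback_targets(url, resolver=socket.getaddrinfo):
    """Targets that resolve to loopback; inside a container these point
    at the container itself, not at the host running the provider."""
    return [(ip, port) for ip, port in connect_targets(url, resolver)
            if ipaddress.ip_address(ip).is_loopback]


def fake_hosts_resolver(table):
    """Constructed stand-in for a hosts-file lookup, so this runs offline."""
    def resolve(host, port, type=socket.SOCK_STREAM):
        return [(socket.AF_INET, type, 6, "", (ip, port)) for ip in table[host]]
    return resolve


if __name__ == "__main__":
    # Constructed sample: hypothetical issuer hostname pinned to loopback.
    resolver = fake_hosts_resolver({"auth.example.internal": ["127.0.0.1"]})
    issuer = "https://auth.example.internal/realms/x"
    for ip, port in loopback_targets(issuer, resolver):
        print(f"WARNING: issuer resolves to loopback {ip}:{port}")
```

Run with the default resolver from inside the server container, it reports what that container's own name resolution returns for the issuer host.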

alextran1502 commented 1 year ago

Has anything changed with your OAuth provider?

nameless-one commented 1 year ago

Nothing, it's non-functional for now. Before the upgrade OAUTH was turned off. After the upgrade it became turned on without my intervention and NOTHING changed in the web UI as proposed (OAuth can't be used for mobile only); I'm still fine with local logins. But after examining the logs above I checked everything about OAUTH, and OAUTH was checked On in settings, and as you can see above, there is strange behavior only with the mobile app.

alextran1502 commented 1 year ago

I am closing this issue because it seems to be related to the OAuth issue; we have users that use OAuth but are not running into it, so this will require you to look into your setup further. Thank you for reporting