jackyzy823 / fxa-selfhosting

Selfhosting your own Firefox Accounts (FxA)!
Mozilla Public License 2.0
99 stars, 13 forks

500 Error from firefox mobile #31

Closed MrLightningBlaze closed 2 months ago

MrLightningBlaze commented 2 months ago

Whenever I try to use the QR code or email sign-in on mobile, it just directs me to a "500 error" page. Desktop works completely fine. I am using Caddy as a reverse proxy. My friend who is using Traefik also has similar errors when not on their local network, but I get mine no matter what (local Wi-Fi or not). Neither of us can figure it out, nor seem to get any useful logs.

Redacted some stuff from below; not totally sure what's safe or not to share, so I played it a bit safe.

Logs from my docker compose up (nginx logs) don't seem too helpful, but I will put them here anyway:

nginx-1                             | 172.23.0.14 - - [05/Sep/2024:17:08:30 +0000] "GET /authorization?action=email&response_type=code&entrypoint=home-menu&client_id=[redacted]&scope=profile+https%3A%2F%2Fidentity.mozilla.com%2Fapps%2Foldsync&state=[redacted]&code_challenge_method=S256&code_challenge=[redacted]&access_type=offline&keys_jwk=[redacted]&context=oauth_webchannel_v1 HTTP/1.1" 200 4065 "-" "Mozilla/5.0 (Android 14; Mobile; rv:129.0) Gecko/129.0 Firefox/129.0" "[redacted]"
nginx-1                             | 172.23.0.14 - - [05/Sep/2024:17:08:30 +0000] "GET /styles/tailwind/fonts/Metropolis-Bold.woff2?v=10.0.0 HTTP/1.1" 404 1401 "-" "Mozilla/5.0 (Android 14; Mobile; rv:129.0) Gecko/129.0 Firefox/129.0" "[redacted]"
nginx-1                             | 172.23.0.14 - - [05/Sep/2024:17:08:30 +0000] "GET /styles/tailwind/fonts/Metropolis-Bold.woff?v=10.0.0 HTTP/1.1" 404 1401 "-" "Mozilla/5.0 (Android 14; Mobile; rv:129.0) Gecko/129.0 Firefox/129.0" "[redacted]"

Here is my config.yml:

#! THIS FILE USING YTT(https://github.com/k14s/ytt/) FORMAT
#! this is a general config for all related stuff
#@data/values
---
#! Once config.yml changed you should rerun ./init.sh to regenerate `dest`/docker-compose.yml

#! if PERSISTENCEPATH is relative, it relates to `dest`/docker-compose.yml
persistencepath: .
#! [WARNING] DO NOT DOWNGRADE WITHOUT A CLEAN DB SINCE SCHEMA CANNOT DOWNGRADE.

#! latest tested version is : v1.277.3

#! by default we use tested version , using latest at your own risk.
fxa_version: "v1.277.3"
option:
  sync:
    #! set true to keep all your sync items not expired
    neverexpire: true
  #! for device pairing
  channelserver:
    enable: true
  #! Since send is EOL , so use it at your own risk
  send:
    enable: false
    settings:
      #! settings are upper-cased and passed to send as ENV variables
      #! [TODO] send android , client_id 20f7931c9054d833
      fxa_client_id: "fced6b5e3f4c66b9"
      #![TODO] file_dir need volumes or not or ....
      max_file_size:
      #! for security and network bandwidth/traffic sake, you'd better not allow anonymous users to use your send on the internet
      #! see : https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/
      #! see https://portswigger.net/daily-swig/firefox-send-suspended-amid-concern-over-malware-abuse
      #! [NOTE] number 0 will be treated as false 
      anon_max_file_size: "0"
      #! expire_times_seconds array format "a,b,c"
      expire_times_seconds:
      default_expire_seconds:
      max_expire_seconds:
      anon_max_expire_seconds:
      max_downloads:
      anon_max_downloads:
      max_files_per_archive:
      max_archives_per_user:
      #! download_counts array format "a,b,c"
      download_counts:
  notes:
    enable: false
    settings:
      #! client_id is a must , depends on what you set in https://github.com/mozilla/notes/src/background.js
      #! client_id should equal to _init/auth/oauthserver-prod 
      client_id:
        webext: #! sample: "a3dbd8c5a6fd93e2"
        android: #! sample: "7f368c6886429f19"
  #!  According to https://blog.mozilla.org/addons/2020/07/09/changes-to-storage-sync-in-firefox-79/
  #!  since Firefox 79, it uses syncserver instead of kinto for the webextension storage.sync API, so disabled by default
  #!  if you still want to use this, set about:config webextensions.storage.sync.kinto : true and point webextensions.storage.sync.serverURL at the kinto domain name below
  webext_storagesync:
    enable: false
    settings:
      #! you shall not change this , "5882386c6d801776" means firefox
      client_id: "5882386c6d801776"
      #! [deprecated] fxa-oauth.clients.storagesync.client_id: "5882386c6d801776"
  #! last tested 13.6.3
  kinto_version: "latest"
  #! [TODO] integrate with kinto
  #! both with_notes and with_webext_storagesync need a kinto server and its postgres
  #! see kinto usage https://wiki.mozilla.org/Firefox/Kinto
  #! https://testpilot.settings.services.mozilla.com/v1/
  #! client_id 5882386c6d801776 == firefox
  #! https://webextensions.settings.services.mozilla.com/v1/
#! [TODO] make docker-compose.tmp.yml data.values.domain.name and etc reusable via define
#! domain name related stuff
domain:
  #! base name
  name: "[redacted]"
  #! for content-server
  content: "fxacontent"
  auth: "fxaapi"
  oauth: "fxaoauth"
  #! for profile server
  profile: "fxaprofile"
  #! for syncserver
  sync: "fxatoken"
  #! for graphql-api
  graphql: "fxagraphql"
  #! must if option.channelserver.enable == true
  channelserver: "fxachannelserver"
  #! for firefox send 
  #! must if option.send.enable == true
  send: "fxasend"
  #! for notes and webextension storage.sync
  kinto: "fxakinto"
nginx:
  #! port or ip/port or unix socket folder
  #! for those who want to reverse proxy (then we do not need a host resolver, because we just proxy_pass ip/port)
  #! can be a folder containing a unix socket like "/var/run/fxa-selfhosting" with ssl = false and unix_socket = true -> socket filename is nginx.sock
  #! make sure your reverse proxy has permission to access the folder.
  listener: "127.0.0.1:6738"
  #! set to true if `listener` is a unix socket
  unix_socket: false
  #! if false, certs are not required and another fxa_nossl.conf is used
  #! set to false if `listener` is a unix socket
  ssl: false
mail:
  #! types are "localhelper", "localrelay", "3rd"
  #! smtp_user/smtp_pass is required for "localrelay" and "3rd" (can be any non-null string) even if not used.
  #! "localhelper" uses fxa-auth-local-mail-helper, which sends and receives mail itself; smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure have no effect.
  #!               mails are stored in memory, remember to clean them (by DELETE api or restart container)
  #! "localrelay" uses exim-sender; smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure have no effect.
  #! "3rd" sends mail via a 3rd party (like gmail etc)
  type: "3rd"
  #! for   "3rd": refer to your mail service provider
  smtp_host: [redacted]
  smtp_port: [redacted]
  smtp_user: [redacted]
  smtp_pass: [redacted]
  smtp_secure: [redacted]
  #! if smtp_sender empty use "Firefox Accounts <no-reply@domain.name>" default
  smtp_sender: [redacted]
  #! only for "localhelper"
  #! web api
  localhelper:
    web: "127.0.0.1:9001"
#! Here we can add some custom OAuth Client
#! for example we add a OAuth Client which can read / write your sync data after granted by you
oauth:
  clients:
  #! [NOTE] DO NOT ENABLE BELOW IF NOT USED
#!  - id: deadbeafdeadbeaf
#!    #! hex secret 0b2b91549678167e4870d76e2b94024b2954cb8605e4a2e8179ab80ecf40b287
#!    hashedSecret: b88d5613f75ed5362ecb8c263be5b918aafbb23aac39f817eac44cbe4df7cda3
#!    name: SyncManager
#!    imageUri: ''
#!    #! if generate_redirectUri is true, redirectUri is generated automatically: https://{content}.{domain_name}/oauth/success/{id}
#!    generate_redirectUri: true
#!    redirectUri: 
#!    trusted: true
#!    #! some explain https://github.com/mozilla/fxa/blob/96cbbccfaed1de93d556a2259554acfabeb4cbe5/packages/fxa-auth-server/lib/oauth/authorized_clients.js#L55
#!    canGrant: true
#!    publicClient: true
#!    #! redirectUri will be added to contentserver.prod.tmp.yml if scope matches
#!    #! allowedScopes is a space-separated string
#!    allowedScopes: https://identity.mozilla.com/apps/oldsync

secrets:
  authsecret: "[redacted]"
  flowidkey: "[redacted]"
  profileserver_authsecret_bearertoken: "[redacted]"
debug:
  #! to register preverified accounts, we need to set fxa-auth-server's NODE_ENV to something other than `prod`
  #! see  fxa-auth-server/lib/routes/account.js `delete routes[0].options.validate.payload.preVerified;`
  auth_server_preverifed: false
  deps_logs: false
  #! make a e2e test compose file
  #! require mail.type == localhelper
  e2e_test:
    enable: false
    #! only used when full_self_sign_workaround == true
    root_cert:
  #! workaround for fxa-graphql-api with full self sign
  #! if you want fxa-graphql-api communicate with fxa-auth-server internally , turn this `true`
  #! [WARN] browserid-verifier will not work. Since BrowserID is deprecated, just do not use old browser or python `syncclient`
  full_self_sign_workaround: false
  #! Use a [python3 version syncserver](https://github.com/jackyzy823/syncserver3)
  use_syncserver3: false

MrLightningBlaze commented 2 months ago

I am sorry for my two issue reports now that ended up being my bad. It turned out to be 2 separate config issues on my side. First was a simple mess-up on the oauth URL in my proxy. Second was an access-control header problem with my setup, that I was unable to find out until loading the mobile sign-in URL on my desktop and looking through the network tab, related to the content and the oauth URLs. It took me over an hour of fiddling to actually get it to work, but now it works flawlessly. Sorry again for the "my fault" issues.
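A check an operator can run against a deployment like the one above, added here as an example (it is not fxa-selfhosting code and not something from the thread): it reads the `domain:` block of config.yml, builds the public URL of each service, and sends a CORS preflight from the content-server origin to the oauth host, reporting a missing or mismatched Access-Control-Allow-Origin header, the symptom found in the browser's network tab. That the auth and profile hosts are also called cross-origin by the content server's browser code is an assumption made for this example; the sample config text (base name `example.invalid`) and all function names are constructed. The check also flags the wildcard `*` combined with `Access-Control-Allow-Credentials: true`, which browsers reject.

```python
"""CORS / reverse-proxy sanity check for a self-hosted FxA deployment.

Added example, not fxa-selfhosting code: builds each service URL from the
`domain:` block of config.yml and sends a CORS preflight from the
content-server origin to the hosts the browser is expected to reach cross-origin.
"""
import re
import sys
import urllib.error
import urllib.request

# "oauth" is the host named in the issue; "auth" and "profile" are an assumption
# about which other hosts the content server's browser-side code calls.
CROSS_ORIGIN_SERVICES = ("oauth", "auth", "profile")

# Constructed sample of a config.yml `domain:` block (base name invented).
SAMPLE_CONFIG = """\
domain:
  #! base name
  name: "example.invalid"
  content: "fxacontent"
  auth: "fxaapi"
  oauth: "fxaoauth"
  profile: "fxaprofile"
nginx:
  listener: "127.0.0.1:6738"
"""


def parse_domain_block(config_text):
    """Return the flat key/value pairs under `domain:`; `#!` comments are skipped."""
    domains, in_block = {}, False
    for line in config_text.splitlines():
        if re.match(r"^domain:\s*$", line):
            in_block = True
            continue
        if not in_block:
            continue
        if line and not line.startswith(" "):
            break  # next top-level key closes the block
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = re.match(r'^(\w+):\s*"?([^"#]*?)"?\s*(?:#.*)?$', stripped)
        if m:
            domains[m.group(1)] = m.group(2).strip()
    return domains


def service_urls(domains):
    """Map each sub-domain key to its public URL, e.g. oauth -> https://fxaoauth.<name>."""
    base = domains["name"]
    return {k: f"https://{v}.{base}" for k, v in domains.items() if k != "name"}


def evaluate_cors(headers, origin):
    """Judge response headers for a request sent from `origin`; returns (ok, reason).

    Header names are compared case-insensitively, as a browser does; the
    wildcard form is only usable when credentials are not allowed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "missing Access-Control-Allow-Origin; the browser blocks the response"
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == "*":
        if creds:
            return False, "wildcard origin with Allow-Credentials: true is rejected by browsers"
        return True, "wildcard origin"
    if acao.rstrip("/") != origin.rstrip("/"):
        return False, f"Allow-Origin {acao!r} does not match request origin {origin!r}"
    return True, "origin echoed"


def preflight(url, origin, timeout=5):
    """Send an OPTIONS preflight to `url` as `origin`; returns (status, headers)."""
    req = urllib.request.Request(url, method="OPTIONS", headers={
        "Origin": origin, "Access-Control-Request-Method": "GET"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as exc:  # a 4xx/5xx answer still carries headers
        return exc.code, dict(exc.headers)
    except (urllib.error.URLError, OSError) as exc:
        return None, {"error": str(exc)}


def main(path):
    """Probe every cross-origin service named in config.yml; returns the failure count."""
    with open(path, encoding="utf-8") as fh:
        urls = service_urls(parse_domain_block(fh.read()))
    origin, failures = urls["content"], 0
    for svc in CROSS_ORIGIN_SERVICES:
        if svc not in urls:
            continue
        status, hdrs = preflight(urls[svc], origin)
        ok, why = evaluate_cors(hdrs, origin) if status is not None else (False, hdrs["error"])
        failures += not ok
        print(f"{svc:8} {urls[svc]:45} status={status} {'OK ' if ok else 'BAD'} {why}")
    return failures


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1] if len(sys.argv) > 1 else "config.yml") else 0)
```

Run it as `python3 fxa_cors_check.py dest/config.yml` from the machine the browser would use; a `BAD` line for the oauth host with "missing Access-Control-Allow-Origin" is the reverse-proxy misconfiguration the thread describes, and a status of `None` means the proxy did not route the host at all.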