jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

API-Code Issue #46

Closed ghost closed 6 years ago

ghost commented 6 years ago

Hello there,

I configured everything as mentioned in the documentation. My BOSH URL is working, I can reach it in my browser and it's also available in Nextcloud. But I can't log in to the XMPP server in Nextcloud. When I try to do a test login via the command line, I'm getting the following output:

2018-02-14 11:08:41,679 DEBUG: Start external auth script 1.0.0 for prosody with endpoint: https://cloud.sise-it.com/index.php/apps/ojsxc/ajax/externalApi.php
2018-02-14 11:08:41,680 DEBUG: Token is too short: 5 != 23 (maybe not a token?)
2018-02-14 11:08:41,684 DEBUG: Starting new HTTPS connection (1): cloud.sise-it.com
2018-02-14 11:08:46,949 DEBUG: https://cloud.sise-it.com:443 "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 44
2018-02-14 11:08:46,951 INFO: SUCCESS: Cloud says password for hannes@sise-it.com is valid
True

So it seems like the password is correct, but it's not getting the correct API key? But I checked the secret key multiple times. I've got the xcauth.conf at /etc/ and also at /opt/xmpp-cloud-auth/ (I thought maybe it doesn't get the location of the .conf file in /etc/).

What else do I need to check? Could it be an issue with the API secret codes? PS: I am running Nextcloud 13 Stable with the newest version of JSXC.

Greetings

MarcelWaldvogel commented 6 years ago

If you get the SUCCESS message, the API token is correct (otherwise, you would get an invalid API token response or similar).

Can you connect with another client, e.g. Pidgin, to the BOSH URL?

Did you enable time-limited tokens?

ghost commented 6 years ago

Time-limited tokens are disabled. I thought they can only be enabled if everything worked before. It doesn't even work over Pidgin or Conversations.

MarcelWaldvogel commented 6 years ago

Can you tell me more about /etc/xcauth.conf and especially the log files in /var/log/xcauth? (Please edit out API secrets and other information you do not want to be public)

Did you create the directories with the right permissions, e.g. by running ./install.sh?

Is an xcauth.py process running at all? Which mechanism are you using to communicate between Prosody and xcauth?

Which lpty version do you use? Did you apply any of the lpty patches?

ghost commented 6 years ago

* Content of /etc/xcauth.conf:

# Type: ejabberd or prosody
#
type=ejabberd
type=prosody

# Secret: API token
# Shown in the Nextcloud JSXC administration settings
#
# :warning: The real secret must not fall into the wrong hands!
# Anyone knowing it can authenticate as any user to the XMPP server.
# secret=anonymized

# URL: Where JSXC for Nextcloud (>=3.2.0) can be queried
# Shown in the Nextcloud JSXC administration settings
# url=https://.com/index.php/apps/ojsxc/ajax/externalApi.php

# Request timeout
# The timeout to apply for both the connection setup and awaiting
# a response, each.
# timeout=5

# Dynamic database of additional domains
# Only necessary if you plan to dynamically host additional domains.
# If this is unset, dynamic domain support is disabled.
# Please ensure that the containing directory is writable by the xcauth user.
#
domain-db=/var/lib/xcauth/dynamic-domains.db

# Log: Log directory
# In this directory, xcauth.{log,err} will be created
#
log=/var/log/ejabberd
log=/var/log/prosody
log=/var/log/xcauth

# User caching: Cache database location
# Where to store a cache database to avoid queries.
# If this is unset, the user cache is disabled.
# Please ensure that the containing directory is writable by the xcauth user.
#
cache-db=/var/cache/xcauth/user-cache.db

# User caching: TTL since last query
# Use cache entry if most recent query is not older than this timespan
# Time is measured in seconds, unless s, m, h, d, w is used
# as a suffix (seconds, minutes, hours, days, weeks, respectively).
# cache-query-ttl=4h

# User caching: TTL since last verification
# Use cache entry if most recent verification against the backend is
# not older than this and has been queried at least once every
# cache-query-ttl. Time is measured as for cache-query-ttl
# cache-verification-ttl=1d

# User caching: TTL when backend unreachable
# Use cache entry if the request to the backend fails for a reason
# other than "password invalid". Then, independent of the other TTLs above,
# any verification younger than this time will be considered valid.
# Time is measured as for cache-query-ttl.
cache-unreachable-ttl=1w

# User caching: Password hashing complexity
# Hash passwords with 2^cache-bcrypt-rounds before storing (i.e., every
# increment of this parameter results in twice as much computation time,
# both for XMPP cloud auth and an attacker).
#
# The current default as of Summer 2017 is 12.
#
cache-bcrypt-rounds=12

# Shared roster: ejabberdctl path
# Which ejabberdctl to use, and whether to use an ejabberdctl at all.
# Default: none
#
ejabberdctl=/opt/ejabberd/bin/ejabberdctl

# Shared roster: Database to consult
# Default: none
#
shared-roster-db=/var/lib/xcauth/shared-roster.db

# Debug: Log more
# debug

* cat /var/log/xcauth/xcauth.log brings out:

2018-02-15 19:00:50,093 DEBUG: Start external auth script 1.0.0 for prosody with endpoint: https://.com/index.php/apps/ojsxc/ajax/externalApi.php
2018-02-15 19:00:50,094 DEBUG: Receive operation auth
2018-02-15 19:00:50,094 DEBUG: Token is too short: 5 != 23 (maybe not a token?)
2018-02-15 19:00:50,105 DEBUG: Starting new HTTPS connection (1): .com
2018-02-15 19:00:55,414 DEBUG: https://.com:443 "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 44
2018-02-15 19:00:55,417 INFO: SUCCESS: Cloud says password for anonymous>@<anonymized.com is valid
2018-02-15 19:00:59,184 DEBUG: Receive operation auth
2018-02-15 19:00:59,184 DEBUG: Token is too short: 5 != 23 (maybe not a token?)
2018-02-15 19:00:59,366 DEBUG: https://:443 "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 44
2018-02-15 19:00:59,367 INFO: SUCCESS: Cloud says password for anonymous>@<anonymized.com is valid
2018-02-15 19:01:04,702 DEBUG: Receive operation auth
2018-02-15 19:01:04,703 DEBUG: Token is too short: 5 != 23 (maybe not a token?)
2018-02-15 19:01:04,705 DEBUG: Resetting dropped connection:.com
2018-02-15 19:01:09,977 DEBUG: https://.com:443 "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 44
2018-02-15 19:01:09,978 INFO: SUCCESS: Cloud says password for anonymous>@<anonymized.com is valid

* The xcauth.err is empty.
* Content of prosody.cfg.lua: (Don't wonder about the commented-out SQL settings (anonymized o.c.), I ran this as a separate XMPP server before.) Sorry for the comments in the configuration, I used a template and just changed the values to what I wanted.

plugin_paths = { "/opt/xmpp-cloud-auth/prosody-modules" } -- non-standard plugin path so we can keep them up to date with mercurial
--/etc/prosody/prosody.cfg.lua

admins = { "anonymous>@<anonymized.com" }

modules_enabled = {
    "roster"; -- Allow users to have a roster. Recommended ;)
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "vcard"; -- Allow users to set vCards
    "compression"; -- Stream compression (requires the lua-zlib package installed)
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "register"; -- Allows clients to register an account on your server
    "pep"; -- Enables users to publish their mood, activity, playing music and more
    "carbons"; -- XEP-0280: Message Carbons, synchronize messages across devices
    "smacks"; -- XEP-0198: Stream Management, keep chatting even when the network drops for a few seconds
    "mam"; -- XEP-0313: Message Archive Management, allows to retrieve chat history from server
    "csi"; -- XEP-0352: Client State Indication
    "http"; -- mod_http needed for XEP-363
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
    "blocking"; -- XEP-0198 blocking of users
    "watchregistrations";
    "register_web";
    "bosh";
    --"cloud_notify"; -- Support for XEP-0357 Push Notifications for compatibility with ChatSecure/iOS.
    -- iOS typically end the connection when an app runs in the background and requires use of Apple's Push servers to wake up and receive a message. Enabling this module allows your server to do that for your contacts on iOS.
    -- However we leave it commented out as it is another example of vertically integrated cloud platforms at odds with federation, with all the meta-data-based surveillance consequences that that might have.
};

cross_domain_bosh = true
consider_bosh_secure = true

allow_registration = false -- Enable to allow people to register accounts on your server from their clients, for more information see http://prosody.im/doc/creating_accounts

-- These are the SSL/TLS-related settings.
ssl = {
    certificate = "/etc/prosody/certs/fullchain.pem";
    key = "/etc/prosody/certs/privkey.pem";
}

c2s_require_encryption = true -- Force clients to use encrypted connections

-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security
s2s_secure_auth = true

daemonize = false
pidfile = "/var/run/prosody/prosody.pid"

--authentication = "internal_hashed"
authentication = "external"
external_auth_command = "/opt/xmpp-cloud-auth/xcauth.py"

storage = "sql"

-- Make sure to change the password
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "anonymized", host = "localhost" }

log = {
    info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
    error = "/var/log/prosody/prosody.err";
    "*syslog";
}

VirtualHost "anonymized"

-- enable http_upload to allow image sharing across multiple devices and clients
Component "dump.anonymized.com" "http_upload"

-- Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.anonymized.com" "muc"

compression_level = 9

--http_ports = { 5280 }
--http_interfaces = { "*" }

https_ports = { 5281 }
https_interfaces = { "*" }

* I did re-run ./install.sh to make sure everything is in place and with the right permissions.
* I can't find the process xcauth via the search function of htop, and there is also no service "xcauth". Shouldn't this be started automatically or do I need to create the service manually?
* apt search lpty brings out: lua-lpty/xenial,now 1.0.1-1 amd64 [installed]

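The three cache TTLs described in the xcauth.conf comments above (cache-query-ttl, cache-verification-ttl, cache-unreachable-ttl) interact in a way that is easy to misread, so here is an added Python model of that decision policy. It is written for this page and is not xmpp-cloud-auth's own code: the cache entry layout, the backend callback, the reason strings and the constructed clock values are assumptions, and PBKDF2 with 2^rounds iterations stands in for bcrypt so the example needs no extra dependency.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Timespan suffixes as described in the xcauth.conf comments (s, m, h, d, w).
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_timespan(text: str) -> int:
    """Convert '4h' -> 14400, '1w' -> 604800; a bare number is seconds."""
    text = text.strip()
    if text and text[-1] in _UNITS:
        return int(text[:-1]) * _UNITS[text[-1]]
    return int(text)


class BackendUnreachable(Exception):
    """Nextcloud endpoint failed for a reason other than 'password invalid'."""


@dataclass
class CacheEntry:
    # Entry layout is an assumption for this example, not xcauth's schema.
    salt: bytes
    pw_hash: bytes
    last_query: float         # Unix time the entry was last consulted
    last_verification: float  # Unix time the backend last confirmed the password


class AuthCache:
    """Models the three-TTL policy from the xcauth.conf comments."""

    def __init__(self, query_ttl="4h", verification_ttl="1d",
                 unreachable_ttl="1w", hash_rounds=12):
        self.query_ttl = parse_timespan(query_ttl)
        self.verification_ttl = parse_timespan(verification_ttl)
        self.unreachable_ttl = parse_timespan(unreachable_ttl)
        # 2**rounds iterations mirrors the "2^cache-bcrypt-rounds" cost knob;
        # PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption, dependency-free).
        self.iterations = 2 ** hash_rounds
        self.entries: Dict[str, CacheEntry] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _password_matches(self, e: CacheEntry, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, e.salt), e.pw_hash)

    def _fresh(self, e: CacheEntry, now: float) -> bool:
        # Both must hold: queried within cache-query-ttl AND verified within
        # cache-verification-ttl.
        return (now - e.last_query <= self.query_ttl
                and now - e.last_verification <= self.verification_ttl)

    def authenticate(self, user: str, password: str,
                     backend: Callable[[str, str], bool],
                     now: Optional[float] = None) -> str:
        """Return a reason string; anything starting with 'deny' is a failure."""
        now = time.time() if now is None else now
        e = self.entries.get(user)
        if e and self._fresh(e, now) and self._password_matches(e, password):
            e.last_query = now
            return "cache-hit"
        try:
            ok = backend(user, password)
        except BackendUnreachable:
            # Backend down: fall back to cache-unreachable-ttl, measured from the
            # last successful verification, but never skip the password check.
            if (e and self._password_matches(e, password)
                    and now - e.last_verification <= self.unreachable_ttl):
                e.last_query = now
                return "cache-unreachable"
            return "deny-unreachable"
        if not ok:
            # "password invalid" from the backend is authoritative, cache or not.
            return "deny"
        salt = os.urandom(16)
        self.entries[user] = CacheEntry(salt, self._hash(password, salt), now, now)
        return "backend-ok"


def demo() -> list:
    """Walk one user through the policy with a constructed clock and backend."""
    cache = AuthCache(hash_rounds=4)  # low cost so the walk-through is quick
    t0 = 1_500_000_000.0              # constructed start time

    def backend_up(user, password):
        return password == "correct"

    def backend_down(user, password):
        raise BackendUnreachable()

    return [
        cache.authenticate("alice", "correct", backend_up, t0),            # backend-ok
        cache.authenticate("alice", "correct", backend_up, t0 + 3600),     # cache-hit
        cache.authenticate("alice", "wrong", backend_up, t0 + 3600),       # deny
        cache.authenticate("alice", "correct", backend_down, t0 + 6 * 3600),  # cache-unreachable
        cache.authenticate("alice", "correct", backend_down, t0 + 2 * 604800),  # deny-unreachable
        cache.authenticate("bob", "correct", backend_down, t0),            # deny-unreachable
    ]


if __name__ == "__main__":
    print(demo())
```

The walk-through shows the two subtleties of the policy: a fresh entry still requires the presented password to match the stored hash, and the long unreachable TTL only ever extends an earlier successful verification, never creates one, so a user the backend has never confirmed is denied while the backend is down.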
MarcelWaldvogel commented 6 years ago

That leaves Prosody: Can you try to log in again and provide xcauth.log and prosody.log for that period?

ghost commented 6 years ago

When I looked into the prosody.log I needed to disable a few plugins, maybe that's because of the different plugin path from xmpp-cloud-auth? Can I just copy the plugins from the old plugins folder or are they not compatible? Which modules are required for xmpp-cloud-auth? Maybe that could be a problem...

Anyway, here's the prosody.log:

Feb 19 10:44:25 general info    Hello and welcome to Prosody version 0.9.10
Feb 19 10:44:25 general info    Prosody is using the select backend for connection handling
Feb 19 10:44:25 sise-it.com:auth_external   info    External auth with pty command /opt/xmpp-cloud-auth/xcauth.py
Feb 19 10:44:25 portmanager info    Activated service 'http' on [::]:5280, [*]:5280
Feb 19 10:44:25 portmanager info    Activated service 'https' on [::]:5281, [*]:5281
Feb 19 10:44:25 portmanager info    Activated service 'c2s' on [::]:5222, [*]:5222
Feb 19 10:44:25 portmanager info    Activated service 'legacy_ssl' on no ports
Feb 19 10:44:25 modulemanager   error   Unable to load module 'mam': /usr/lib/prosody/modules/mod_mam.lua: No such file or directory
Feb 19 10:44:25 portmanager info    Activated service 's2s' on [::]:5269, [*]:5269
Feb 19 10:44:25 modulemanager   error   Unable to load module 'http_upload': /usr/lib/prosody/modules/mod_http_upload.lua: No such file or directory
Feb 19 10:44:25 hostmanager warn    conference.sise-it.com: Option 'https_ports' has no effect for virtual hosts - put it in the server-wide section instead
Feb 19 10:48:15 mod_bosh    info    New BOSH session, assigned it sid '3c33637a-3c9c-4b5e-b5a8-a45f20b0c93b'
Feb 19 10:48:15 sise-it.com:auth_external   warn    Unable to interpret data from auth process, [35 bytes]

And here the xcauth.log:

2018-02-19 10:48:15,736 DEBUG: Start external auth script 1.0.0 for prosody with endpoint: https://anonymized/index.php/apps/ojsxc/ajax/externalApi.php
2018-02-19 10:48:15,738 DEBUG: Receive operation auth
2018-02-19 10:48:15,738 DEBUG: Token is too short: 5 != 23 (maybe not a token?)
2018-02-19 10:48:15,741 DEBUG: Starting new HTTPS connection (1): anonymized.com
2018-02-19 10:48:15,980 DEBUG: https://anonymized:443 "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 44
2018-02-19 10:48:15,983 INFO: SUCCESS: Cloud says password for anonymous@anonymized.com is valid

One more thing: My cloud is running on cloud.mydomain.com while Prosody is running directly on mydomain.com, but it resolves to the same IP address, so that couldn't be the problem, right?

ghost commented 6 years ago

Ok, now it's getting weird... I can log in now, but only on the second try after logging in to my Cloud. That's reflected in the prosody.log too:

Feb 19 11:02:30 mod_bosh    info    New BOSH session, assigned it sid '3aacf3ba-544e-4ecb-9509-42fd7049ee2a'
Feb 19 11:02:36 sise-it.com:auth_external   warn    Error while waiting for result from auth process: unknown error
Feb 19 11:02:40 mod_bosh    info    New BOSH session, assigned it sid 'd3513069-08ff-4df0-921a-375690ffbd37'
Feb 19 11:02:40 boshd3513069-08ff-4df0-921a-375690ffbd37    info    Authenticated as hannes@anonymized.com
Feb 19 11:03:21 mod_bosh    info    New BOSH session, assigned it sid '921fb10b-c52a-47d9-9e51-37c44b1f50af'
Feb 19 11:03:26 sise-it.com:auth_external   warn    Error while waiting for result from auth process: unknown error
Feb 19 11:03:28 mod_bosh    info    New BOSH session, assigned it sid 'efad2674-58b1-454c-af99-36011e5da35b'
Feb 19 11:03:29 boshefad2674-58b1-454c-af99-36011e5da35b    info    Authenticated as hannes@anonymized.com
Feb 19 11:03:55 sise-it.com:auth_external   warn    Error while waiting for result from auth process: unknown error
Feb 19 11:04:06 sise-it.com:auth_external   warn    Error while waiting for result from auth process: unknown error
Feb 19 11:04:16 c2s212d320  info    Client connected
Feb 19 11:04:25 c2s212d320  info    Client disconnected: closed
Feb 19 11:04:49 mod_bosh    info    New BOSH session, assigned it sid 'd9756fdb-10fd-4b97-b2e3-cb11e717351f'
Feb 19 11:04:54 sise-it.com:auth_external   warn    Error while waiting for result from auth process: unknown error
Feb 19 11:05:11 mod_bosh    info    New BOSH session, assigned it sid 'd6e6f129-8415-4cc9-ae01-4f9c4f278293'
Feb 19 11:05:17 sise-it.com:auth_external   warn    Error while waiting for result from auth process: unknown error
Feb 19 11:05:19 mod_bosh    info    New BOSH session, assigned it sid 'c6dcf7e9-6684-42db-ae5c-a16491add5c2'
Feb 19 11:05:20 boshc6dcf7e9-6684-42db-ae5c-a16491add5c2    info    Authenticated as hannes@anonymized.com

Now that's very interesting... When I got a login, I could also add a contact and write a message... But why is it only working on the second try? I can't log in via Conversations.

Update: I created a test user in Nextcloud for testing the message transfer. It's working. Now I can also log in on the first try... Can I re-enable my modules, such as http_upload for example, by copying them to the plugin folder? Is there a list of supported plugins for xmpp-cloud-auth?

Update 2: Authentication now works in 99% of tries. I think the problem was at least the old plugins, which were not present in the new plugin folder. The last thing remaining is the question whether I can use my plugins from the old plugin path by copying them into the new folder provided by xmpp-cloud-auth.

MarcelWaldvogel commented 6 years ago

Ah, then it's probably the lpty bug and thus a duplicate of #45 and #21. This has been reported (with patches) to the Prosody team almost a year ago. I am sorry to hear that people are still bitten by it.

As a workaround, use the mod_auth_external.lua from the ./prosody-modules/ subdirectory.

Do you have a suggestion from where we should reference that part of ./doc/Installation.md, so that you would have stumbled over it?

ghost commented 6 years ago

Oh... I think the mention in the installation guide is enough, but I didn't know that it's that issue, because the logs weren't telling me that. I will try the workaround :) But anyway it seems to work without that most of the time too, so we can close this issue. (Shall I?) Thanks very much for your help :)