jsxc / xmpp-cloud-auth

:key: Authentication hub for Nextcloud+JSXC→Prosody, ejabberd, saslauthd, Postfix
https://www.jsxc.org
MIT License

Activate time-limited tokens (beta): Invalid username or password #89

Open ghost opened 3 years ago

ghost commented 3 years ago

Hi, I am having issues with time-limited tokens on JavaScript XMPP Chat 4.2.1 and most recent commit of xmpp-cloud-auth

I think that with somewhat recent updates (sorry, I don't know which one) automatic logging in to the XMPP chat stopped working (?), and I don't expect any of my few users to bother logging in manually (asking for user ID and domain, which are both in session info), so I started to play with the time-limited tokens, but without any success (I am 'troubleshooting' this via Firefox's developer tools).

result from call (without content) bundle.js:25 to https://nextcloud.example.com/index.php/apps/ojsxc/settings

{"result":"success",
 "data":{"disabled":false,
  "xmpp":{"url":"https:\/\/nextcloud.example.com\/bosh","domain":"example.com","resource":"web","defaultDomain":"xmpp.example.com","node":"user","password":"<31 characters long string>"},
  "loginForm":{"enable":false,"form":"#body-login form","jid":"#user","pass":"#password","preJid":"undefined","onConnecting":"quiet","onConnected":"submit","onAuthFail":"submit","attachIfFound":true,"ifFound":"force","startMinimized":false},
  "priority":{"online":"9","chat":"10","away":"8","xa":"7","dnd":"-1"},
  "client":{"lang":"cs"}}}

then POST request from jsxc.bundle.js:2 (useful, right? :) to bosh

<body content="text/xml; charset=utf-8" hold="1" rid="666534419" to="example.com" ver="1.6" wait="60" xml:lang="en" xmlns="http://jabber.org/protocol/httpbind" xmlns:xmpp="urn:xmpp:xbosh" xmpp:version="1.0"/>

response:

<body xmpp:version='1.0' authid='4356426246084140209' xmlns='http://jabber.org/protocol/httpbind' sid='e80a165a80c7664c7efc646f80298dd5c76f7e24' wait='60' ver='1.11' polling='2' inactivity='30' hold='1' xmpp:restartlogic='true' requests='2' secure='true' maxpause='120' xmlns:xmpp='urn:xmpp:xbosh' xmlns:stream='http://etherx.jabber.org/streams' from='example.com'>
    <stream:features>
        <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
            <mechanism>PLAIN</mechanism>
            <mechanism>X-OAUTH2</mechanism>
        </mechanisms>
    </stream:features>
</body>

and last POST request from jsxc.bundle.js:2 (useful, right? :) to bosh

<body rid="4028017525" sid="0199fa91156c174f2aaeb5f5d379d6377e23919e" xmlns="http://jabber.org/protocol/httpbind"><auth mechanism="PLAIN" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dXNlcjxzYW1lIDMxIGNoYXJhY3RlcnMgbG9uZyBzdHJpbmcsIHNvcnJ5IGZvciBtZXNzaW5nIHdpdGggdGhpcyA6KT4=</auth></body>

response:

<body xmlns='http://jabber.org/protocol/httpbind'><failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text xml:lang='en'>Invalid username or password</text></failure></body>

xcauth.log: (xcauth.err is definitely no snitch - being empty)

2021-01-07 13:07:12,864 DEBUG: Receive operation auth
2021-01-07 13:07:12,865 WARNING: Token for user@example.com has invalid signature (possible attack attempt!)
2021-01-07 13:07:13,191 DEBUG: Resetting dropped connection: nextcloud.example.com
2021-01-07 13:07:13,973 DEBUG: https://nextcloud.example.com:443 "POST /index.php/apps/ojsxc/ajax/externalApi.php HTTP/1.1" 200 39
2021-01-07 13:07:13,974 INFO: FAILURE: Could not authenticate user user@example.com: noauth
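
A troubleshooting aid for the exchange above, added here as an example and not part of the original post or of xmpp-cloud-auth: it decodes the base64 body of the `<auth mechanism="PLAIN">` element (RFC 4616 layout) and compares it with the `xmpp` object from the settings reply. The function names, the sample token and the `GOOD`/`STALE` payloads are constructed for illustration.

```python
import base64
import binascii

def decode_sasl_plain(b64_payload):
    """Decode an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    try:
        raw = base64.b64decode(b64_payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64: %s" % exc)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected 2 NUL separators, found %d" % (len(parts) - 1))
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authcid or passwd")
    return authzid, authcid, passwd

def compare_with_settings(b64_payload, xmpp):
    """List mismatches between the PLAIN payload and the settings 'xmpp' object."""
    try:
        authzid, authcid, passwd = decode_sasl_plain(b64_payload)
    except ValueError as exc:
        return ["malformed PLAIN message: %s" % exc]
    bare_jid = "%s@%s" % (xmpp["node"], xmpp["domain"])
    problems = []
    if authcid not in (xmpp["node"], bare_jid):
        problems.append("authcid %r is not %r" % (authcid, xmpp["node"]))
    if authzid and authzid != bare_jid:
        problems.append("authzid %r is not %r" % (authzid, bare_jid))
    if passwd != xmpp["password"]:
        # Report lengths only, so the secret never ends up in a log.
        problems.append("passwd differs from settings password (lengths %d vs %d)"
                        % (len(passwd), len(xmpp["password"])))
    return problems

# Constructed sample: field names follow the settings reply in the issue,
# the token values are made up.
SETTINGS_XMPP = {"node": "user", "domain": "example.com",
                 "password": "constructed-token-0123456789abc"}
GOOD = base64.b64encode(
    b"user@example.com\x00user\x00constructed-token-0123456789abc").decode()
STALE = base64.b64encode(b"\x00user\x00older-constructed-token-value").decode()
# Payload as posted in the issue; it decodes to placeholder text without NULs.
POSTED = ("dXNlcjxzYW1lIDMxIGNoYXJhY3RlcnMgbG9uZyBzdHJpbmcsIHNvcnJ5IGZvciBtZXNz"
          "aW5nIHdpdGggdGhpcyA6KT4=")

if __name__ == "__main__":
    for name, payload in (("good", GOOD), ("stale", STALE), ("posted", POSTED)):
        print(name, compare_with_settings(payload, SETTINGS_XMPP) or "matches settings")
```

An empty result only shows that the client sent the credential it was given; whether xcauth accepts that token's signature is a separate check on the server side.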

ghost commented 3 years ago

I updated my ejabberd to 20.04; it works a bit better and video calls work straight out of the box. I tested the login with token several times; it did not work, while login and password works without any problem.

ghost commented 2 years ago

I would call this a deal-breaker - without it, the jsxc is practically useless for me - none of my Nextcloud users will bother to log in twice (most of them don't even know this exists), and so with a completely empty roster, it is just a waste of bytes and pixels (albeit only a few).

sualko commented 2 years ago

I'm sorry that you experienced trouble with this module. Can you ping us again in a week? Thanks for your patience.

ghost commented 2 years ago

Hi, sorry it took me a bit longer to get back to you again. I still hope that the behaviour can be changed so the login happens automatically and I can start using jsxc with my instance's other users, who are currently always offline.

ghost commented 2 years ago

I just noticed that login in jsxc started to work automatically after login with nextcloud 22.2.3 (snap version) while jsxc stays on 4.3.1 from last summer, which would suggest that the bug was not in jsxc code, sorry about this!

ghost commented 2 years ago

Oh oh, my fault, I closed this thinking that the tokens started to work. That still doesn't work (I will try to retest this with a newer ejabberd sometime next week); what started to work is a single login to Nextcloud and to XMPP.