mastodon / mastodon-ios

Official iOS app for Mastodon
https://app.joinmastodon.org/ios
GNU General Public License v3.0

Verification failed when connecting over Tor #346

Open k0gen opened 2 years ago

k0gen commented 2 years ago

Connecting with my .onion mastodon works just fine but I'm unable to login.


MainasuK commented 2 years ago

Related: https://github.com/mastodon/mastodon-ios/issues/334#issuecomment-1056848588

Is the issue reproduced every time you sign in on your onion server? That webpage is the system standard authentication control. I have encountered the same error pages before, but retrying works.

k0gen commented 2 years ago

Yes, the issue is reproduced every time. I'm installing another test instance for you to debug this issue. I'll send credentials via email soon.

Gargron commented 2 years ago

Could it be clock related, somehow? Either on your phone or on the server?

k0gen commented 2 years ago

> Could it be clock related, somehow? Either on your phone or on the server?

Both are NTP synced so I doubt it.

I have a fresh Mastodon .onion instance ready and open for you guys to test and debug against.

MainasuK commented 2 years ago

I received your onion site address and tested it with the Orbot app. I believe the Mastodon app and Tor Browser cannot sign in to it either. Thanks to the Orbot app, you can use the Safari app to open any onion website. For example, DuckDuckGo: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/.

Then I tried opening the onion Mastodon server in Safari and it failed with the same issue.

@Gargron Any idea? Maybe this issue needs transfer to Mastodon repo.

k0gen commented 2 years ago

> I received your onion site address and tested it with the Orbot app. I believe the Mastodon app and Tor Browser cannot sign in to it either. Thanks to the Orbot app, you can use the Safari app to open any onion website. For example, DuckDuckGo: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/.

I normally don't use Tor Browser, but I have just tested it out and I was able to sign in and log in with no problem on my Linux desktop.

MainasuK commented 2 years ago

I tested Safari for iOS and Chrome for iOS with an Orbot connection, and also Firefox for macOS with a SOCKS5 (force DNS) Tor proxy. I get the same "Security verification failed. Are you blocking cookies?" failure prompt.

The website inspector tells me the sign-in query returns an HTTP 422 error code.

k0gen commented 2 years ago

I know that the latest Firefox is having issues; make sure you have:

dom.securecontext.allowlist_onions and dom.securecontext.whitelist_onions set to true in about:config

Gargron commented 2 years ago

What onion address can I test with?

k0gen commented 2 years ago

> What onion address can I test with?

Check your e-mail.

dr-bonez commented 2 years ago

Tor Browser and Firefox (when properly configured) treat http onion addresses as secure contexts since the transport layer is encrypted and self-authenticated. Safari running in Orbot has no way of knowing this, so it will see the http and assume that the domain is insecure, so it won't accept cookies with the Secure flag.
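
The behaviour described in the last comment, as an added example that is not part of the thread and is not Mastodon's or any browser's code: a simplified model of a client dropping a Secure cookie on an http onion origin, after which the sign-in POST fails verification. The host name, cookie name, token values and the toy server check are constructed assumptions; only the 422 status comes from the thread.

```javascript
// Simplified model (added example): why a Secure session cookie set over
// http://*.onion survives in one client and is dropped in another.
// Host name, cookie name and token values below are constructed.

// Does this client treat the URL as a secure context?
function isSecureContext(url, client) {
  const u = new URL(url);
  if (u.protocol === "https:") return true;
  // Tor Browser (and Firefox with the onion prefs enabled) trust http onions.
  return client.trustsOnion && u.hostname.endsWith(".onion");
}

// Apply Set-Cookie headers to a jar, dropping Secure cookies on insecure origins.
function storeCookies(jar, url, setCookieHeaders, client) {
  for (const header of setCookieHeaders) {
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const secure = attrs.some((a) => a.toLowerCase() === "secure");
    if (secure && !isSecureContext(url, client)) continue; // silently rejected
    jar.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  return jar;
}

// Toy server: the form's CSRF token must match the one bound to the session.
const sessions = new Map([["sess-1", { csrf: "tok-abc" }]]);
function postSignIn(jar, formToken) {
  const session = sessions.get(jar.get("_session_id"));
  if (!session || session.csrf !== formToken) return 422; // verification failed
  return 302; // signed in, redirect
}

// One full attempt: GET the form (cookie is set), then POST it back.
function attemptSignIn(client) {
  const url = "http://exampleonionaddress.onion/auth/sign_in";
  const jar = storeCookies(new Map(), url,
    ["_session_id=sess-1; Path=/; HttpOnly; Secure"], client);
  return { status: postSignIn(jar, "tok-abc"), cookies: jar.size };
}

const torBrowser = { trustsOnion: true };
const safariViaOrbot = { trustsOnion: false };
console.log("Tor Browser:", attemptSignIn(torBrowser));
console.log("Safari + Orbot:", attemptSignIn(safariViaOrbot));
```

In this model the form token is correct in both runs; the only difference is whether the session cookie was stored, which is why the failure looks like blocked cookies from the server's side.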