meedan / montage

A collaborative video annotation app
https://montage.meedan.com

Some users can't login #7

Closed infojunkie closed 6 years ago

infojunkie commented 6 years ago

We have received reports that some users aren't able to login. This issue is to track those occurrences.

caiosba commented 6 years ago

This is how I was able to reproduce it:

caiosba commented 6 years ago

Actually, I was able to reproduce it in a simpler way now...

caiosba commented 6 years ago

Maybe related to this error: Refused to execute script from 'https://accounts.google.com/o/oauth2/revoke?token=...&callback=angular.callbacks._0' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.

caiosba commented 6 years ago

So, this is the problem:

I can confirm that this happens because no HTTP request is made to get a fresh token during the interval in which the token should be valid. Also, it works well in an incognito window. Need to find out where the token is cached (and it stays cached even if the page is reloaded): I already verified it's not in localStorage or cookies.

caiosba commented 6 years ago

I tried hard, for hours, to keep using gapi.auth.authorize for authentication, although this method is not encouraged by Google (from https://developers.google.com/identity/sign-in/web/reference#gapiauth2authorizeparams-callback):

Warning: do not use this method alongside the recommended gapi.auth2.init and signIn flow. These are two distinct behaviors (Authorization for gapi.auth2.authorize vs Authentication for gapi.auth2.init/signIn) and will have unexpected issues if used within the same application.

Basically, the code was using for authentication something that is for authorization only. I tried many hacks to make it work for a real authentication flow, but it didn't work.

I replaced the auth.authorize method with auth2.signIn for login, and the manual way of logging out (which is calling the REST API revoke endpoint manually) with auth2.signOut. I didn't change the library version. Now everything works well. I pushed the code to a new branch. I'll test a little more, record a screencast, merge to develop and close this issue.
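The sign-in/sign-out wiring described in the comment above, written out as an added example against the `gapi.auth2` API. This is not Montage's code or the patch that was merged; it shows the shape of the fix: `gapi.auth2.init` plus `signIn` for authentication, `signOut` for logout, and no manual JSONP call to the revoke endpoint. The `gapi` object is passed in rather than read from `window` so the module can be exercised without the Google platform script, and the client ID is a placeholder, not the project's.

```javascript
// Added example, not the project's code. `gapi` is the object the Google
// platform script (https://apis.google.com/js/platform.js) puts on window;
// it is injected here so this module has no load-time side effects.
function createGoogleAuth(gapi, clientId) {
  let auth = null; // GoogleAuth instance, set once init() resolves

  // Authentication flow: gapi.auth2.init followed by signIn. Google warns
  // against mixing this with gapi.auth.authorize / gapi.auth2.authorize,
  // which only obtain an access token (authorization, not identity).
  function init() {
    return new Promise((resolve, reject) => {
      gapi.load('auth2', () => {
        try {
          gapi.auth2
            .init({ client_id: clientId, scope: 'profile email' })
            .then((instance) => { auth = instance; resolve(instance); }, reject);
        } catch (err) {
          reject(err);
        }
      });
    });
  }

  // Returns the fields the app should keep for the session. The ID token is
  // the artifact that proves who the user is (it is bound to client_id and
  // must be verified on the server); the access token only authorizes calls
  // to Google APIs on the user's behalf and is not proof of identity.
  function login() {
    if (!auth) return Promise.reject(new Error('init() has not completed'));
    return auth.signIn().then((user) => {
      const resp = user.getAuthResponse();
      return {
        idToken: resp.id_token,
        expiresAt: resp.expires_at,     // ms since epoch, per the gapi docs
        email: user.getBasicProfile().getEmail(),
      };
    });
  }

  // signOut clears the library's session state. The previous approach, a
  // JSONP <script> request to accounts.google.com/o/oauth2/revoke, is not
  // needed and breaks under strict MIME checking because the endpoint
  // answers with application/json, which the browser refuses to execute.
  function logout() {
    if (!auth) return Promise.reject(new Error('init() has not completed'));
    return auth.signOut();
  }

  function isSignedIn() {
    return auth !== null && auth.isSignedIn.get();
  }

  // On page load, trust only what the library reports, not a token the app
  // cached itself; a session whose expires_at has passed is treated as gone.
  function sessionIsValid(session, nowMs) {
    return Boolean(session && session.idToken) && session.expiresAt > nowMs;
  }

  return { init, login, logout, isSignedIn, sessionIsValid };
}
```

In the browser this is used as `createGoogleAuth(window.gapi, '<your client id>')`, calling `init()` once at startup and then `login()` / `logout()` from the UI; the returned `idToken` is what gets posted to the backend, which must verify it rather than treat its presence as proof of login.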

caiosba commented 6 years ago

Merged. The fix is available on develop. This video shows the problem: https://www.youtube.com/watch?v=hnDDQkRmNXY. After we log out and refresh the page, we are still logged in for some seconds. Another refresh, and we are at the login page. But if we try to log in, we can't, and we get an "Invalid token" error message. This other video shows that the flow works after the fix: https://www.youtube.com/watch?v=a5xnIAxihTk.

infojunkie commented 6 years ago

I confirm that:

caiosba commented 6 years ago

Labeled as pending test deployment. Will close as soon as this is deployed to the test server and verified by QA people.

caiosba commented 6 years ago

Deployed to QA, please verify.

wafaaheikal commented 6 years ago

Verified

caiosba commented 6 years ago

Verified on live :heavy_check_mark: