ministryofjustice / analytics-platform

Parent repository for the MOJ Analytics Platform
MIT License

"Access denied" error logging into apps #98

Closed davidread closed 5 years ago

davidread commented 5 years ago

This has happened with 2 quantum users.

User sees this during app login:

[Screenshot: Screen Shot 2019-03-26 at 15 47 59]

In auth0 logs it says: Cannot read property 'toLowerCase' of null

[Screenshots: Screen Shot 2019-03-26 at 15 47 03, Screen Shot 2019-03-26 at 15 45 26]

r4vi commented 5 years ago

Happens when the passwordless user has been created in auth0 without a username field. You can't set this afterwards. You can fix it by deleting the user, and when they attempt to log in again they will be recreated with a username.

calumabarnett commented 5 years ago

Another user has experienced this issue with the CCMA-Gold-Scorecard-App. @r4vi can this be fixed by deleting and re-adding the user in control panel alone or does the user need to be deleted in Auth0 as well?

r4vi commented 5 years ago

@calumabarnett which user? (send me a message) I'll need to check in auth0 and see if they don't have username set. If they don't then the only remedy is to delete and re-add

r4vi commented 5 years ago

I think this line needs to explicitly set nickname https://github.com/ministryofjustice/analytics-platform-control-panel/blob/ee6159cf8855c3a6da319bcabced18d73fc168e5/controlpanel/api/auth0.py#L157

andyhd commented 5 years ago

I can only find one email user associated with the toLowerCase error message. They have a nickname set, so I assume the user was recreated? @r4vi do you have any idea why they didn't have one originally? I can't see what makes them different from any of the other email users that work. Where is the code that calls toLowerCase?

r4vi commented 5 years ago

yeah they've all probably been recreated... @andyhd this is the rule: https://manage.auth0.com/dashboard/eu/alpha-analytics-moj/rules/rul_xMy5gTXg43c5wYla

r4vi commented 5 years ago

which comes from: https://github.com/ministryofjustice/analytics-platform-auth0/blob/alpha/rules/Lowercase-the-user-nickname.js

r4vi commented 5 years ago

@andyhd no idea why they didn't have one but it seems to be random

andyhd commented 5 years ago

I think the fix is best applied in the rule - we don't use nicknames for passwordless users

r4vi commented 5 years ago

That's a quick fix... but what if we did start relying on it? Or an app did (we now expose the user profile to webapps). We should do the other fix too

davidread commented 5 years ago

Fixed in https://github.com/ministryofjustice/analytics-platform-control-panel/pull/720 we think
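
The rule-side fix discussed in this thread, as an added example that is not part of the original issue or of either repository: a rule that lowercases `nickname` unconditionally next to a null-safe variant, run against constructed profiles. The unsafe rule body is an assumption reconstructed from the logged error, and `runRule` is a hypothetical stand-in for the Auth0 rules pipeline, in which a failing rule denies the login.

```javascript
// Assumed shape of the failing rule: lowercases user.nickname unconditionally.
// Reconstructed from the logged error, not copied from the repository.
function lowercaseNicknameUnsafe(user, context, callback) {
  user.nickname = user.nickname.toLowerCase(); // TypeError when nickname is null
  callback(null, user, context);
}

// Null-safe variant: only normalise nickname when it is a string, so a
// missing profile field cannot abort the login.
function lowercaseNicknameSafe(user, context, callback) {
  if (typeof user.nickname === 'string') {
    user.nickname = user.nickname.toLowerCase();
  }
  callback(null, user, context);
}

// Hypothetical stand-in for the rules pipeline: a thrown exception or an
// error passed to the callback means the user is denied access.
function runRule(rule, user) {
  const outcome = { allowed: false, error: null, user: null };
  try {
    rule({ ...user }, {}, (err, updatedUser) => {
      if (err) {
        outcome.error = err;
        return;
      }
      outcome.allowed = true;
      outcome.user = updatedUser;
    });
  } catch (err) {
    outcome.error = err;
  }
  return outcome;
}

// Constructed sample profiles (not real users).
const withNickname = { email: 'alice@example.com', nickname: 'Alice' };
const passwordlessNoNickname = { email: 'bob@example.com', nickname: null };
```

The guard only stops the login failure; the profile still has no nickname, which is why the thread also wants it set when the user is created.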