mozilla / fxa

Monorepo for Mozilla Accounts (formerly Firefox Accounts)
https://mozilla.github.io/ecosystem-platform/
Mozilla Public License 2.0

Login error on Tomato Clock campaign: Invalid parameter: state #6703

Closed ItsIgnacioPortal closed 4 years ago

ItsIgnacioPortal commented 4 years ago

Description

When logging in to accounts.firefox.com, I get the error Invalid parameter: state

Steps to reproduce

  1. Open new tab
  2. Click the "Tomato Clock" link on the little section (campaign?) at the bottom
  3. On the newly opened tab, click Register or Log-in
  4. Now click Sign in

Expected result

Log-in correctly

Actual result

The log-in refuses to go on, with the error "Invalid parameter: state" in a red box (email censored for privacy reasons): screenshot

Environment

Windows 10 19041.508 Firefox 81.0.2 (64-bit) (Logged-in to Firefox-Sync)

Issue is synchronized with this Jira bug. Issue number: FXA-2623

dannycoates commented 4 years ago

Thanks for reporting this @PinkDev1

dannycoates commented 4 years ago

@clouserw this must have come from snippets. Who should we contact about changing their link?

clouserw commented 4 years ago

I'll get in touch with them, but what should the link be? Looking at the link I don't see anything wrong.

I looked at the new tab page in my browser also and got a slightly different link:

https://addons.mozilla.org/firefox/addon/tomato-clock/?utm_source=desktop-snippet&utm_medium=snippet&utm_campaign=tomato-clock-addon-oct2020&utm_term=24237&utm_content=BETA_DEV_NIGHTLY

Neither link gives me an error when I follow the steps to reproduce though. Are you able to reproduce?

dannycoates commented 4 years ago

This is a problem with how AMO is redirecting to fxa.

The sign-in link on AMO:

https://addons.mozilla.org/api/v4/accounts/login/start/?config=amo&to=%2Fen-US%2Ffirefox%2Faddon%2Ftomato-clock%2F%3Futm_source%3Ddesktop-snippet%26utm_medium%3Dsnippet%26utm_campaign%3Dtomato-clock-addon-oct2020%26utm_term%3D24234%26utm_content%3DREL

returns a 302 to fxa oauth (line breaks added)

Location: https://oauth.accounts.firefox.com/v1/authorization
?client_id=a4907de5fa9d78fc
&scope=profile+openid
&state=6dc20c34fedaf5d772c6b5498d8b34ddc5fb1838c8a2d53a02e33d5b96c05fee%3AL2VuLVVTL2ZpcmVmb3gvYWRkb24vdG9tYXRvLWNsb2NrLz91dG1fc291cmNlPWRlc2t0b3Atc25pcHBldCZ1dG1fbWVkaXVtPXNuaXBwZXQmdXRtX2NhbXBhaWduPXRvbWF0by1jbG9jay1hZGRvbi1vY3QyMDIwJnV0bV90ZXJtPTI0MjM0JnV0bV9jb250ZW50PVJFTA
&action=signin

The problem here is that state is 266 characters but our validation is set to a maximum size of 256. We should probably just increase this limit.

clouserw commented 4 years ago

Nice find. I looked online for a length in an RFC or something and didn't see one. Seems like most sites just pick a value. [I see you put in a patch to make it 512. wfm]

We could return an HTTP 414 URI TOO LONG instead of a user error in the form, but that's not quite the same and probably doesn't really matter. Thanks for the patch.