msupply-foundation / open-msupply

Open mSupply represents our most recent advancement in the Logistics Management Information System (LMIS), expanding on more than two decades of development inherited from the well-established legacy of the original mSupply.
https://msupply.foundation/open-msupply/

Able to login on browser despite the site being attached to a hardware ID (desktop app) #3517

Closed regotaina closed 6 months ago

regotaina commented 7 months ago

What went wrong? 😲

During a few tests with @roxy-dao we were able to log in on browser despite the site being attached to a hardware ID (desktop app).

Expected behaviour 🤔

If a site is attached to a hardware ID you cannot log in to browser

How to Reproduce 🔨

Choose a site that is attached to a hardware ID. Log in to browser using credentials for a user that has access to this site.

Your environment 🌱

roxy-dao commented 7 months ago

Update: You can't sync, but can still view all data that was synced beforehand

clemens-msupply commented 7 months ago

Could you provide more details about your exact setup?

Do you have an omSupply remote site and log into this server using Chrome? And then you change the hardware ID on the central server? This means sync fails, but remote site is still running.

I would say this is expected behaviour. However, the question is if we should kill/stop the remote server if this hardware ID mismatch is detected? However, the damage might already be done, e.g. if changes have been made on the remote site, these changes will be lost if a different remote server is taking over permanently.

regotaina commented 7 months ago

> Could you provide more details about your exact setup?
>
> Do you have an omSupply remote site and log into this server using Chrome? And then you change the hardware ID on the central server? This means sync fails, but remote site is still running.
>
> I would say this is expected behaviour. However, the question is if we should kill/stop the remote server if this hardware ID mismatch is detected? However, the damage might already be done, e.g. if changes have been made on the remote site, these changes will be lost if a different remote server is taking over permanently.

Basically I connected the site to desktop app first. Then logged using my username on the browser. It opened the site that was on desktop app. I didn't change the hardware ID at all, the server kept the 1st one from desktop app.

I was able to see transactions on browser and even create an inbound shipment. However I could not sync, creating the situation you described, of transactions being lost.

clemens-msupply commented 7 months ago

You mean you used omSupply desktop connected to a local remote server (standalone installer)? What is the URL you connect to in the browser? To the one for the local remote server?

It sounds like you have two remote servers running somewhere?

Chris-Petty commented 6 months ago

@regotaina I think we still need more reproduction steps, as we're still not 100% sure what you mean:

> During a few tests with @roxy-dao we were able to login on browser despite the site being attached to a hardware ID

User login in the OMS app to a remote server (via browser or app) is a completely separate authorisation to the remote server sync authentication to the central server, the latter being what the hardware ID matters in.

> If a site is attached to a hardware ID you cannot login into browser

Thus this expected behaviour doesn't really make sense, leading to confusion here. HardwareID has nothing to do with user login.

If you're sure you didn't change the hardware ID on the central server, then perhaps an explanation is that somehow in your steps OMS changed what it thought its hardware ID was, I don't think there is any mechanism for this though.

I'm aware a month or so ago that many people were having confusion when using the desktop app on cloud servers as it was very easy to be connected to the wrong "remote" server on cloud VPS. Is it possible your browser was connected to "taina.msupply.org" but your desktop app was connected to a different remote server on CloudVPS that was working correctly?

If it's been too long since you had the issue and you don't have it anymore, it might be easier to close this issue until you see the problem again.

mark-prins commented 6 months ago

Echoing Chris's comments - can we close the issue? I'm still not clear on the scenario - but generally, having multiple clients log in to a server is acceptable.

regotaina commented 6 months ago

Ok, @Chris-Petty clarified! @roxy-dao and I thought that once you're logged on Desktop app, if you attempt to login on browser, it should lock you out.

However, the expected behaviour in this case is that the browser acts like a client, therefore, there's no problem with being logged in on 2 devices at the same time. The hardware ID should not stop users from logging in on browser.

The good thing is that we picked up another minor bug with sync and timezones... but that's another story for another issue. Thanks team! 👍🏾

Closing this issue now.
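
An added illustration, not part of the thread and not Open mSupply code: a minimal Rust model of the distinction the maintainers draw above, where the hardware ID is checked only when a remote server syncs to the central server and never at user login. The `Central` and `Remote` types, the bind-on-first-sync rule, and the sample site, user and hardware ID values are assumptions constructed for the example.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
enum SyncError { UnknownSite, HardwareIdMismatch }

// Hypothetical central server: site name -> hardware ID bound on first sync.
struct Central { bound: HashMap<String, Option<String>> }

impl Central {
    // Sync authentication: the only place the hardware ID is checked.
    fn sync(&mut self, site: &str, hardware_id: &str) -> Result<(), SyncError> {
        let slot = self.bound.get_mut(site).ok_or(SyncError::UnknownSite)?;
        if let Some(id) = slot.as_deref() {
            return if id == hardware_id { Ok(()) } else { Err(SyncError::HardwareIdMismatch) };
        }
        *slot = Some(hardware_id.to_string()); // assumed rule: first sync binds the site
        Ok(())
    }
}

// Hypothetical remote server; browser and desktop app are both just clients of it.
struct Remote { site: String, hardware_id: String, users: HashSet<String>, unsynced: Vec<String> }

impl Remote {
    // User login (credential check elided): never looks at the hardware ID.
    fn login(&self, user: &str) -> bool { self.users.contains(user) }
    // A logged-in user can create records locally whether or not sync works.
    fn record(&mut self, user: &str, change: &str) -> bool {
        let ok = self.login(user);
        if ok { self.unsynced.push(change.to_string()); }
        ok
    }
    // Push local changes; they stay queued locally if the central server refuses.
    fn push(&mut self, central: &mut Central) -> Result<usize, SyncError> {
        central.sync(&self.site, &self.hardware_id)?;
        Ok(self.unsynced.drain(..).count())
    }
}

// Constructed sample data: one site, one user, caller-chosen hardware ID.
fn remote(hw: &str) -> Remote {
    Remote { site: "site-a".into(), hardware_id: hw.into(),
             users: HashSet::from(["user1".to_string()]), unsynced: Vec::new() }
}
fn central() -> Central { Central { bound: HashMap::from([("site-a".to_string(), None)]) } }

fn main() {
    let (mut c, mut first, mut second) = (central(), remote("hw-1"), remote("hw-2"));
    println!("first sync: {:?}", first.push(&mut c));
    println!("login on second: {}", second.record("user1", "inbound shipment"));
    let result = second.push(&mut c);
    println!("second sync: {:?}, still queued: {}", result, second.unsynced.len());
}
```

In this model the second remote server accepts the login and the new record, but its sync is refused and the record stays queued locally, which is the "can view and create, cannot sync" state described in the thread.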