OWA: Outlook.com: Login success not detected

[benbucksch]

Reproduction

1. Set up @outlook.com email address
2. Choose OWA as protocol
3. -> Login window opens
4. Login in
5. Do not remember login, Do not remember this decition

Actual result

• The OWA webmail frontend shows in the login window
• Login window stays open
• When closing the window, the login fails
• on startupdata.ashx call, there is a X-OWA-CANARY session cookie, on the /owa/0/ path (!), on host outlook.live.com.

Expected result

• Login success is detected
• Window closes
• Setup finishes
• Emails fetch into Mustang

Cause

• The /owa/0/ path? We have specific code in Owl login code to handle that for hotmail.

[benbucksch]

Look at the Owl source code, search for /owa/0/, and use the same code logic in Mustang. It doesn't hardcode /owa/0/ (because there could be 1 etc.), but checks the URL path on the cookie that the server sets when setting the cookie.

[jermy-c]

I ported the code from Owl and I'm getting an error here, even when there's a cookie for X-OWA-CANARY with the path owa/0/ and hostname outlook.live.com:

https://github.com/mustang-im/mustang/blob/c17c9918c6bd652150729b2efb3c40f6fe433b5e/backend/owa.ts#L36

And finish() doesn't run and close the window because of it.

[benbucksch]

Yes, because we need to adapt url to have the /owa/0/. Given that the canary is limited to that path, if url is not adapted, the correct cookie won't be sent by the browser, because the path does not match. The Owl source contains the solution.

[jermy-c]

The login is now detected and it closes the window with some errors, so we're still not able to success add the new account:

The response is a code 200 but the response.json is it has problems.

SyntaxError: Unexpected end of JSON input
    at JSON.parse (<anonymous>)
    at parseJSONFromBytes (node:internal/deps/undici/undici:5472:19)
    at successSteps (node:internal/deps/undici/undici:5454:27)
    at fullyReadBody (node:internal/deps/undici/undici:4381:9)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async consumeBody (node:internal/deps/undici/undici:5463:7)
    at async fetchJSON (file:///Users/jeremyc/Documents/GitHub/mustang/e2/out/main/index.js:126248:17)
    at async JPCWebSocket.callListener (file:///Users/jeremyc/Documents/GitHub/mustang/e2/out/main/index.js:45973:16)
    at async WSCall._incomingMessage (file:///Users/jeremyc/Documents/GitHub/mustang/e2/out/main/index.js:45556:20)
    at async WebSocket.<anonymous> (file:///Users/jeremyc/Documents/GitHub/mustang/e2/out/main/index.js:45650:9)

Error: Unexpected end of JSON input
    at message.js:153:16
    at new Promise (<anonymous>)
    at WSCall.makeCall (message.js:148:12)
    at JPCWebSocket.callRemote (protocol.js:161:31)
    at Object.fetchJSON (obj.js:198:55)
    at OWAAccount.callOWA (OWAAccount.ts:152:50)
    at OWAAddressbook.listContacts (OWAAddressbook.ts:25:39)
    at OWAAccount.login (OWAAccount.ts:79:23)
    at async OWAAccount.verifyLogin (Account.ts:66:5)
    at async checkConfig (checkConfig.ts:8:5)

[benbucksch]

@jermy-c I noticed that when logging in to the @bexchange.net test account, the URL is changed to https://exchange2019.ionos.de/owa/auth.owa (instead of https://exchange2019.ionos.de/owa/ ). After login, it seems to be OK again. This looks fishy to me. I am concerned that the change here is breaking on-premise Exchange logins.

[jermy-c]

I occasionally get Cannot read properties of null (reading 'ParentFolder') in the following cases:

1. After a successful login during setup and clicking next
2. On startup and clicking the connect button next to the account

[benbucksch]

@jermy-c Can you please find out the exact condition under which this happens, file a new bug about it (reference this bug here), and maybe even fix it?