myrunes / backend

REST API backend and database bindings for myrunes.com - crafted with Go
https://myrunes.com

Login error: "context deadline exceeded" #28

Closed vnedyavila closed 3 years ago

vnedyavila commented 3 years ago

Screenshot attached (image: myruneserror).

Here's the login request:

```cmd
curl "https://myrunes.com/api/login" ^
  -H "authority: myrunes.com" ^
  -H "accept: application/json" ^
  -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36" ^
  -H "content-type: application/json" ^
  -H "origin: https://myrunes.com" ^
  -H "sec-fetch-site: same-origin" ^
  -H "sec-fetch-mode: cors" ^
  -H "sec-fetch-dest: empty" ^
  -H "referer: https://myrunes.com/login" ^
  -H "accept-language: en-US,en;q=0.9" ^
  -H "cookie: jwt_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MTQ5MDgwMjIsImlhdCI6MTYxMjMxNjAyMiwic3ViIjoiMTM1Njc3Nzg1MjIzODE4NDQ0OCJ9.CELFUbTHkfUhVyF8vXBR4EhMBQ-eQsoaENjZf3E5eOU" ^
  --data-raw "^{^\^"username^\^":^\^"jkidd999^\^",^\^"password^\^":^\^"WHY_IS_MY_PASSWORD_BEING_PASSED_AS_RAW_DATA_IN_A_POST_REQUEST? ARE YOU KIDDING?^\^",^\^"remember^\^":false^}" ^
  --compressed
```

Here's the login response:

```json
{
  "code": 500,
  "message": "context deadline exceeded"
}
```
zekroTJA commented 3 years ago

First of all, because this issue is related to an API error, I've transferred it to the backend repository.

The shown error was actually a database connection failure. I figured out that my MongoDB instance crashed after the update to 4.4. I've reverted back to Mongo 4.2, and now the DB is up and logins are operational again. I guess I need to take a deeper look at how to migrate my current dataset to Mongo 4.4.

And by the way, login POST requests always contain clear-text credentials. That is totally fine as long as the credentials themselves are not stored on the client side and you have a valid encrypted HTTPS connection to the server. HTTPS/TLS encrypts all communication between the client and the server (REST API) using the server's TLS certificate. After the login, the server checks the passed password and username against an Argon2id hash, which is stored in the database. Only a JWT session cookie is saved on the client side to authenticate requests, which is signed by the API server.
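The session-cookie half of the flow described in the comment above, as an added example in Go (the backend's language); this is not code from the myrunes backend. It first decodes the claims of the `jwt_token` cookie copied from the curl command in the issue without verifying it, which shows that anyone can read the payload (`sub`, `iat`, `exp`; here a 30-day lifetime) but that only the holder of the server's HMAC secret can produce a signature that verifies. It then mints an HS256 JWT with a server-held secret and verifies it the way an API should: recompute the HMAC, compare in constant time, enforce `exp`. The secret, subject and timestamps in `main` are constructed. The Argon2id password check the comment mentions is not included; in Go that lives in `golang.org/x/crypto/argon2`, outside the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the payload of the jwt_token cookie posted in the issue:
// expiry, issued-at and subject (the user id).
type Claims struct {
	Exp int64  `json:"exp"`
	Iat int64  `json:"iat"`
	Sub string `json:"sub"`
}

// issueCookie is the jwt_token value copied from the curl command in the issue.
// Anyone can decode its claims; only the holder of the server's HMAC secret
// can check (or forge) its signature.
const issueCookie = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MTQ5MDgwMjIsImlhdCI6MTYxMjMxNjAyMiwic3ViIjoiMTM1Njc3Nzg1MjIzODE4NDQ0OCJ9.CELFUbTHkfUhVyF8vXBR4EhMBQ-eQsoaENjZf3E5eOU"

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// issueToken builds an HS256 JWT ("header.payload.signature") for sub.
// secret is a server-side key that never reaches the client.
func issueToken(secret []byte, sub string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(Claims{Exp: now.Add(ttl).Unix(), Iat: now.Unix(), Sub: sub})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// unverifiedClaims decodes the payload WITHOUT checking the signature.
// Use it to inspect a token, never to authenticate a request.
func unverifiedClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	return &c, nil
}

// verifyToken is what the API does for each request carrying the cookie.
// The header's "alg" is deliberately ignored: we always verify HS256 with our
// own key, so a token claiming alg=none or RS256 simply fails the HMAC check.
func verifyToken(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time compare
		return nil, errors.New("invalid signature")
	}
	c, err := unverifiedClaims(token) // safe now: the signature covers the payload
	if err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return c, nil
}

func main() {
	c, err := unverifiedClaims(issueCookie)
	if err != nil {
		panic(err)
	}
	fmt.Printf("issue cookie: sub=%s issued=%s expires=%s\n",
		c.Sub, time.Unix(c.Iat, 0).UTC(), time.Unix(c.Exp, 0).UTC())
	secret := []byte("constructed-demo-secret") // constructed; a real key lives in server config
	now := time.Unix(c.Iat, 0)
	tok, _ := issueToken(secret, c.Sub, now, 30*24*time.Hour)
	_, err = verifyToken(secret, tok, now.Add(31*24*time.Hour))
	fmt.Println("same token 31 days later:", err)
}
```

Ignoring the token's own `alg` field and pinning the verifier to HS256 with the server key is what closes the classic algorithm-confusion hole; the `exp` check is what bounds how long a stolen cookie stays useful, which is why a 30-day lifetime deserves a conscious decision rather than a default.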