nhost / hasura-auth

Authentication for Hasura.
https://nhost.io
MIT License

Hasura-auth doesn't check/capture invalid locale when using Oauth #158

Closed alveshelio closed 2 years ago

alveshelio commented 2 years ago

When logging or signing up with a social network it hangs on the callback. The request to https://www.linkedin.com/oauth/v2/authorization-submit?app_id=... goes through, however, the request to http://localhost:1337/v1/auth/signin/provider/linkedin/callback?code=...&state=... hangs.

elitan commented 2 years ago

Do you see anything strange in the logs while doing this request?

docker logs -f nhost_auth

alveshelio commented 2 years ago

Hi @elitan,

I actually don't have any logs since this is happening in production. I thought this was solved with the help of Nuno, but what we've worked on had no effect on this one.

I'd need to make a request and you guys take a look at the logs and see what's the problem. After a while the request just terminates with a 500 error.

I've tested on another Nhost app, I've created a new app, pushed to main and the problem is still there, so I don't think this is a problem with my permissions or anything.

These are the logs @nunopato provided me with:

{"level":50,"time":1652220486670,"pid":20,"hostname":"nhost-stack-6d6649f99f-dqsdd","msg":"Unable to retrieve access token: appid/redirect uri/code verifier does not match authorization code. Or authorization code expired. Or external member binding exists"}
{"level":30,"time":1652220486670,"pid":20,"hostname":"nhost-stack-6d6649f99f-dqsdd","req":{"id":55238,"method":"GET","url":"/signin/provider/linkedin/callback?code=AQTQ9Hht3lp0bF-55lGsEUMYiXtglBVcm3VnYaVUfuBhXAFa9MbL33pKghqSdo-Mm7w2zOFg6f6zYgGtBO9zA3EtTFoXVQ2G7I-a37J6bCi4jujpF1pG0SFyoolowx3VZSoYQV7rIUD-w5ZzD4z0z9fCE0oj43Q7jZSCnJCRVK29tCbiLzpLvtB-Lclgul04YGmzgskFUlZ-KsS0D9E&state=7f6a5b6f-b065-47d2-b816-f9d70fecafff","query":{"code":"AQTQ9Hht3lp0bF-55lGsEUMYiXtglBVcm3VnYaVUfuBhXAFa9MbL33pKghqSdo-Mm7w2zOFg6f6zYgGtBO9zA3EtTFoXVQ2G7I-a37J6bCi4jujpF1pG0SFyoolowx3VZSoYQV7rIUD-w5ZzD4z0z9fCE0oj43Q7jZSCnJCRVK29tCbiLzpLvtB-Lclgul04YGmzgskFUlZ-KsS0D9E","state":"7f6a5b6f-b065-47d2-b816-f9d70fecafff"},"params":{},"headers":{"host":"fkxqztcepombfuibkyom.nhost.run","x-request-id":"9e19391883d8679438320cdba5d87941","x-real-ip":"10.119.18.215","x-forwarded-for":"10.119.18.215","x-forwarded-host":"fkxqztcepombfuibkyom.nhost.run","x-forwarded-port":"80","x-forwarded-proto":"http","x-forwarded-scheme":"http","x-scheme":"http","user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","accept-language":"en-US,en;q=0.5","accept-encoding":"gzip, deflate, br","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"none","sec-fetch-user":"?1"},"remoteAddress":"::ffff:10.119.1.66","remotePort":46008},"res":{"statusCode":500,"headers":{"x-dns-prefetch-control":"off","x-frame-options":"SAMEORIGIN","strict-transport-security":"max-age=15552000; includeSubDomains","x-download-options":"noopen","x-content-type-options":"nosniff","x-xss-protection":"1; mode=block","access-control-allow-origin":"*","surrogate-control":"no-store","cache-control":"no-store, no-cache, must-revalidate, proxy-revalidate","pragma":"no-cache","expires":"0"}},"err":{"type":"Error","message":"failed with status code 500","stack":"Error: failed with status code 500\n    at ServerResponse.onResFinished (/app/node_modules/.pnpm/pino-http@5.8.0/node_modules/pino-http/logger.js:77:38)\n    at ServerResponse.emit (events.js:412:35)\n    at onFinish (_http_outgoing.js:792:10)\n    at afterWrite (internal/streams/writable.js:466:5)\n    at afterWriteTick (internal/streams/writable.js:453:10)\n    at processTicksAndRejections (internal/process/task_queues.js:81:21)"},"responseTime":235,"msg":"request errored"}

Looking at the error below, we can see that it is unable to create a user because it is not sending the id, which is normal since the column id has a default value gen_random_uuid(). What's even stranger is that this works fine when signing up through email/password.

This is the mutation that is failing:

fragment userFields on users {
    id
    createdAt
    disabled
    displayName
    avatarUrl
    email
    passwordHash
    emailVerified
    phoneNumber
    phoneNumberVerified
    defaultRole
    isAnonymous
    ticket
    otpHash
    totpSecret
    activeMfaType
    newEmail
    locale
    metadata
    roles {
        role
    }
}

mutation insertUser($user: users_insert_input!) {
    insertUser(object: $user) { ...userFields }
}
variables: {
    user: {
        disabled: false,
        displayName: "My Name",
        avatarUrl: "https://s.gravatar.com/avatar/....",
        email: "myEmail@gmail.com",
        passwordHash: "mypasswordhash",
        ticket: "verifyEmail:311e455f-3a77-40b4-b5fd-f98033a9d50c",
        ticketExpiresAt: "2022-06-09T18:11:40.945Z",
        emailVerified: false,
        locale: "en",
        defaultRole: "user",
        roles: {
            data: [{ role: "user" }, { role: "me" }]
        },
        metadata: {}
    }
}

"msg": "Not-NULL violation. null value in column \"id\" of relation \"users\" violates not-null constraint: {\"response\":{\"errors\":[{\"extensions\":{\"path\":\"$.selectionSet.insertUser.args.object[0]\",\"code\":\"constraint-violation\"},\"message\":\"Not-NULL violation. null value in column \\"id\\" of relation \\"users\\" violates not-null constraint\"}],\"status\":200,\"headers\":{}},\"request\":{\"query\":\"mutation insertUser($user: users_insert_input!) {\n insertUser(object: $user) {\n ...userFields\n }\n}\n\nfragment userFields on users {\n id\n createdAt\n disabled\n displayName\n avatarUrl\n email\n passwordHash\n emailVerified\n phoneNumber\n phoneNumberVerified\n defaultRole\n isAnonymous\n ticket\n otpHash\n totpSecret\n activeMfaType\n newEmail\n locale\n metadata\n roles {\n role\n }\n}\",\"variables\":{\"user\":{\"disabled\":false,\"displayName\":\"My Name\",\"avatarUrl\":\"https://s.gravatar.com/avatar/...\",\"email\":\"myemail@gmail.com\",\"passwordHash\":\"mypasswordhash",\"ticket\":\"verifyEmail:311e455f-3a77-40b4-b5fd-f98033a9d50c\",\"ticketExpiresAt\":\"2022-06-09T18:11:40.945Z\",\"emailVerified\":false,\"locale\":\"en\",\"defaultRole\":\"user\",\"roles\":{\"data\":[{\"role\":\"user\"},{\"role\":\"me\"}]},\"metadata\":{}}}}}"

plmercereau commented 2 years ago

Hasura-auth stores the locale as a two-character string. More than two characters will make the authentication fail. See https://github.com/nhost/hasura-auth/issues/44

Moving this issue to the hasura-auth repo, and renaming the title.
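One way to keep a provider-supplied locale that does not fit the two-character column from ever reaching the insert, as an added TypeScript example that is not hasura-auth's own code; DEFAULT_LOCALE, normalizeLocale and localeForProfile are assumed names, and the profile shape is a constructed sample rather than a real provider response:

```typescript
// Added example (not hasura-auth's own code): reduce a locale string from an
// OAuth profile to the two-letter language code that the users.locale column
// holds, falling back to a default instead of letting the insert fail with a
// bare 500 on the callback.
// Assumption: DEFAULT_LOCALE stands in for the server's configured default.

const DEFAULT_LOCALE = "en";

// ISO 639-1 language code, optionally followed by region/script subtags,
// e.g. "en", "en-US", "pt_BR", "es-419". Anything else is rejected.
const LOCALE_RE = /^([A-Za-z]{2})(?:[-_][A-Za-z0-9]{2,8})*$/;

interface LocaleCheck {
  locale: string;       // value that is safe to store in users.locale
  usedFallback: boolean;
  reason?: string;      // why the provider value was not used as-is
}

// Returns the two-letter code, or the fallback (with a reason) when the
// input is missing, not a string, or does not look like a locale tag.
function normalizeLocale(raw: unknown, fallback: string = DEFAULT_LOCALE): LocaleCheck {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { locale: fallback, usedFallback: true, reason: "missing" };
  }
  const m = LOCALE_RE.exec(raw.trim());
  if (!m) {
    return { locale: fallback, usedFallback: true, reason: `malformed: ${raw}` };
  }
  return { locale: m[1].toLowerCase(), usedFallback: false };
}

// Applies the check to a profile object of the kind a social login returns
// (constructed shape; only the locale field matters here).
function localeForProfile(profile: { locale?: unknown }): string {
  const check = normalizeLocale(profile.locale);
  if (check.usedFallback) {
    // Logging the rejected value here makes the cause visible in the logs
    // instead of surfacing later as an unexplained 500 on the callback.
    console.warn(`locale not stored as-is (${check.reason}); using ${check.locale}`);
  }
  return check.locale;
}
```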

nunopato commented 2 years ago

I am closing this issue in favor of https://github.com/nhost/hasura-auth/issues/44