openfoodfacts / smooth-app

🤳🥫 The new Open Food Facts mobile application for Android and iOS, crafted with Flutter and Dart
https://world.openfoodfacts.org/open-food-facts-mobile-app?utm_source=off&utf_medium=web&utm_campaign=github-repo
Apache License 2.0

Crash on "edited products" screen #2793

Closed teolemon closed 2 years ago

teolemon commented 2 years ago

What

A user reports:

"there are a lot of bugs. When trying to see the "edited products" I get the following error:

FormatException: Unexpected character (at character 1)
<!-- start templates/web/common/site_layout.tt.html -->
^

To Reproduce

use smoothie and open edited products from your personal account in settings

Expected behavior

No API error

Part of

stephanegigandet commented 2 years ago

Moving to the app repo. What query is done to get the edited products? Is it using the search API? (and not website URLs with .json at the end)

simonbengtsson commented 2 years ago

I got this as well, but found that it worked after I removed the username and password from the request parameters. It didn't matter if the user/password was correct or not. Knowing that it was an issue with username/password I tried logging out and then it started to work again.

monsieurtanuki commented 2 years ago

I could not reproduce it:

Therefore:

monsieurtanuki commented 2 years ago

@stephanegigandet The query for the products I edited is a POST:

simonbengtsson commented 2 years ago

Here is an example request that highlights the issue that I experienced. Note that if the user_id and password fields are removed, the request succeeds and returns the expected JSON result. Also note that this is a minimal example of the POST request that the app made that still has the issue. There were many other fields added by the app, but these were not necessary to reproduce the issue.

import 'package:http/http.dart' as http;

Future<void> main() async {
  // Minimal POST to the search endpoint that still shows the problem.
  final response = await http.post(
    Uri.parse('https://world.openfoodfacts.org/cgi/search.pl'),
    body: {
      'json': '1',
      'search_terms': '',
      'fields': 'code',
      'user_id': 'simongbe',
      'password': '<password>', // doesn't matter if I use the wrong or correct password
    },
  );

  // Prints HTML from the website instead of the expected JSON result, which
  // causes the "Unexpected character" error when the app calls json.decode().
  print(response.body);
}

It could be something wrong with my simongbe account (which is a couple of years old). When I created a new one everything was working, including when I use the app without being logged in. The issue keeps happening on the simongbe account even though I log out and log in.

Should also note that I'm not seeing a crash, only an in-app error message (screen recording below).

https://user-images.githubusercontent.com/3586691/184890622-4d63be2d-667f-49f7-885b-ff1b9346ff34.mov

monsieurtanuki commented 2 years ago

@simonbengtsson What you're displaying is interesting, but perhaps a bit off topic: the OP was more specifically about the "edited products" search.

That said, that may mean that some users are either deprecated or wrong.

The following query will land on the "Incorrect user name or password." off page: https://world.openfoodfacts.org/cgi/search.pl?json=1&search_terms=&fields=code&user_id=simongbe&password=password

If I don't put the password it's OK: https://world.openfoodfacts.org/cgi/search.pl?json=1&search_terms=&fields=code&user_id=simongbe

If I don't put the user id either it's OK too: https://world.openfoodfacts.org/cgi/search.pl?json=1&search_terms=&fields=code

That said, we should probably be more explicit and detect different use cases like "wrong password" or "server down".

stephanegigandet commented 2 years ago
  • we have a general problem with login vs. email - most of our code works with login but not when users connect with their email - we need somehow to retrieve the login from the email - is there a server side API for that?

@monsieurtanuki we don't have an API for that right now, but you could retrieve the user_id from the session cookie that is set when you login:

session=user_session&[session id]&user_id&stephane; domain=.openfoodfacts.org; path=/; expires=Sun, 15-Aug-2032 08:28:56 GMT
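
Added example, not part of the original comment and not code from the app or the openfoodfacts-dart package: one way to read the login out of a Set-Cookie header laid out like the sample above. The function name `userIdFromSetCookie` is hypothetical, the header in `main` is constructed, and the flat `&`-separated key/value layout is an assumption taken from that single sample.

```dart
/// Extracts the login from one Set-Cookie header shaped like the sample:
///   session=user_session&<session id>&user_id&<login>; domain=...; path=/
/// Assumption: the cookie value is a flat '&'-separated key/value list.
/// The session id in the same value is a bearer credential: this function
/// never returns it, and callers should not log the raw header.
String? userIdFromSetCookie(String setCookie) {
  // The first ';'-separated segment is name=value; the rest are attributes.
  final pair = setCookie.split(';').first.trim();
  final eq = pair.indexOf('=');
  if (eq < 0 || pair.substring(0, eq) != 'session') return null;

  // Walk the value as pairs: [user_session, <id>, user_id, <login>].
  final parts = pair.substring(eq + 1).split('&');
  for (var i = 0; i + 1 < parts.length; i += 2) {
    if (parts[i] == 'user_id' && parts[i + 1].isNotEmpty) {
      return parts[i + 1];
    }
  }
  return null; // no session cookie, or no user_id entry in it
}

void main() {
  // Constructed header in the layout quoted above; the id is a placeholder.
  const header =
      'session=user_session&CONSTRUCTED_SESSION_ID&user_id&stephane; '
      'domain=.openfoodfacts.org; path=/';
  print(userIdFromSetCookie(header));
  // A different cookie, and a session cookie without a user_id entry.
  print(userIdFromSetCookie('lang=en; path=/'));
  print(userIdFromSetCookie('session=user_session&CONSTRUCTED_SESSION_ID'));
}
```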

stephanegigandet commented 2 years ago

Note that search queries do not need user credentials.

If user credentials are supplied, then they will be verified, and if they are incorrect, then the server will return an HTML page.

What I could do is to change the status code to 403 for API requests that have an incorrect login / password. In that case, the dart package would know that the userid/password are incorrect, and it would not try to parse the response (because it's HTML and not the JSON structure it expects).
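
Added example, not part of the original comment and not code from the app or the openfoodfacts-dart package: a client-side check that classifies a search response before decoding it, so both the current behaviour (an HTML page in place of JSON) and the proposed 403 become distinct outcomes instead of a `FormatException`. The names `SearchOutcome`, `SearchResult` and `classify`, the handling of 401, and every sample response in `main` are assumptions constructed for illustration.

```dart
import 'dart:convert';

enum SearchOutcome { ok, badCredentials, serverError, unexpectedHtml, malformedJson }

class SearchResult {
  SearchResult(this.outcome, [this.json]);
  final SearchOutcome outcome;
  final Map<String, dynamic>? json;
}

/// Classifies a response before decoding, so an HTML error page never
/// reaches jsonDecode() and surfaces as a raw FormatException.
SearchResult classify(int status, String contentType, String body) {
  if (status == 401 || status == 403) {
    return SearchResult(SearchOutcome.badCredentials);
  }
  if (status >= 500) return SearchResult(SearchOutcome.serverError);
  // A success status can still carry the website's HTML page.
  if (contentType.toLowerCase().contains('text/html') ||
      body.trimLeft().startsWith('<')) {
    return SearchResult(SearchOutcome.unexpectedHtml);
  }
  try {
    final decoded = jsonDecode(body);
    return decoded is Map<String, dynamic>
        ? SearchResult(SearchOutcome.ok, decoded)
        : SearchResult(SearchOutcome.malformedJson);
  } on FormatException {
    return SearchResult(SearchOutcome.malformedJson);
  }
}

void main() {
  // Constructed sample responses: [status, Content-Type, body].
  const html = '<!-- start templates/web/common/site_layout.tt.html -->';
  final cases = [
    [200, 'application/json', '{"count":1,"products":[{"code":"0000000000000"}]}'],
    [200, 'text/html', html], // HTML page as reported; status 200 is assumed
    [403, 'text/html', html], // status code proposed in the thread
    [503, 'text/html', '<html>unavailable</html>'],
    [200, 'application/json', '{"count":'], // truncated body
  ];
  for (final c in cases) {
    final r = classify(c[0] as int, c[1] as String, c[2] as String);
    print('${c[0]} ${c[1]} -> ${r.outcome.name}');
  }
}
```

When the request carried a user_id and password, a caller can treat `unexpectedHtml` as a probable rejected login and prompt the user to sign in again.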

stephanegigandet commented 2 years ago
      'password': '<password>', // doesn't matter if I use the wrong or correct password

@simonbengtsson That's strange, the error you get is from an invalid password, but I don't see anything wrong with the simongbe account.

simonbengtsson commented 2 years ago

Despite triple checking the password when I created the simplified example above I still managed to include the wrong password... The repro steps in the simple example above are therefore invalid. I did get the error in the app after signing in for the first time in an iOS simulator. I cannot reproduce it now however. I will try some more and report back if I can reproduce it again.

monsieurtanuki commented 2 years ago

we don't have an API for that right now, but you could retrieve the user_id from the session cookie that is set when you login

@stephanegigandet I'm a bit puzzled: I don't think we actually manage sessions or cookies with our API calls, this is not the website. That said, I'm not an expert on cookies. Not my favorite food either, btw, but that's another story.

monsieurtanuki commented 2 years ago

@simonbengtsson Actually we do not send the password for each search query, only the user (if available).

stephanegigandet commented 2 years ago

@monsieurtanuki session cookies are returned by API calls too. When an API query (any type: login, search, product edit etc.) has a userid + password, the server will check those, and the response will include a session cookie that contains the username.

monsieurtanuki commented 2 years ago

@stephanegigandet Please provide a curl example, or someone else join on this issue, because cookies, sessions and curls are not my cup of tea.

monsieurtanuki commented 2 years ago

What I could do is to change the status code to 403 for API requests that have an incorrect login / password. In that case, the dart package would know that the userid/password are incorrect, and it would not try to parse the response (because it's HTML and not the JSON structure it expects).

@stephanegigandet That would be great!

teolemon commented 2 years ago
M123-dev commented 2 years ago

We don't add credentials to product queries anymore so this should be fixed, right @monsieurtanuki?

Do you still have that problem @simonbengtsson?

If it isn't fixed please reopen.

simonbengtsson commented 2 years ago

I never found a way to reliably reproduce it and have not seen the error since 👍