teslamate-org / teslamate

A self-hosted data logger for your Tesla 🚘
https://docs.teslamate.org
MIT License

Impossible to reauthenticate to Tesla API when token is revoked #736

Closed GaPhi closed 4 years ago

GaPhi commented 4 years ago

Describe the bug

Impossible to reauthenticate to Tesla API when token is revoked. The /sign_in page reloads indefinitely.

Expected behavior

Be able to log in again giving a new token or login/password, without losing any recordset for the car(s).

How to reproduce it (as minimally and precisely as possible):

Relevant entries from the logs

00:00:06.746 [warn] Token refresh failed: %TeslaApi.Error{
  env: %Mojito.Response{
    body: %{
      "error" => "invalid_grant",
      "error_description" => "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
    },
    complete: true,
    headers: [
      {"server", "nginx"},
      {"date", "Wed, 20 May 2020 22:00:06 GMT"},
      {"content-type", "application/json; charset=utf-8"},
      {"transfer-encoding", "chunked"},
      {"connection", "keep-alive"},
      {"x-frame-options", "SAMEORIGIN"},
      {"x-xss-protection", "1; mode=block"},
      {"x-content-type-options", "nosniff"},
      {"cache-control", "no-store"},
      {"pragma", "no-cache"},
      {"www-authenticate",
       "Bearer realm=\"Doorkeeper\", error=\"invalid_grant\", error_description=\"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.\""},
      {"x-request-id", "a530c806943b044a59e17189248830ff"},
      {"x-runtime", "0.008710"}
    ],
    status_code: 401
  },
  message: "Failed to authenticate.",
  reason: :authentication_failure
}

Screenshots

None.

Data

Environment

GaPhi commented 4 years ago

To be able to use it again, I

  1. generated a new token pair:

    curl -X POST -H "Cache-Control: no-cache" \
    -F "grant_type=password" \
    -F "client_id=81527cff06843c8634fdc09e8ac0abefb46ac849f38fe1e431c2ef2106796384" \
    -F "client_secret=c7257eb71a564034f9419ee651c7d0e5f7aa6bfbd18bafb5c5c033b093bb2fa3" \
    -F "email=xxx@xxx.com" \
    -F "password=xxxxxx" \
    "https://owner-api.teslamotors.com/oauth/token"
    {
    "access_token": "xxxxxx",
    "token_type": "bearer",
    "expires_in": 3888000,
    "refresh_token": "yyyyyy",
    "created_at": 1590011950
    }

  2. and updated the database:

    docker exec -ti root_database_1 psql -U teslamate
    update public.tokens set access='xxxxxx',refresh='yyyyyy';
    quit

If it can help someone else...

adriankumpf commented 4 years ago

I cannot reproduce the described behaviour. If the token is revoked, you will be prompted to sign in again. After submitting the login form, everything should work as expected.

Have you noticed any errors in the browser console? What is logged (I would expect to see [info] GET /sign_in etc.)?

GaPhi commented 4 years ago

Maybe you can alter a character of the refresh/access tokens to reproduce it.

Here is the part of the log I have:

23:35:13.043 [info] Already up
23:36:35.181 [info] Version: 1.19.3
23:36:36.595 [warn] Token refresh failed: %TeslaApi.Error{
  env: %Mojito.Response{
    body: %{
      "error" => "invalid_grant",
      "error_description" => "The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."
    },
    complete: true,
    headers: [
      {"server", "nginx"},
      {"date", "Wed, 20 May 2020 21:36:36 GMT"},
      {"content-type", "application/json; charset=utf-8"},
      {"transfer-encoding", "chunked"},
      {"connection", "keep-alive"},
      {"x-frame-options", "SAMEORIGIN"},
      {"x-xss-protection", "1; mode=block"},
      {"x-content-type-options", "nosniff"},
      {"cache-control", "no-store"},
      {"pragma", "no-cache"},
      {"www-authenticate",
       "Bearer realm=\"Doorkeeper\", error=\"invalid_grant\", error_description=\"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.\""},
      {"x-request-id", "0fd5c84a02d50faed8dca68326ccea7e"},
      {"x-runtime", "0.005608"}
    ],
    status_code: 401
  },
  message: "Failed to authenticate.",
  reason: :authentication_failure
}
23:36:36.621 [info] Running TeslaMateWeb.Endpoint with cowboy 2.7.0 at :::4000 (http)
23:36:36.630 [info] Access TeslaMateWeb.Endpoint at http://localhost
23:36:36.659 [warn] Using fallback vehicles:

[
  %TeslaApi.Vehicle{
    api_version: nil,
    backseat_token: nil,
    backseat_token_updated_at: nil,
    calendar_enabled: nil,
    charge_state: nil,
    climate_state: nil,
    color: nil,
    display_name: "Road Runner",
    drive_state: nil,
    gui_settings: nil,
    id: XXXXXXXXX,
    in_service: false,
    option_codes: [],
    state: "unknown",
    tokens: [],
    vehicle_config: nil,
    vehicle_id: XXXXXXXXXX,
    vehicle_state: nil,
    vin: "XXXXXXXXXXX"
  }
]
23:36:36.660 [info] Starting logger for 'Road Runner'
23:36:36.713 [error] Error / unauthorized
23:37:34.425 [info] [alarm_handler: {:set, {TeslaMate.Vehicles.Vehicle_1_api_error, :fuse_blown}}]
23:48:12.013 [info] GET /
23:48:12.151 [info] Sent 302 in 137ms
23:48:12.186 [info] GET /sign_in
23:48:12.275 [info] Sent 200 in 88ms
23:48:13.842 [info] GET /sign_in
23:48:13.878 [info] Sent 200 in 34ms
23:48:15.160 [info] GET /sign_in
23:48:15.188 [info] Sent 200 in 27ms
23:48:16.972 [info] GET /sign_in
23:48:17.004 [info] Sent 200 in 31ms
23:48:20.065 [info] GET /sign_in
23:48:20.090 [info] Sent 200 in 18ms
23:48:22.394 [info] GET /sign_in
23:48:22.410 [info] Sent 200 in 14ms
23:48:24.305 [info] GET /sign_in
23:48:24.340 [info] Sent 200 in 33ms
23:48:26.761 [info] GET /sign_in
23:48:26.797 [info] Sent 200 in 30ms
23:48:28.132 [info] GET /sign_in
23:48:28.150 [info] Sent 200 in 18ms
23:48:29.734 [info] GET /sign_in
23:48:29.758 [info] Sent 200 in 22ms
23:48:31.900 [info] GET /sign_in
23:48:31.924 [info] Sent 200 in 23ms
23:48:33.743 [info] GET /sign_in
23:48:33.764 [info] Sent 200 in 20ms
23:49:04.077 [info] GET /sign_in
23:49:04.111 [info] Sent 200 in 33ms
23:49:24.627 [info] GET /sign_in
23:49:24.682 [info] Sent 200 in 54ms
23:49:27.036 [info] GET /sign_in
23:49:27.065 [info] Sent 200 in 28ms
23:49:28.928 [info] GET /sign_in
23:49:28.971 [info] Sent 200 in 43ms
23:49:30.813 [info] GET /settings
23:49:30.901 [info] Sent 200 in 87ms
23:49:32.205 [info] GET /settings
23:49:32.287 [info] Sent 200 in 81ms
23:49:35.017 [info] GET /settings
23:49:35.087 [info] Sent 200 in 69ms
23:49:37.575 [info] GET /settings
23:49:37.635 [info] Sent 200 in 55ms
23:49:39.530 [info] GET /settings
23:49:39.607 [info] Sent 200 in 73ms
23:49:42.270 [info] GET /settings
23:49:42.327 [info] Sent 200 in 56ms
23:49:45.041 [info] GET /settings
23:49:45.119 [info] Sent 200 in 75ms
23:49:45.545 [info] GET /sign_in
23:49:45.569 [info] Sent 200 in 22ms
23:49:48.508 [info] GET /sign_in
23:49:48.546 [info] Sent 200 in 37ms
23:50:25.207 [info] GET /
23:50:25.246 [info] Sent 302 in 38ms
23:50:25.261 [info] GET /sign_in
23:50:25.285 [info] Sent 200 in 23ms
23:50:26.926 [info] GET /sign_in
23:50:26.958 [info] Sent 200 in 32ms
23:50:28.326 [info] GET /sign_in
23:50:28.351 [info] Sent 200 in 24ms
23:50:31.497 [info] GET /sign_in
23:50:31.519 [info] Sent 200 in 21ms
23:50:34.636 [info] GET /sign_in
23:50:34.665 [info] Sent 200 in 28ms
23:50:36.310 [info] GET /sign_in
23:50:36.347 [info] Sent 200 in 36ms
23:50:38.151 [info] GET /sign_in
23:50:38.210 [info] Sent 200 in 59ms
23:50:42.016 [info] GET /sign_in
23:50:42.036 [info] Sent 200 in 20ms
23:50:49.437 [info] GET /
23:50:49.462 [info] Sent 302 in 25ms
23:50:50.614 [info] GET /sign_in
23:50:50.643 [info] Sent 200 in 28ms
23:51:21.264 [info] GET /sign_in
23:51:21.288 [info] Sent 200 in 23ms
23:51:51.510 [info] GET /sign_in
23:51:51.537 [info] Sent 200 in 25ms
23:52:21.754 [info] GET /sign_in
23:52:21.778 [info] Sent 200 in 17ms
23:52:51.978 [info] GET /sign_in
23:52:52.004 [info] Sent 200 in 24ms
23:53:19.924 [info] GET /sign_in
23:53:19.945 [info] Sent 200 in 17ms
23:53:50.141 [info] GET /sign_in
23:53:50.158 [info] Sent 200 in 16ms
23:54:16.011 [info] SIGTERM received - shutting down
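
Added example (not part of the thread and not TeslaMate code): a Python check that scans log output shaped like the excerpts above for the pattern reported here, a failed token refresh carrying an OAuth error followed by a burst of GET /sign_in requests. The sample log is constructed from lines of the kind quoted above; the 10-second window and the threshold of 3 are assumptions, and timestamps are assumed to fall within one day because the log lines carry no date.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like the TeslaMate log lines quoted in this thread.
SAMPLE_LOG = """\
23:36:36.595 [warn] Token refresh failed: %TeslaApi.Error{
    body: %{
      "error" => "invalid_grant",
    },
}
23:36:36.713 [error] Error / unauthorized
23:48:12.186 [info] GET /sign_in
23:48:12.275 [info] Sent 200 in 88ms
23:48:13.842 [info] GET /sign_in
23:48:13.878 [info] Sent 200 in 34ms
23:48:15.160 [info] GET /sign_in
23:48:15.188 [info] Sent 200 in 27ms
23:49:30.813 [info] GET /settings
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \[(\w+)\] (.*)$")
OAUTH_ERROR = re.compile(r'"error" => "(\w+)"')

def analyze(log_text, window=timedelta(seconds=10), threshold=3):
    """Report failed token refreshes and the largest burst of GET /sign_in."""
    failures, sign_ins, current = [], [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:  # a new timestamped entry ends any multi-line error struct
            current = None
            if m.group(3).startswith("Token refresh failed"):
                current = {"time": m.group(1), "error": None}
                failures.append(current)
            elif m.group(3) == "GET /sign_in":
                sign_ins.append(datetime.strptime(m.group(1), "%H:%M:%S.%f"))
        elif current is not None and current["error"] is None:
            found = OAUTH_ERROR.search(raw)  # continuation line of the struct
            if found:
                current["error"] = found.group(1)
    burst = start = 0
    for end, ts in enumerate(sign_ins):  # sliding window over request times
        while ts - sign_ins[start] > window:
            start += 1
        burst = max(burst, end - start + 1)
    return {"refresh_failures": failures, "max_sign_in_burst": burst,
            "reload_loop": bool(failures) and burst >= threshold}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
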

shagberg commented 4 years ago

I had this same issue as well. And, like robbertverheij mentions in this thread (Issue 597), it resolved itself on its own. I'm wondering if the cause of the problem is with Tesla's API servers.

cadir commented 4 years ago

I've seen this issue. It appears that something can trigger lockout of an account and then the initial access using email/password no longer works. Only process I've seen to recover is to do a forgot password / reset on the Tesla site. Unclear what triggers the lockout.

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.