theodi / open-data-certificate

The mark of quality and trust for open data
https://certificates.theodi.org/
MIT License

Login / Authentication failure for valid user/password pairs #1686

Open olivierthereaux opened 6 years ago

olivierthereaux commented 6 years ago

Summary: authentication/login appears to fail for some users but not all, with no obvious difference between working and failing accounts, no useful error message, and no usable trace in the logs. This prevents users from logging in.

This issue is made worse by the fact that some users respond to the issue by trying a password reset, which has been broken for months: https://github.com/theodi/open-data-certificate/issues/1680.

Expected Behaviour

Current Behaviour (for problems)

A number of users, when submitting username and password, get an error message in the UI saying "a server error occurred".

[screenshot, 2018-08-15 14:11:54: "a server error occurred" message on the login form]

This is different from the error message shown when trying to log in with a non-existent username, or an existing username and the wrong password.

[screenshot, 2018-08-15 14:11:38: the ordinary invalid-credentials error message]

Your Environment

This error happens to me on both the staging and production environments, and there are a number of other reported cases from other users.

The issue does not appear to be related to a specific client-side environment, as I have been able to create a new account and log in with it.

I have however seen an instance where creating a new account worked for a while, then failed. I do not remember after how long. This may point to the fact that the authentication/user management library used in Certificates (Devise) has a flag for "confirming" users: https://github.com/theodi/open-data-certificate/blob/staging/app/models/user.rb

I was not able to confirm this hypothesis yet.

Other notes

I was not able to retrieve any additional info from logs yet. The only difference in the logs between successful and unsuccessful login attempts is in the returned status code:

Failed:

2018-08-15T12:44:45.561051+00:00 app[web.1]: {"method":"POST","path":"/users/sign_in","format":"js","controller":"sessions","action":"create","status":0,"duration":162.5,"@timestamp":"2018-08-15T12:44:45Z","@version":"1","message":"[0] POST /users/sign_in (sessions#create)"}

Passed:

2018-08-15T12:42:45.785567+00:00 app[web.1]: {"method":"POST","path":"/users/sign_in","format":"js","controller":"sessions","action":"create","status":200,"duration":241.06,"view":29.08,"db":72.26,"@timestamp":"2018-08-15T12:42:45Z","@version":"1","message":"[200] POST /users/sign_in (sessions#create)"}
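The two log lines above differ in more than the status code: the failed attempt also has no "view" and no "db" timing, which is what a request that died mid-way (an unhandled exception before any response was rendered) looks like in Lograge-style output. The script below is an added example, not code from the open-data-certificate project or from the issue's author: it parses Heroku-prefixed Lograge JSON lines like the ones pasted above, keeps only POST /users/sign_in attempts, and separates "aborted" requests (status 0, no timings) from ordinary rejected credentials and successes, so a batch of logs can be triaged without reading each line. The interpretation of status 0 as "no response status was ever set" is an assumption stated in the comments, and the sample log text is constructed for the example (the 401 and GET lines are invented; the 200 and 0 lines mirror the shape of the issue's own lines).

```ruby
require 'json'

# Constructed sample input in the Lograge JSON format shown in the issue.
# Only the two sign_in lines follow the issue's shape; the 401 line (a
# rejected password) and the unrelated GET line are invented for contrast.
SAMPLE_LOG = <<~'LOG'
  2018-08-15T12:42:45.785567+00:00 app[web.1]: {"method":"POST","path":"/users/sign_in","format":"js","controller":"sessions","action":"create","status":200,"duration":241.06,"view":29.08,"db":72.26,"@timestamp":"2018-08-15T12:42:45Z","@version":"1","message":"[200] POST /users/sign_in (sessions#create)"}
  2018-08-15T12:44:45.561051+00:00 app[web.1]: {"method":"POST","path":"/users/sign_in","format":"js","controller":"sessions","action":"create","status":0,"duration":162.5,"@timestamp":"2018-08-15T12:44:45Z","@version":"1","message":"[0] POST /users/sign_in (sessions#create)"}
  2018-08-15T12:45:10.000000+00:00 app[web.1]: {"method":"POST","path":"/users/sign_in","format":"js","controller":"sessions","action":"create","status":401,"duration":90.1,"view":10.0,"db":20.0,"@timestamp":"2018-08-15T12:45:10Z","@version":"1","message":"[401] POST /users/sign_in (sessions#create)"}
  2018-08-15T12:45:11.000000+00:00 app[web.1]: {"method":"GET","path":"/","format":"html","controller":"home","action":"index","status":200,"duration":30.0,"view":10.0,"db":5.0,"@timestamp":"2018-08-15T12:45:11Z","@version":"1","message":"[200] GET / (home#index)"}
LOG

# Each line is "<heroku timestamp> app[web.1]: <json object>". Return the parsed
# JSON hash, or nil when the line carries no parseable object.
def parse_lograge_line(line)
  start = line.index('{')
  return nil unless start
  JSON.parse(line[start..-1])
rescue JSON::ParserError
  nil
end

# Classify one sessions#create entry by the status Lograge recorded.
# Assumption: status 0 means no response status was ever set, i.e. the request
# raised before rendering, which is also why "view"/"db" timings are absent.
def classify_sign_in(entry)
  return :other unless entry['controller'] == 'sessions' && entry['action'] == 'create'

  case entry['status'].to_i
  when 0        then :aborted   # died mid-request; the "server error" case
  when 200..399 then :ok        # signed in (or redirected after sign-in)
  when 401, 422 then :rejected  # credentials refused; user sees a normal error
  else :other
  end
end

# Walk a log blob and count sign-in outcomes; collect the aborted entries so the
# timestamps can be matched against user reports.
def summarize_sign_ins(log_text)
  counts = Hash.new(0)
  aborted = []
  log_text.each_line do |line|
    entry = parse_lograge_line(line)
    next unless entry

    kind = classify_sign_in(entry)
    next if kind == :other

    counts[kind] += 1
    aborted << entry if kind == :aborted
  end
  { counts: counts, aborted: aborted }
end

if __FILE__ == $PROGRAM_NAME
  result = summarize_sign_ins(SAMPLE_LOG)
  puts "sign-in attempts by outcome: #{result[:counts]}"
  result[:aborted].each do |e|
    missing = %w[view db].reject { |k| e.key?(k) }
    puts "aborted at #{e['@timestamp']} after #{e['duration']} ms; " \
         "no #{missing.join('/')} timings recorded"
  end
end
```

Run it against a real log dump (for example the output of `heroku logs` redirected to a file) instead of SAMPLE_LOG; the aborted timestamps are the ones to correlate with the application's exception log or error tracker, since the Lograge line itself records nothing about the exception.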