
Auth0: don't ask users to re-login everyday #765

Open
adrienjoly opened this issue Mar 9, 2024 · 6 comments

@adrienjoly
Member

adrienjoly commented Mar 9, 2024

Describe the bug
Since we migrated authentication to Auth0 (cf. PR #705), users need to re-login every day, which is especially annoying when it happens in the downloadable Electron app, because it's not possible to use the browser's password manager.

@adrienjoly adrienjoly added the bug label Mar 9, 2024
@adrienjoly adrienjoly self-assigned this Mar 9, 2024
@adrienjoly
Member Author

adrienjoly commented Mar 9, 2024

First (failed) attempt

I tried to fix this problem by adding `attemptSilentLogin: true` to the Auth0 init settings, but had to revert it immediately because trying to play a YouTube video after that would result in a `checks.state argument is missing` error in the player's area:

[Screenshot, 2024-03-09 14:44:12]

@adrienjoly
Member Author

adrienjoly commented Mar 9, 2024

Root cause analysis

That error was visible in the server logs whenever I tried to play a YouTube track, even after reverting the commit, resetting cookies and re-logging in:

❌ Error -- Sat, 09 Mar 2024 13:43:31 GMT BadRequestError: checks.state argument is missing
    at ResponseContext.callback (/home/adrien/openwhyd/node_modules/express-openid-connect/lib/context.js:347:15)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

I found that it could be triggered directly by opening the iframe's target of the YouTube embed:

[Screenshot, 2024-03-09 15:16:14]

@adrienjoly
Member Author

Resolution

After reverting the commit, invalidating CloudFront's cache for that file solved the issue.

[image]

@adrienjoly
Member Author

Post mortem

Hypothesis:

  • assuming that Auth0's session is checked even for public assets, including https://openwhyd.org/html/YoutubePlayerIframe.html
  • for some reason, adding `attemptSilentLogin: true` made the CloudFront-cached /html/YoutubePlayerIframe.html page call openwhyd.org/callback with missing (but expected) auth cookies, causing the `checks.state argument is missing` error
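To make the post-mortem hypothesis concrete, here is an added example (not Openwhyd's code and not express-openid-connect's own implementation): a dependency-free sketch of an auth layer that only guards opted-in routes, so public, CDN-cached assets such as /html/YoutubePlayerIframe.html never start a login or land on /callback, and that shows why a callback arriving without its transaction cookie fails the state check. The prefixes other than /html/, the cookie names `txn_state` and `appSession`, and the session durations are assumptions made for the example.

```javascript
// Added example, not Openwhyd's code: how an OIDC login layer should decide
// which requests need a session, and why a callback reached without its
// transaction cookie fails the state check described in the issue.

const SECONDS_PER_WEEK = 7 * 24 * 3600; // 604800, the ID token lifetime chosen later in the thread

// Prefixes served as public static assets (cacheable by a CDN such as CloudFront).
// Only /html/ comes from the issue; the other prefixes are placeholders.
const PUBLIC_PREFIXES = ['/html/', '/css/', '/js/', '/images/'];
// Routes that genuinely need a logged-in user (assumed names).
const PROTECTED_PREFIXES = ['/api/', '/me'];

function isPublicAsset(path) {
  return PUBLIC_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Opt-in protection: a request needs a session only if it targets a protected
// route. A default of "every route requires auth" would also check public
// assets, which is exactly what the post mortem suspects happened.
function requiresLogin(path) {
  return !isPublicAsset(path) && PROTECTED_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Decide what the auth layer does with a request. Returns one of:
//   'serve'           - public asset, no session needed
//   'serve-session'   - protected route with a valid session cookie
//   'redirect-login'  - protected route without a session: start a login
//   'callback-ok'     - callback whose state matches the transaction cookie
//   'callback-error'  - callback with a missing or mismatching state cookie
function handle(req) {
  const { path, cookies = {}, query = {} } = req;
  if (path === '/callback') {
    // The state generated at login start is stored in a transaction cookie
    // (assumed name: txn_state) and must match the state the IdP echoes back.
    // A CDN-cached page that ends up here without cookies fails this check,
    // which is the class of error "checks.state argument is missing" reports.
    if (!cookies.txn_state) return 'callback-error';
    return cookies.txn_state === query.state ? 'callback-ok' : 'callback-error';
  }
  if (!requiresLogin(path)) return 'serve';
  return cookies.appSession ? 'serve-session' : 'redirect-login';
}

// Session policy a practitioner would pair with a one-week ID token: the
// session rolls forward on activity but is capped by an absolute lifetime.
const sessionPolicy = {
  rolling: true,
  rollingDuration: 24 * 3600,         // extend by one day on each request
  absoluteDuration: SECONDS_PER_WEEK, // but never beyond one week
};

// Stand-alone run: walk a few constructed requests through the auth layer.
const sampleRequests = [
  { path: '/html/YoutubePlayerIframe.html' },
  { path: '/api/tracks' },
  { path: '/api/tracks', cookies: { appSession: 'opaque-session-id' } },
  { path: '/callback', query: { state: 'abc' } },
  { path: '/callback', cookies: { txn_state: 'abc' }, query: { state: 'abc' } },
];
for (const req of sampleRequests) {
  console.log(`${req.path} -> ${handle(req)}`);
}
```

In express-openid-connect the equivalent is `authRequired: false` on `auth()` together with `requiresAuth()` on the routes that need a session, so static assets are never run through the login flow; the absolute session duration above mirrors the one-week ID token lifetime.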

@adrienjoly
Member Author

adrienjoly commented Mar 9, 2024

Second attempt

From https://manage.auth0.com/dashboard/eu/openwhyd/applications/2bQPQT4zHVg2mKYR0uqk8rf5ItisvSWx/settings, set the ID Token expiration from 36000 seconds (= 10 hours) to 1 week (7 × 24 × 3600 = 604800 seconds).

[image]
