Opened 4 years ago

Closed 4 years ago

#16893 closed defect (fixed)

ADINA15 Registration Error

Reported by: poly
Owned by: hellais
Priority: Medium
Component: Archived/Ooni
Severity: Normal

Description

On attempting to sign up for the 'Network Meter' group, after filling in my data, I received an error message saying 'Authorization Required' or something similar. Now when I try to sign up, I get the error message:

The oonitarian instance is not valid. Details: username User already exists (value: "poly"); email Email already exists (value: "poly@…").

Also, the counter for users registered to the project has not incremented.

Steps to reproduce:

  1. visit https://ooni.torproject.org/event/adina15/ with Tor Browser 5.0.1 (tor enabled)
  2. attempt to sign up to 'network meter' project

Attachments (2)

adina-bug.png (118.1 KB) - added by poly 4 years ago.
TorBrowser-enabled-third-party-cookies.png (216.4 KB) - added by hellais 4 years ago.
How to enable third party cookies in Tor Browser (Firefox)

Change History (13)

comment:1 Changed 4 years ago by hellais

I looked at the database and see an "oonitarian" with the email poly@..., but it's not associated with a team. I suspect this may be due to some networking error in the team joining phase that led to this inconsistent state.

If you tell me exactly what you did, or try again now and collect JavaScript console logs (open the inspector and look at the network monitor), I can perhaps figure out a way to avoid this happening in the future.

In theory you should now be able to join a team.

If that is not the case, please re-open and update this ticket.

Thanks for reporting this.

comment:2 Changed 4 years ago by hellais

Resolution: fixed
Status: new → closed

comment:3 Changed 4 years ago by poly

Resolution: fixed
Status: closed → reopened

Changed 4 years ago by poly

Attachment: adina-bug.png added

comment:4 Changed 4 years ago by poly

See error messages and network logs in screenshot.

comment:5 Changed 4 years ago by hellais

Can you provide me with the content of the last failing request?

Ideally I would like to have the content of all the requests and responses as well as the output of the JS console (be sure to remove your password from the network logs).

comment:6 Changed 4 years ago by hellais

So I have figured out what is going on here. This bug is something that only happens when the browser is configured to disallow third-party cookies (this is the case in Tor Browser Firefox, but not the default in most browser settings).

Given the fact that we want to have SSL on the endpoint accepting the XHR request and given the fact that we can't host dynamic content on ooni.torproject.org we have two options to overcome this:

1) Suggest that TBB users do the registration after having temporarily re-enabled third-party cookies (see attached screenshot for details on how to do that).

2) Implement an alternative method for authentication that does not rely on cookies. There is some documentation for strongloop on how to do this (https://docs.strongloop.com/display/public/LB/Making+authenticated+requests#Makingauthenticatedrequests-Makingauthenticatedrequestswithaccesstokens) and we have implemented this in the past in GlobaLeaks with angular.js so it should be possible to implement this.

Pull requests implementing either the informative text explaining how to work around the issue or one implementing header-based authentication are more than welcome.

I don't think I can commit to implementing either of these any time soon though.
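
The failure described in comment 6 and its second option, as an added example that is not part of the ticket or of the ooni-web code: a simulated cross-origin API and a minimal browser model show the cookie flow returning 401 once third-party cookies are refused, while the same token sent in a request header is accepted. The endpoint paths, the `Browser` class, the token format and the user name are assumptions made for the illustration.

```javascript
// Simulated cross-origin API (hypothetical endpoints; not the ooni-web code).
const sessions = new Map(); // token -> username
let nextId = 0; // constructed token ids; a real API issues random tokens

function api(req) {
  if (req.path === '/login') {
    const token = `demo-token-${++nextId}`;
    sessions.set(token, req.body.username);
    // The token goes out both as a cookie and in the response body.
    return { status: 200, setCookie: `access_token=${token}`, body: { id: token } };
  }
  if (req.path === '/teams/join') {
    const m = /(?:^|;\s*)access_token=([^;]+)/.exec(req.headers.cookie || '');
    const token = req.headers.authorization || (m && m[1]);
    if (!sessions.has(token)) {
      return { status: 401, body: { error: 'Authorization Required' } };
    }
    return { status: 200, body: { member: sessions.get(token) } };
  }
  return { status: 404, body: {} };
}

// Minimal browser model: the API is third-party relative to the page origin,
// so its Set-Cookie is stored only when third-party cookies are allowed.
class Browser {
  constructor({ thirdPartyCookies }) {
    this.thirdPartyCookies = thirdPartyCookies;
    this.jar = '';
  }
  xhr(path, body, extraHeaders = {}) {
    const headers = { ...extraHeaders };
    if (this.jar) headers.cookie = this.jar;
    const res = api({ path, body, headers });
    if (res.setCookie && this.thirdPartyCookies) this.jar = res.setCookie;
    return res;
  }
}

// Cookie flow: relies on the browser replaying the session cookie.
function joinWithCookie(browser) {
  browser.xhr('/login', { username: 'alice' });
  return browser.xhr('/teams/join', { team: 'network-meter' }).status;
}

// Header flow: keep the token in a script variable and send it explicitly.
function joinWithHeader(browser) {
  const { body } = browser.xhr('/login', { username: 'alice' });
  return browser.xhr('/teams/join', { team: 'network-meter' }, { authorization: body.id }).status;
}
```

In a real cross-origin deployment the API's CORS policy must also list `Authorization` as an allowed request header, since it is not on the CORS safelist.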

Changed 4 years ago by hellais

How to enable third party cookies in Tor Browser (Firefox)

comment:7 Changed 4 years ago by hellais

I implemented a quick fix for this issue that doesn't actually check to see if the problem is related to cookies, but at least provides some more information as to what is going on when an authentication error is triggered:

https://github.com/TheTorProject/ooni-web/commit/874c700854fc5dec7eaef6cc38efa325cdb33446

comment:8 Changed 4 years ago by sbs

With this diff committed in my testing system I was able to log in from the Tor browser configured to reject any kind of cookies (and related means of storage such as sessionStorage and/or localStorage):

https://github.com/TheTorProject/ooni-web/pull/22

comment:9 Changed 4 years ago by poly

@sbs on Tor Browser 5.0.2, with the following privacy settings:

[ ] always use private browsing
[ ] remember history
[ ] remember search/form history
[x] accept cookies from sites
accept third party: never
keep until: they expire

the patch does *not* work. I still get an error message saying 'authorization required'.

comment:10 Changed 4 years ago by poly

Updated patch fixes the bug on TB 5.0.2.

Thanks!

comment:11 Changed 4 years ago by anadahz

Resolution: fixed
Severity: Normal
Status: reopened → closed