ADINA15 Registration Error
On attempting to sign up for the 'Network Meter' group, after filling in my data, I received an error message saying 'Authorization Required' or something similar. Now when I try to sign up, I get the error message:
The
oonitarianinstance is not valid. Details:usernameUser already exists (value: "poly");
Also, the counter for users registered to the project has not incremented.
Steps to reproduce:
- visit https://ooni.torproject.org/event/adina15/ with Tor Browser 5.0.1 (tor enabled)
- attempt to sign up to 'network meter' project
Trac:
Username: poly
Activity
I looked at the database and see a "oonitarian" with the email poly@..., but it's not associated to a team. I suspect this may be due to some networking error in the team joining phase that lead to this inconsistent state.
If you tell me exactly what you did or try again now and collect javascript console logs (open the inspector and look at the network monitor) I can perhaps figure out a way to avoid this happening in the future.
In theory you should now be able to join a team.
If that is not the case, please re-open and update this ticket.
Thanks for reporting this.
-
So I have figured out what is going on here. This bug is something that only happens when the browser is configured to disallow third-party cookies (this is the case in Tor Browser Firefox, but not the default in most browser settings).
Given the fact that we want to have SSL on the endpoint accepting the XHR request and given the fact that we can't host dynamic content on ooni.torproject.org we have two options to overcome this:
-
Suggest TBB users to do the registration after having temporarily re-enabled third-party cookies (see attached screenshot for details on how to do that)
-
Implement an alternative method for authentication that does not rely on cookies. There is some documentation for strongloop on how to do this (https://docs.strongloop.com/display/public/LB/Making+authenticated+requests#Makingauthenticatedrequests-Makingauthenticatedrequestswithaccesstokens) and we have implemented this in the past in GlobaLeaks with angular.js so it should be possible to implement this.
Pull requests implementing either the informative text explaining how to workaround the issue or one implementing header based authentication are more than welcome.
I don't think I can commit to implementing either of these any time soon though.
-
-
I implemented a quick fix for this issue that doesn't actually check to see if the problem is related to cookies, but at least provides some more information as to what is going on when an authentication error is triggered:
https://github.com/TheTorProject/ooni-web/commit/874c700854fc5dec7eaef6cc38efa325cdb33446
With this diff committed in my testing system I was able to login from the Tor browser configured to reject any kind of cookies (and related means of storage such as sessionStorage and/or localStorage):
https://github.com/TheTorProject/ooni-web/pull/22
Trac:
Username: sbs-
@sbs on Tor Browser 5.0.2, with the following privacy settings:
[ ] always use private browsing [ ] remember history [ ] remember search/form history [x] accept cookies from sites accept third party: never keep until: they expire
the patch does not work. I still get an error message saying 'authorization required'.
Trac:
Username: poly
