Login issues after upgrading to 0.19.2 #4379

Closed
4 tasks done
poVoq opened this issue Jan 14, 2024 · 15 comments
Labels
bug Something isn't working

Comments

@poVoq

poVoq commented Jan 14, 2024

Requirements

  • This is a bug report, and if not, please post to https://lemmy.ml/c/lemmy_support instead.
  • Please check to see if this issue already exists.
  • It's a single bug. Do not report multiple bugs in one issue.
  • It's a frontend issue, not a backend issue; Otherwise please create an issue on the backend repo instead.

Summary

After upgrading from 0.18.5 to 0.19.2 all users with a login cookie are locked out of the page with an error message and the only way to fix this is to manually delete all site cookies, which is a bit hard to explain to users when they can't access the site.

I tried re-generating the jwt_secret in the database to forcefully log out users, but this had the opposite effect with the error re-appearing for users that had already removed their cookies, which lets me assume the problem might be that the ui doesn't recognize that the jwt secret changed. This would be a regression as this worked previously.

Steps to Reproduce

  1. upgrade from 0.18.5 to 0.19.2
  2. error appears

Technical Details

Official docker containers. Other instance admins seem to have the same issue.

Lemmy Instance Version

0.19.2

Lemmy Instance URL

https://slrpnk.net

@poVoq poVoq added the bug Something isn't working label Jan 14, 2024
@Nothing4You
Contributor

maybe related to #4321?

@Nothing4You
Contributor

reproduction steps, also work with lemmy.ml: set the jwt token to a value that is a jwt but is not accepted by lemmy, such as eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, which is used as demo on https://jwt.io/.

@poVoq
Author

poVoq commented Jan 15, 2024

So I guess a work-around would be to temporarily downgrade to lemmy-ui 0.19.1 until all users have their cookies reset?

Edit: hmm, it's not entirely clear where this regression was introduced looking at the changes. Maybe it's even necessary to downgrade to 0.19.0?

@Nothing4You
Contributor

some people migrated straight from 0.18 to .1 and didn't report such issues, i'm pretty sure this is only since .2.

it looks like the only db migration is a unique constraint on site names being dropped, it should be easy to migrate back to .1, although you may want to check if you happened to have some non-unique sites in your db now: https://github.com/LemmyNet/lemmy/tree/0.19.2/migrations/2024-01-02-094916_site-name-not-unique

@poVoq
Author

poVoq commented Jan 15, 2024

Ah, so you think this also requires a downgrade of the back end? That would explain why I couldn't really find a relevant change in the frontend 🤔

@Nothing4You
Contributor

I suspect this was #4321, which was a backend change.

@Pseudochron

Hexbear had this issue when they upgraded from 0.18.3 to 0.19.1. https://hexbear.net/post/1409259

@Nothing4You
Contributor

i'll try to repro this with going both from 0.18.5 to 0.19.1 and 0.18.5 to 0.19.2 to see where it breaks

@Nothing4You
Contributor

Nothing4You commented Jan 15, 2024

  1. mm9km1.lem.rocks deployed with 0.18.5
  2. logged in as admin
  3. got cookie jwt with content eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6Im1tOWttMS5sZW0ucm9ja3MiLCJpYXQiOjE3MDUzNDY1MTV9.WgwC6o5PTr-_tYoAyXSvAlEn-i4VSoGrHV5g7Y4FEk8
  4. updated to 0.19.1
  5. lemmy-ui shows Error: incorrect_login but otherwise works
  6. not logging in, sticking to 0.18.5 jwt cookie
  7. updated to 0.19.2
  8. lemmy-ui is broken

You can also reproduce this on some random 0.19.1 instances, just set an invalid jwt, such as the one in step 3 above for one of the following domains:

Pick a random 0.19.2 instance, set the cookie, observe breakage, e.g.:

Note that you might need to do a full reload (cmd+shift+r, ctrl+f5) in some cases to bypass the cache.

Warning

If you're testing this in your regular browser session you'll likely want to clear the invalid cookies afterwards, as this currently also breaks pictrs on those instances.

@Nothing4You
Contributor

details from hexbear's update to 0.19.1:
after the update, lemmy-ui displayed everything as if not logged in, showing the auth failure message.
clearing cookies however was necessary to be able to login again, as the login otherwise failed.

i'll see if i can find some time later or tomorrow to try to replicate this aspect, as i did not attempt to login in my previous tests.

there might be more than one problematic issue here, although i suspect both would likely be addressed if lemmy-ui discarded the auth cookie when it determines it's invalid.
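
One way to implement the suggestion above of discarding the auth cookie once it is found invalid, as an added example that is not lemmy-ui or Lemmy code. The function names, the way the secret is passed in, and the cookie `Path=/` are assumptions made for illustration.

```javascript
// Added example, not lemmy-ui code: treat an unverifiable "jwt" cookie as
// "anonymous + expire the cookie" instead of failing the whole page.
const crypto = require("node:crypto");

const COOKIE_NAME = "jwt"; // cookie name as used in this thread

const decodePart = (p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
const encodePart = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Helper used only to build constructed sample tokens.
function signHs256(claims, secret) {
  const body = encodePart({ typ: "JWT", alg: "HS256" }) + "." + encodePart(claims);
  return body + "." + hmac(body, secret).toString("base64url");
}

// Returns the claims of a valid HS256 token, or null. Never throws on bad input.
function verifyHs256(token, secret) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  try {
    if (decodePart(parts[0]).alg !== "HS256") return null; // pin the algorithm
    const expected = hmac(parts[0] + "." + parts[1], secret);
    const given = Buffer.from(parts[2], "base64url");
    if (given.length !== expected.length) return null;
    if (!crypto.timingSafeEqual(given, expected)) return null;
    return decodePart(parts[1]);
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Decide how to treat a request's Cookie header.
function resolveSession(cookieHeader, secret) {
  const re = new RegExp("(?:^|;\\s*)" + COOKIE_NAME + "=([^;]*)");
  const match = re.exec(cookieHeader || "");
  if (!match) return { user: null, setCookie: null }; // no cookie: plain anonymous
  const claims = verifyHs256(match[1], secret);
  if (claims) return { user: claims.sub, setCookie: null };
  // Stale or foreign token (e.g. after the secret changed): keep serving the
  // page as anonymous and expire the cookie so the next login starts clean.
  // Path is assumed to be "/" and must match the path the cookie was set with.
  return { user: null, setCookie: COOKIE_NAME + "=; Path=/; Max-Age=0" };
}
```

A caller would send `setCookie`, when non-null, as a `Set-Cookie` response header and render the logged-out view.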

@Nutomic Nutomic transferred this issue from LemmyNet/lemmy-ui Jan 16, 2024
@Nutomic
Member

Nutomic commented Jan 16, 2024

Correct, this is caused by #4321 which was released with Lemmy 0.19.1. Moving this to backend repo. It's fixed by #4380.

@Nothing4You
Contributor

It is still technically a lemmy-ui issue, isn't it?
Or, if you want to keep this in the lemmy repo for addressing the regression, a separate issue should be created in lemmy-ui (if one doesn't already exist) to cover the case of invalid auth cookies?

@aeharding

The main issue is with lemmy-ui imho, where an invalid token causes the UI to become completely stuck, with the user unable to re-login.

Relevant: #4319 (comment)

@Nothing4You
Contributor

I just tested the scenario described for hexbear, although without actually doing an upgrade, and I can't reproduce it.

I've spun up a new 0.19.1 instance from scratch, set the same jwt cookie described above, which resulted in the invalid login messages.
It did however not prevent me from logging in and once I did the errors were (expectedly) gone.

To check whether this is different on an upgraded instance, I deleted the instance again and spun up yet another one.
On this instance, I first deployed 0.18.5, and logged in, then updated to 0.19.1 and tried to login, which also had the same behavior of not showing any issues.

@Nutomic
Member

Nutomic commented Jan 22, 2024

There is 0.19.3-rc.1 available now which includes a fix for this. The PR is #4380.

@Nutomic Nutomic closed this as completed Jan 22, 2024