Can not login with Facebook on Safari #191

Closed
thebillkidy opened this issue Mar 3, 2016 · 31 comments
Labels: bug

@thebillkidy thebillkidy commented Mar 3, 2016

Hi,

So when logging in with Facebook on safari I get the error message as stated below, now when I try this in other browsers it works:

Error: Missing facebook request token cookie
    at Object.authenticate (/home/ubuntu/testproject/Backend/node_modules/bell/lib/oauth.js:191:31)
    at /home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:324:34
    at internals.Protect.run.finish [as run] (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/protect.js:64:5)
    at execute (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:320:30)
    at authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:306:21)
    at internals.Auth.test.internals.Auth._authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:214:19)
    at internals.Auth.test.internals.Auth.authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:202:17)
    at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at done (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:28:25)
    at internals.state.next (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/route.js:364:16)
    at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at Object.exports.serial (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:39:9)

@thebillkidy thebillkidy commented Mar 3, 2016

After updating to the latest libraries and setting the correct cookie password length it still gives the same error:

Debug: auth, unauthenticated, error, facebook
    Error: Missing facebook request token cookie
    at Object.authenticate (/home/ubuntu/testproject/Backend/node_modules/bell/lib/oauth.js:201:31)
    at /home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:324:34
    at internals.Protect.run.finish [as run] (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/protect.js:64:5)
    at execute (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:320:30)
    at authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:306:21)
    at internals.Auth.test.internals.Auth._authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:214:19)
    at internals.Auth.test.internals.Auth.authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:202:17)
    at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at done (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:28:25)
    at internals.state.next (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/route.js:364:16)
    at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at Object.exports.serial (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:39:9)
    at internals.Request.internals.Request._execute.internals.Request._lifecycle.each [as _lifecycle] (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:386:11)
    at internals.Request.internals.Request._execute (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:301:21)
    at Domain.<anonymous> (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/connection.js:244:25)
    at Domain.run (domain.js:228:14)
    at internals.Protect.run.internals.Protect.enter (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/protect.js:80:17)
    at Server.<anonymous> (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/connection.js:242:30)
    at emitTwo (events.js:87:13)
    at Server.emit (events.js:172:7)
    at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:529:12)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:88:23)

@thebillkidy thebillkidy commented Mar 3, 2016

P.S. this is my configuration:

        server.auth.strategy('facebook', 'bell', {
            provider: providerName,
            password: 'cookie_encryption_password_test123123123123',
            clientId: config.social[providerName].clientId,
            clientSecret: config.social[providerName].clientSecret,
            isSecure: false     // Terrible idea but required if not using HTTPS
        });

@thebillkidy thebillkidy commented Mar 3, 2016

I got a bit further, so when I add the mode: 'try' option, and of course reply if we are not authenticated then it shows this in the url bar:

http://testproject.com/auth/facebook/login?code=AQCad9A_0WyCcahgjeeSWP35aHQ7cW_omTigyNMsIUb5RnaCeOssRzDxeiBDeXklLdwWgBl_00iQoSxJVYw_9SUww0MK7gAioLkpTkjFp4Gf0f6zduln3uoendkfn6g5psXFU1ASpJy1yWwHpAx5PYaOSoJTa_PxNuVBhUDzRY73h5kdeiOITpKOMOMt2wQV-xlBHnbBPqOFDCY_-EVTWdf4PxOgzKXrBNqAWDacAQ-G9TrsrR5gil_uPgUCN6r-iANhnUop2uFiepAzQ6UcpKA_tC6sDzFuXlbEPg&state=34CX-QUMKrdaTj7UpWBQCJ#_=_"

@thebillkidy thebillkidy commented Mar 4, 2016

@ldesplat could you maybe help with this? Seeing that this issue is currently blocking my production environment and I got a deadline coming up monday.

@ldesplat ldesplat commented Mar 4, 2016

Alright, looks like I can recreate the issue in Safari. Looks like it worked in Chrome & Firefox. Gotta figure out what changed in Safari and why it does not like our cookie to keep it around.

@ldesplat ldesplat added this to the 7.1.1 milestone Mar 4, 2016

@ldesplat ldesplat commented Mar 4, 2016

I am using Safari v9.0.3, wonder if it worked on previous versions 8?

@thebillkidy thebillkidy commented Mar 4, 2016

I will ask someone who still got an older safari to try and login using facebook, I'll let you know asap

@ldesplat ldesplat commented Mar 4, 2016

I've downgraded to Bell v6.3.0 and see the same issue. What's funny is that if it fails the first time, then re-enter the url and it will work.... :(
ie.
http://yoururl/login -> missing facebook request token cookie
http://yoururl/login -> works

seems to especially break when you have to explicitly login rather than being automatically redirected (when you are already logged in through facebook).

Re-created it through chrome once as well but cannot do it anymore. Cannot re-create with firefox at all (which sucks because it has best developer tools IMO)

@thebillkidy thebillkidy commented Mar 4, 2016

Indeed, I have noticed that too. But it is kinda critical since a new user will encounter it. Could it have anything to do with Facebook? Since every time I try to login with fb it first shows a warning: Cookies not enabled, so I try again and get logged in on their site. Then I get the error of token not found in the backend.

Now maybe it has something to do with a failover storage of Facebook login? Maybe localstorage?? (not sure)

@thebillkidy thebillkidy commented Mar 4, 2016

P.S. Just got word that it is not working on safari 5.1 either the first time, after that it works

@ldesplat ldesplat commented Mar 4, 2016

Just when I disabled my developer accounts with Google. Gotta check if it happens with another provider...

@ldesplat ldesplat commented Mar 4, 2016

I cannot recreate anymore, no matter how many times I clear all my cookies and storage. Did it get fixed?

@thebillkidy thebillkidy commented Mar 4, 2016

It is not fixed yet, I can still replicate it (I do use incognito mode however every time I test it), since cookies do not always clear correctly + I think 302 redirects get cached

@thebillkidy thebillkidy commented Mar 8, 2016

@ldesplat Any progress? Since I still couldn't find any solution for this :/ and I really need it working. @hueniverse do you have an idea what the cause of this problem could be?

@hueniverse hueniverse commented Mar 8, 2016

No idea.

@tkh44 tkh44 commented Mar 8, 2016

Safari has very strict content security policies so depending on how you are doing your redirect it will not submit the cookies. There are a couple of workarounds, the simplest of which is described here zotonic/zotonic#902 (comment).

@ldesplat ldesplat commented Mar 8, 2016

Thank you @tkh44 That makes a lot of sense. I'll probably look this over the weekend. If you need this earlier, I'll gladly accept a PR.

@declandewet declandewet commented Mar 10, 2016

Could this perhaps be related to the origin header issue with Safari? ref: http://craigbeck.io/blog/2015/10/27/safari-plus-hapi-dot-js-plus-cors-equals-404/

@thebillkidy thebillkidy commented Mar 11, 2016

I tried adding the Origin header but that didn't fix it :/ Also don't got the time right now to look into it deeper since I got a deadline coming up. If I have the time I'll look into it.

@ldesplat ldesplat modified the milestones: 7.2.1, 7.1.1 Mar 12, 2016

@thebillkidy thebillkidy commented Mar 30, 2016

Any update? @ldesplat

@gouthamve gouthamve commented Apr 6, 2016

Hmm, this is a serious issue hurting us pretty bad. We are not able to add Fb login feature from several weeks only due to this issue. Could you please look into this?

@ldesplat ldesplat commented Apr 6, 2016

I am swamped at the moment, but I will be very happy to accept a PR from anybody in the community. The solution has been laid out earlier in the conversation. I'll get to it as I can for now but I will be very happy to make a new release with a contribution.

@ldesplat ldesplat commented Apr 10, 2016

@thebillkidy @gouthamve I've tried recreating it, and this time I really cannot anymore. I cleared all cookies, restarted browser, even using private sessions. I really am unable to re-create it.

If you are, then I suggest you try the following bug fix:
In this file in that block: https://github.com/hapijs/bell/blob/master/lib/oauth.js#L201

  1. Reply with an HTML file that does a meta refresh https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta and make sure to pass the url with an extra query parameter (i.e. refresh=1)
  2. In that same code block, when refresh === 1 then show error
  3. Otherwise, do the refresh

That should fix it. But since I am unable to reproduce it with firefox/chrome/safari after deleting cookies and using private sessions, there's not much I can do to verify that it's working correctly.

It looks like a simple fix, so if you are able to constantly reproduce it, please submit a PR with a fix that works! Thank you!

@ldesplat ldesplat removed this from the 7.5.1 milestone Apr 17, 2016

@ldesplat ldesplat commented Apr 17, 2016

Can you confirm you cannot reproduce as well? I've tried again today and could not. If you are able to reproduce please contribute back a fix. Nothing I can do otherwise. I've described a potential solution so feel free to attempt and ask questions.

@thebillkidy thebillkidy commented Apr 18, 2016

Hi,

Sorry for the late response. This bug is still there and I am still unable to fix it. It happens in very rare cases and replicating it consistently is hard. Around 5% of the testers that I used (different people) still had this problem.

@thebillkidy thebillkidy commented Apr 18, 2016

Error:

160418/160709.555, [error], message: Missing facebook request token cookie stack: Error: Missing facebook request token cookie
    at Object.authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/bell/lib/oauth.js:201:31)
    at /home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:324:34
    at internals.Protect.run.finish [as run] (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/protect.js:64:5)
    at execute (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:320:30)
    at authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:306:21)
    at internals.Auth.test.internals.Auth._authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:214:19)
    at internals.Auth.test.internals.Auth.authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:202:17)
    at each (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at done (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:28:25)
    at internals.state.next (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/route.js:350:16)
    at each (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at Object.exports.serial (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:39:9)
    at internals.Request.internals.Request._execute.internals.Request._lifecycle.each [as _lifecycle] (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:386:11)
    at internals.Request.internals.Request._execute (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:301:21)
    at Domain.<anonymous> (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/connection.js:261:25)
    at Domain.run (domain.js:228:14)
    at internals.Protect.run.internals.Protect.enter (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/protect.js:80:17)
    at Server.<anonymous> (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/connection.js:259:30)
    at emitTwo (events.js:87:13)
    at Server.emit (events.js:172:7)
    at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:529:12)

@thebillkidy thebillkidy commented Apr 18, 2016

Ok current update, with this code it works in Safari and the problem can not be reproduced anymore. I will make a PR as soon as it has been tested for a bit.

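    // Callback arrived without the state cookie (the Safari first-login case).
    if (!state) {
        // Query values are strings, so the retry marker must be compared with '1';
        // comparing with the number 1 never matches and the page would reload forever.
        if (request.query && request.query.refresh === '1') {
            return reply(Boom.internal('Missing ' + name + ' request token cookie'));
        } else {
            // First attempt: reload the same callback URL once via meta refresh.
            var url = request.connection.info.protocol + '://' + request.info.host + request.url.path + '&refresh=1';
            return reply('<html><head><meta http-equiv="refresh" content="0;URL=\'' + url + '\'"></head><body></body></html>');
        }
    }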
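
The meta-refresh retry suggested by @ldesplat and posted by @thebillkidy above, written as a stand-alone function. This is an added example, not bell's code and not the change released in 7.6.1; `missingStateResponse`, `baseUrl` and `pathWithQuery` are hypothetical names. It assumes the app's public origin comes from configuration rather than the request's Host header, and it HTML-escapes the URL because request data is reflected into the page.

```javascript
'use strict';

// Added example; all names here are hypothetical, not bell's API.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);

// baseUrl:       the app's configured public origin (assumption: taken from
//                configuration, never from the request's Host header).
// pathWithQuery: path plus query string exactly as received on the callback.
function missingStateResponse(baseUrl, pathWithQuery, providerName) {
    const url = new URL(pathWithQuery, baseUrl);

    // A path such as "//other.example/..." resolves to another origin; refuse it
    // so the refresh page cannot be used to send the browser elsewhere.
    if (url.origin !== new URL(baseUrl).origin) {
        return { statusCode: 400, error: 'Invalid callback path' };
    }

    // Second attempt and the cookie is still missing: stop retrying.
    // Query values are strings, so the marker is compared with '1'.
    if (url.searchParams.get('refresh') === '1') {
        return { statusCode: 500, error: 'Missing ' + providerName + ' request token cookie' };
    }

    // First attempt: add the marker (works whether or not a query already
    // exists) and re-encodes the query values in the process.
    url.searchParams.set('refresh', '1');

    // The URL is reflected into an HTML attribute, so escape it.
    const target = escapeHtml(url.href);
    return {
        statusCode: 200,
        html: '<html><head><meta http-equiv="refresh" content="0;URL=\'' + target +
              '\'"></head><body></body></html>'
    };
}
```
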

@ldesplat ldesplat commented Apr 30, 2016

Your fix is now in 7.6.1 with some modifications. Let me know if this does it. Thank you very much.

@thebillkidy thebillkidy commented May 2, 2016

Ok, so we tested it again on all major browsers, different operating system. The bug can not be reproduced now on where it appeared earlier, we however had some problems on a Windows Surface tablet, but this might be due to my implementation on the client side.

@ldesplat ldesplat commented May 2, 2016

Thank you for all that effort!

@EvilJimJafar EvilJimJafar commented Sep 5, 2019

We are experiencing this with Bell 10.0.0
