Can not login with Facebook on Safari

[thebillkidy]

Hi,

So when logging in with Facebook on safari I get the error message as stated below, now when I try this in other browsers it works:

Error: Missing facebook request token cookie
at Object.authenticate (/home/ubuntu/testproject/Backend/node_modules/bell/lib/oauth.js:191:31)
at /home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:324:34
at internals.Protect.run.finish [as run] (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/protect.js:64:5)
at execute (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:320:30)
at authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:306:21)
at internals.Auth.test.internals.Auth._authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:214:19)
at internals.Auth.test.internals.Auth.authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:202:17)
at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
at done (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:28:25)
at internals.state.next (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/route.js:364:16)
at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
at Object.exports.serial (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:39:9)

[thebillkidy]

After updating to the latest libraries and setting the correct cookie password length it still gives the same error:

Debug: auth, unauthenticated, error, facebook
    Error: Missing facebook request token cookie
    at Object.authenticate (/home/ubuntu/testproject/Backend/node_modules/bell/lib/oauth.js:201:31)
    at /home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:324:34
    at internals.Protect.run.finish [as run] (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/protect.js:64:5)
    at execute (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:320:30)
    at authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:306:21)
    at internals.Auth.test.internals.Auth._authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:214:19)
    at internals.Auth.test.internals.Auth.authenticate (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/auth.js:202:17)
    at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at done (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:28:25)
    at internals.state.next (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/route.js:364:16)
    at each (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at Object.exports.serial (/home/ubuntu/testproject/Backend/node_modules/hapi/node_modules/items/lib/index.js:39:9)
    at internals.Request.internals.Request._execute.internals.Request._lifecycle.each [as _lifecycle] (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:386:11)
    at internals.Request.internals.Request._execute (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/request.js:301:21)
    at Domain.<anonymous> (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/connection.js:244:25)
    at Domain.run (domain.js:228:14)
    at internals.Protect.run.internals.Protect.enter (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/protect.js:80:17)
    at Server.<anonymous> (/home/ubuntu/testproject/Backend/node_modules/hapi/lib/connection.js:242:30)
    at emitTwo (events.js:87:13)
    at Server.emit (events.js:172:7)
    at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:529:12)
    at HTTPParser.parserOnHeadersComplete (_http_common.js:88:23)

[thebillkidy]

P.S. this is my configuration:

        server.auth.strategy('facebook', 'bell', {
            provider: providerName,
            password: 'cookie_encryption_password_test123123123123',
            clientId: config.social[providerName].clientId,
            clientSecret: config.social[providerName].clientSecret,
            isSecure: false     // Terrible idea but required if not using HTTPS
        });

[thebillkidy]

I got a bit further, so when I add the mode: 'try' option, and of course reply if we are not authenticated then it shows this in the url bar:

http://testproject.com/auth/facebook/login?code=AQCad9A_0WyCcahgjeeSWP35aHQ7cW_omTigyNMsIUb5RnaCeOssRzDxeiBDeXklLdwWgBl_00iQoSxJVYw_9SUww0MK7gAioLkpTkjFp4Gf0f6zduln3uoendkfn6g5psXFU1ASpJy1yWwHpAx5PYaOSoJTa_PxNuVBhUDzRY73h5kdeiOITpKOMOMt2wQV-xlBHnbBPqOFDCY_-EVTWdf4PxOgzKXrBNqAWDacAQ-G9TrsrR5gil_uPgUCN6r-iANhnUop2uFiepAzQ6UcpKA_tC6sDzFuXlbEPg&state=34CX-QUMKrdaTj7UpWBQCJ#_=_"

[thebillkidy]

@ldesplat could you maybe help with this? Seeing that this issue is currently blocking my production environment and I got a deadline coming up monday.

[ldesplat]

Alright, looks like I can recreate the issue in Safari. Looks like it worked in Chrome & Firefox. Gotta figure out what changed in Safari and why it does not like our cookie to keep it around.

[ldesplat]

I am using Safari v9.0.3, wonder if it worked on previous versions 8?

[thebillkidy]

I will ask someone who still got an older safari to try and login using facebook, I'll let you know asap

[ldesplat]

I've downgraded to Bell v6.3.0 and see the same issue. What's funny is that if it fails the first time, then re-enter the url and it will work.... :(
ie.
http://yoururl/login -> missing facebook request token cookie
http://yoururl/login -> works

seems to especially break when you have to explicitly login rather than being automatically redirected (when you are already logged in through facebook).

Re-created it through chrome once as well but cannot do it anymore. Cannot re-create with firefox at all (which sucks because it has best developer tools IMO)

[thebillkidy]

Indeed, I have noticed that too. But it is kinda critical since a new user will encounter it. Could it have anything to do with Facebook? Since every time I try to login with fb it first shows a warning: Cookies not enabled, so I try again and get logged in on their site. Then I get the error of token not found in the backend.

Now maybe it has something to do with a failover storage of Facebook login? Maybe localstorage?? (not sure)

[thebillkidy]

P.S. Just got word that it is not working on safari 5.1 either the first time, after that it works

[ldesplat]

Just when I disabled my developer accounts with Google. Gotta check if it happens with another provider...

[ldesplat]

I cannot recreate anymore, no matter how many times I clear all my cookies and storage. Did it get fixed?

[thebillkidy]

It is not fixed yet, I can still replicate it (I do use incognito mode however every time I test it), since cookies do not always clear correctly + I think 302 redirects get cached

[thebillkidy]

@ldesplat Any progress? Since I still couldn't find any solution for this :/ and I really need it working. @hueniverse do you have an idea what the cause of this problem could be?

[hueniverse]

No idea.

[tkh44]

Safari has very strict content security policies so depending on how you are doing your redirect it will not submit the cookies. There are a couple of workarounds, the simplest of which is described here zotonic/zotonic#902 (comment).

[ldesplat]

Thank you @tkh44 That makes a lot of sense. I'll probably look this over the weekend. If you need this earlier, I'll gladly accept a PR.

[declandewet]

Could this perhaps be related to the origin header issue with Safari? ref: http://craigbeck.io/blog/2015/10/27/safari-plus-hapi-dot-js-plus-cors-equals-404/

[thebillkidy]

I Tried adding the Origin header but that didn't fix it :/ Also don't got the time right now to look into it deeper since I got a deadline coming up. If I have the time I'll look into it.

[thebillkidy]

Any update? @ldesplat

[gouthamve]

Hmm, this is a serious issue hurting us pretty bad. We are not able to add Fb login feature from several weeks only due to this issue. Could you please look into this?

[ldesplat]

I am swamped at the moment, but I will be very happy to accept a PR from anybody in the community. The solution has been laid out earlier in the conversation. I'll get to it as I can for now but I will be very happy to make a new release with a contribution.

[ldesplat]

@thebillkidy @gouthamve I've tried recreating it, and this time I really cannot anymore. I cleared all cookies, restarted browser, even using private sessions. I really am unable to re-create it.

If you are, then I suggest you try the following bug fix:
In this file in that block: https://github.com/hapijs/bell/blob/master/lib/oauth.js#L201

1. reply with a html file that does a meta refresh https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta and make sure to pass the url with an extra query parameter (ie. refresh=1
2. In that same code block, when refresh === 1 then show error
3. Otherwize, do the refresh

That should fix it. But since I am unable to reproduce it with firefox/chrome/safari after deleting cookies and using private sessions, there's not much I can do to verify that it's working correctly.

It looks like a simple fix, so if you are able to constantly reproduce it. Please submit a PR with a fix that works! Thank you!

[ldesplat]

Can you confirm you cannot reproduce as well? I've tried again today and could not. If you are able to reproduce please contribute back a fix. Nothing I can do otherwise. I've described a potential solution so feel free to attempt and ask questions.

[thebillkidy]

Hi,

Sorry for the late response. This bug is still there and I am still unable to fix it. It happens in very rare cases and replicating it consistently is hard. Around 5% of the testers that I used (different people) still had this problem.

[thebillkidy]

Error:

160418/160709.555, [error], message: Missing facebook request token cookie stack: Error: Missing facebook request token cookie
    at Object.authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/bell/lib/oauth.js:201:31)
    at /home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:324:34
    at internals.Protect.run.finish [as run] (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/protect.js:64:5)
    at execute (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:320:30)
    at authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:306:21)
    at internals.Auth.test.internals.Auth._authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:214:19)
    at internals.Auth.test.internals.Auth.authenticate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/auth.js:202:17)
    at each (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at done (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:28:25)
    at internals.state.next (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/route.js:350:16)
    at each (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:383:16)
    at iterate (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:36:13)
    at Object.exports.serial (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/node_modules/items/lib/index.js:39:9)
    at internals.Request.internals.Request._execute.internals.Request._lifecycle.each [as _lifecycle] (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:386:11)
    at internals.Request.internals.Request._execute (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/request.js:301:21)
    at Domain.<anonymous> (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/connection.js:261:25)
    at Domain.run (domain.js:228:14)
    at internals.Protect.run.internals.Protect.enter (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/protect.js:80:17)
    at Server.<anonymous> (/home/ubuntu/unnamed-src/Backend/node_modules/hapi/lib/connection.js:259:30)
    at emitTwo (events.js:87:13)
    at Server.emit (events.js:172:7)
    at HTTPParser.parserOnIncoming [as onIncoming] (_http_server.js:529:12)

[thebillkidy]

Ok current update, with this code it works in Safari and the problem can not be reproduced anymore. I will make a PR as soon as it has been tested for a bit.

if (!state) {
    if (request.query && request.query.refresh === 1) {
        return reply(Boom.internal('Missing ' + name + ' request token cookie'));
    } else {
        var url = request.connection.info.protocol + '://' + request.info.host + request.url.path + '&refresh=1';
        return reply('<html><head><meta http-equiv="refresh" content="0;URL=\'' + url + '\'"></head><body></body></html>');
    }
}

[ldesplat]

Your fix is now in 7.6.1 with some modifications. Let me know if this does it. Thank you very much.

[thebillkidy]

Ok, so we tested it again on all major browsers, different operating system. The bug can not be reproduced now on where it appeared earlier, we however had some problems on a Windows Surface tablet, but this might be due to my implementation on the client side.

[ldesplat]

Thank you for all that effort!

[EvilJimJafar]

We are experiencing this with Bell 10.0.0