
debug: cypress failure on upload / CSRF / Session failure with 401 #4350

Closed
wants to merge 11 commits

Conversation

juliushaertl (Member)

Signed-off-by: Julius Härtl <jus@bitgrid.net>

📝 Summary

  • Resolves: #

🖼️ Screenshots

🏚️ Before 🏡 After
B A

🚧 TODO

  • ...

🏁 Checklist

  • Code is properly formatted (npm run lint / npm run stylelint / composer run cs:check)
  • Sign-off message is added to all commits
  • Tests (unit, integration and/or end-to-end) passing and the changes are covered with tests
  • Documentation (README or documentation) has been updated or is not required

cypress bot commented Jun 23, 2023

Passing run #10766 ↗︎

Failed: 0, Passed: 146, Pending: 1, Skipped: 0, Flakiness: 0

Details:

debug: cypress failure on upload
Project: Text Commit: 6e2751779b
Status: Passed Duration: 03:50 💡
Started: Jun 28, 2023 6:55 PM Ended: Jun 28, 2023 6:59 PM

This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.

.then(requesttoken => {
cy.request('/csrftoken')
.then(({ body }) => {
const requesttoken = body.token
juliushaertl (Member Author)

I think the duplicate then might cause timing issues, but no idea why, so far test runs on CI seem promising

juliushaertl (Member Author) commented Jun 26, 2023

Suspicious from the logs, the service worker request after login (possibly from an older context) does generate a new csrf token and fails with no user session
out.log

[
  "/index.php/login",
  "Ivtec0d1ZilXSDG2QviO",
  "2023-06-26T14:30:46+00:00",
  "CsrfTokenManager::refreshToken ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
[
  "/index.php/apps/files",
  "iKfWgZLmkIfZ3nZnfb9B",
  "2023-06-26T14:30:47+00:00",
  "CsrfTokenManager::getToken from session ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
// Some requests follow like this
[
  "/index.php/apps/theming/theme/light.css?plain=1&v=16ac97b0",
  "tLPlYmFcowDh07KdE7Hv",
  "2023-06-26T14:30:47+00:00",
  "CsrfTokenManager::getToken from session ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "Auo9QxA9hrZy2P6TDuRa",
  "2023-06-26T14:30:48+00:00",
  "CsrfTokenManager::getToken generate session HdLHWDvGZX1juFkOCzOJywiuOPMUSOJG"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "Auo9QxA9hrZy2P6TDuRa",
  "2023-06-26T14:30:48+00:00",
  "Current user is not logged in"
]
[
  "/index.php/apps/theming/theme/dark-highcontrast.css?plain=0&v=16ac97b0",
  "XJc1OUZLxuZakU8uC1Um",
  "2023-06-26T14:30:48+00:00",
  "CsrfTokenManager::getToken from session ob+PqyUvJAw7YLMbR04SAhbXIBWcAVwH"
]
// A bit later requests switch over to the new token:
[
  "/index.php/apps/theming/theme/dark.css?plain=1&v=16ac97b0",
  "bJQQWQuTRkYEnDzoGI7z",
  "2023-06-26T14:30:49+00:00",
  "CsrfTokenManager::getToken from session HdLHWDvGZX1juFkOCzOJywiuOPMUSOJG"
]

Possibly related cypress-io/cypress#16192

juliushaertl (Member Author) commented Jun 26, 2023

Another interesting log trace:

  • Seems we somehow hit brute force protection
  • service worker is still requested somewhere between user creation and login
  • login triggers logout so we may still send previous session information
[
  "/ocs/v2.php/cloud/users?format=json",
  "1oOQY0r9gMUR6wyv2It9",
  "Successful addUser call with userid: xojrqg"
]
[
  "/index.php/csrftoken",
  "p49937LSej2lyNmaDQLN",
  "CsrfTokenManager::getToken generate session HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "7vxu9QaG5KOfIICYVSF3",
  "CsrfTokenManager::getToken generate session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::isTokenValid ehp8t3or2tkw35zniioqt2rbNJO2z+NH - HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "UserSession::logout"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "Bruteforce attempt from \"127.0.0.1\" detected for action \"login\"."
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "IP address throttled because it reached the attempts limit in the last 30 minutes [action: login, delay: 200, ip: 127.0.0.1]"
]
[
  "/index.php/apps/files",
  "mS42ijELIn1JHl39pj8I",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/apps/files",
  "mS42ijELIn1JHl39pj8I",
  "Current user is not logged in"
]

nextcloud 19.log

This case also still involves preview-service-worker.js

[
  "/index.php/csrftoken",
  "p49937LSej2lyNmaDQLN",
  "CsrfTokenManager::getToken generate session HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/apps/files/preview-service-worker.js",
  "7vxu9QaG5KOfIICYVSF3",
  "CsrfTokenManager::getToken generate session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
[
  "/index.php/login",
  "V1zL48EdfBVv0SNEkmQq",
  "CsrfTokenManager::isTokenValid ehp8t3or2tkw35zniioqt2rbNJO2z+NH - HW2eEjyPc9RNEMe/EzFWnuS1Sot0PTuA"
]
[
  "/index.php/apps/files",
  "mS42ijELIn1JHl39pj8I",
  "CsrfTokenManager::getToken from session ehp8t3or2tkw35zniioqt2rbNJO2z+NH"
]
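The two traces above (the out.log excerpt and the nextcloud 19.log excerpt) show the same shape: one request mints a session token, the preview-service-worker.js request mints a second one, and the next isTokenValid check compares tokens from the two sessions just before the logout / "not logged in" entries. The script below is an added example, not code from the nextcloud/text PR or from Nextcloud server. It replays a constructed trace with the same entry layout ([path, requestId, message], optionally with a timestamp before the message) and the same message patterns, and reports where a fresh session appeared while another was live, which isTokenValid check mixed tokens from two sessions, and which request ended up without a user. The token strings and request ids in the sample are placeholders.

```javascript
// Added example; not code from the nextcloud/text PR or from Nextcloud server.
// Replays a CSRF-token debug trace shaped like the entries in the comments
// above and reports (a) requests that generated a fresh session token while
// another token was still in use, (b) isTokenValid checks whose two tokens
// belong to different sessions, and (c) "not logged in" responses together
// with the token their request carried.
//
// Assumed entry shape (from the pasted traces): [path, requestId, message] or
// [path, requestId, timestamp, message]. Message patterns are copied from the
// trace; the order of the two tokens in isTokenValid is reported as logged,
// not interpreted.

const GENERATE = /^CsrfTokenManager::getToken generate session (\S+)$/;
const FROM_SESSION = /^CsrfTokenManager::getToken from session (\S+)$/;
const VALIDATE = /^CsrfTokenManager::isTokenValid (\S+) - (\S+)$/;
const NOT_LOGGED_IN = 'Current user is not logged in';

// Constructed sample trace (tokens and request ids are placeholders). It
// mirrors the sequence in the second comment: /csrftoken creates a session,
// the service-worker request creates another, the login is validated across
// the two, and the files app then sees no user.
const SAMPLE_TRACE = [
  ['/index.php/csrftoken', 'req-csrf', 'CsrfTokenManager::getToken generate session TOKEN_A'],
  ['/index.php/apps/files/preview-service-worker.js', 'req-sw', 'CsrfTokenManager::getToken generate session TOKEN_B'],
  ['/index.php/login', 'req-login', 'CsrfTokenManager::getToken from session TOKEN_B'],
  ['/index.php/login', 'req-login', 'CsrfTokenManager::isTokenValid TOKEN_B - TOKEN_A'],
  ['/index.php/login', 'req-login', 'UserSession::logout'],
  ['/index.php/apps/files', 'req-files', '2023-06-26T14:30:48+00:00', 'CsrfTokenManager::getToken from session TOKEN_B'],
  ['/index.php/apps/files', 'req-files', 'Current user is not logged in'],
];

function parseEntry(entry) {
  // Path and request id come first; the message is always last, so an
  // optional timestamp in between is skipped.
  return { path: entry[0], requestId: entry[1], message: entry[entry.length - 1] };
}

function analyzeTrace(trace) {
  const generatedBy = new Map();    // token -> { path, requestId } that created it
  const tokenOfRequest = new Map(); // requestId -> token that request worked with
  let current = null;               // token the most recent request worked with
  const report = { sessionSwitches: [], mismatches: [], unauthenticated: [] };

  for (const raw of trace) {
    const { path, requestId, message } = parseEntry(raw);
    let m;
    if ((m = GENERATE.exec(message))) {
      const token = m[1];
      generatedBy.set(token, { path, requestId });
      tokenOfRequest.set(requestId, token);
      if (current !== null && current !== token) {
        // A brand-new session appeared while an earlier one was still live.
        report.sessionSwitches.push({ path, requestId, from: current, to: token });
      }
      current = token;
    } else if ((m = FROM_SESSION.exec(message))) {
      tokenOfRequest.set(requestId, m[1]);
      current = m[1];
    } else if ((m = VALIDATE.exec(message))) {
      const tokens = [m[1], m[2]];
      if (tokens[0] !== tokens[1]) {
        report.mismatches.push({
          path,
          requestId,
          tokens,
          // Which request minted each token, so the mismatch can be traced
          // back to the session that produced it.
          origins: tokens.map((t) => generatedBy.get(t) || null),
        });
      }
    } else if (message === NOT_LOGGED_IN) {
      report.unauthenticated.push({ path, requestId, token: tokenOfRequest.get(requestId) || null });
    }
  }
  return report;
}

// One human-readable line per finding, suitable for pasting into a PR comment.
function describe(report) {
  const lines = [];
  for (const s of report.sessionSwitches) {
    lines.push(`session switch at ${s.path} (${s.requestId}): ${s.from} -> ${s.to}`);
  }
  for (const x of report.mismatches) {
    const origin = x.origins.map((o) => (o ? o.path : 'unknown')).join(' vs ');
    lines.push(`token mismatch at ${x.path} (${x.requestId}): ${x.tokens.join(' != ')} [${origin}]`);
  }
  for (const u of report.unauthenticated) {
    lines.push(`no user at ${u.path} (${u.requestId}) with token ${u.token}`);
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(describe(analyzeTrace(SAMPLE_TRACE)).join('\n'));
}
```

Run on the sample it prints three lines: the session switch caused by the preview-service-worker.js request, the login's token mismatch with both tokens traced to the requests that minted them, and the files request that carried the second token and found no user. To use it on a real out.log, replace SAMPLE_TRACE with the parsed JSON entries; the message patterns are the only thing that needs to match the server's debug output.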

juliushaertl (Member Author)

Another related one cypress-io/cypress#702

The workarounds to disable service workers in cypress don't seem to do the trick, but patching out the service worker part in the server seems promising for today's pushes: https://github.com/nextcloud/text/actions/workflows/cypress.yml?query=branch%3Acypress%2Fdebug

Signed-off-by: Julius Härtl <jus@bitgrid.net>
@juliushaertl juliushaertl changed the title debug: cypress failure on upload debug: cypress failure on upload / CSRF / Session failure with 401 Jul 21, 2023
juliushaertl (Member Author)

Closing as tests seem more stable now
