instagram signup is buggy #809

Closed
snarfed opened this Issue Apr 11, 2018 · 26 comments

Owner

snarfed commented Apr 11, 2018

at least two problems:

  1. indieauth fails for @Zegnat because he uses his own auth endpoint, https://vanderven.se/martijn/auth/ , which we somewhat handle ok, but its verification response doesn't return me, which we don't handle ok. IRC discussions, snarfed/oauth-dropins@d65d415, snarfed/oauth-dropins@f8ff52e.
  2. when i try to log in, indieauth works ok, but then the IG profile page fetch gets rate limited, which breaks badly with an IG-rendered error page 😂 😭.

apologies @Zegnat, but i may deprioritize 1 until if/when you actually use bridgy. 😆 2, though, i should look at.

cc @aaronpk

snarfed added the now label Apr 11, 2018

Owner

snarfed commented Apr 11, 2018

alternative: drop instagram, with a vengeance. so tempted.

Contributor

aaronpk commented Apr 11, 2018

I am curious about tracking down that IndieAuth error though. I'm not sure why the verification response didn't return me, since that's how IndieAuth works. Could be an error on Zegnat's endpoint with something. Maybe the right answer is to better surface or log the error responses during that part of the flow so this is easier to troubleshoot. Now that WordPress is about to get its own built-in IndieAuth endpoint, people using Bridgy will be getting this IndieAuth response from a lot more different sites than just indieauth.com soon.

Owner

snarfed commented Apr 11, 2018

we debugged more and determined that i'm not sending an Accept header or otherwise doing conneg in the code verification request, but i'm expecting a form-encoded response, and @Zegnat's endpoint is returning JSON: {"me":"https:\/\/vanderven.se\/martijn\/"}. the spec also says the response is JSON.

@Zegnat says his endpoint should default to form-encoded though, not JSON: https://gist.github.com/Zegnat/4ad87603bcabbf8e095363df99845e50 . the plot thickens.

Owner

snarfed commented Apr 11, 2018

@Zegnat added logging and reported that i'm sending Accept */* (maybe added by app engine urlfetch), which triggers him to return json. got it. thanks for the sleuthing @Zegnat!
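
The content-type mismatch debugged above, as an added example that is not part of the thread or Bridgy's own code: a verification-response parser that asks for one format explicitly and accepts either the JSON or the form-encoded body. `parse_verification`, `VerificationError` and `VERIFY_HEADERS` are hypothetical names; the bodies it is meant for are the ones quoted in this thread.

```python
import json
from urllib.parse import parse_qs

# Headers for the verification POST: name the wanted format explicitly
# instead of inheriting a client default such as "Accept: */*".
VERIFY_HEADERS = {"Accept": "application/json"}


class VerificationError(Exception):
    """The endpoint rejected the code or returned no usable `me`."""


def parse_verification(content_type, body):
    """Return the `me` URL from an auth code verification response.

    Accepts both body formats seen in this thread: JSON and form-encoded.
    """
    media_type = (content_type or "").split(";")[0].strip().lower()
    fields = {}
    # Trust the declared type, but also sniff for JSON so a missing or
    # wrong Content-Type does not silently yield an empty result.
    if media_type == "application/json" or body.lstrip().startswith("{"):
        try:
            parsed = json.loads(body)
        except ValueError as e:
            raise VerificationError("unparseable JSON body") from e
        if isinstance(parsed, dict):
            fields = parsed
    else:
        # parse_qs returns lists; keep the first value of each field.
        fields = {k: v[0] for k, v in parse_qs(body.strip()).items()}

    if "error" in fields:
        raise VerificationError("endpoint error: %s" % fields["error"])
    me = fields.get("me")
    if not isinstance(me, str) or not me.startswith(("https://", "http://")):
        # Surface the raw body so the failure is easy to troubleshoot.
        raise VerificationError("no usable me in response: %r" % body[:200])
    return me
```

Parsing the JSON body with a form decoder alone yields no fields at all, which is how a valid response ends up looking like one that "doesn't return me".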

Owner

snarfed commented Apr 18, 2018

i updated the signup profile fetch to ignore rate limiting.

snarfed added a commit to snarfed/webutil that referenced this issue Apr 29, 2018

snarfed added a commit to snarfed/webutil that referenced this issue Apr 29, 2018

Owner

snarfed commented Apr 29, 2018

@Zegnat i think this is fixed, so your auth endpoint should work now. feel free to try!

skddc commented Jun 27, 2018

I also have issues authorizing my site. The error message I see after the redirect is:

HTTP Error 400: 400 Bad Request The server could not comply with the request since it is either malformed or otherwise incorrect. IndieAuth verification failed: error=Invalid+auth+code

The URL looks fine to me (includes code=123abc), and the state param is being accepted (i.e. I see an error about invalid state when I change anything about it, but otherwise not).

Owner

snarfed commented Jun 28, 2018

thanks for reporting @skddc, and sorry for the trouble! I'll look into it.

Owner

snarfed commented Jul 1, 2018

looking at the log from one of your indieauth callback requests (link is just for me 😁):

GET /instagram/callback?code=CODE&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti

decoding state "%7B%22endpoint%22%3A%22https%3A%2F%2Fupdates.kip.pe%2Findieauth%2Fauth%22%2C%22me%22%3A%22https%3A%2F%2Fupdates.kip.pe%22%7D"
requests.post https://updates.kip.pe/indieauth/auth {'data': {'me': u'https://updates.kip.pe', 'state': '', 'code': u'CODE, 'client_id': 'https://brid.gy/', 'redirect_uri': 'https://brid.gy/instagram/callback'}}
Error 400, response body: u'400 Bad Request\n\nThe server could not comply with the request since it is either malformed or otherwise incorrect.\n\n IndieAuth verification failed: error=Invalid+auth+code '

...auth code and me do indeed look fine.

Owner

snarfed commented Jul 1, 2018

@skddc here's the auth code verification request bridgy makes, as a curl command:

$ curl -v -d 'me=https%3A%2F%2Fupdates.kip.pe&state=&code=CODE&client_id=https%3A%2F%2Fbrid.gy%2F&redirect_uri=https%3A%2F%2Fbrid.gy%2Finstagram%2Fcallback' https://updates.kip.pe/indieauth/auth
...
< HTTP/1.1 400 Bad Request
...
error=Invalid+auth+code

here's a simplified, more readable version, without the non-standard me and state parameters. same result:

curl -v -d 'code=CODE&client_id=https://brid.gy/&redirect_uri=https://brid.gy/instagram/callback' https://updates.kip.pe/indieauth/auth

i'm replacing CODE with an auth code bridgy got from the callback above from your auth endpoint, 2018-06-27 16:53:32 UTC. this failure may be because the code expired, though, so maybe i can catch you in person to debug together.

Owner

snarfed commented Jul 1, 2018

looks like this may be a bug in known, or at least a bad interaction between it and bridgy. @rikmendes had the same problem with https://rmendes.net/ , also on known.

hey @mapkyca, any tips on how we could debug this? known users are having trouble logging into bridgy (instagram) with their sites' indieauth. details above.

mapkyca commented Jul 3, 2018

Hmm... do we have a record of what's sent to known / getting from known? (I've not got a public instagram, so not tried to replicate)

skddc commented Jul 3, 2018

I could retry it and tell you the exact time and URL of the request if that helps.

Owner

snarfed commented Jul 3, 2018

@mapkyca thanks for looking! you don't actually need an instagram account to repro on https://brid.gy/ , just click the instagram button and then try to log in with indieauth.

the initial redirect from bridgy to known looks like this:

https://updates.kip.pe/indieauth/auth?me=https%3A%2F%2Fupdates.kip.pe&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&redirect_uri=https%3A%2F%2Fbrid.gy%2Finstagram%2Fcallback&client_id=https%3A%2F%2Fbrid.gy%2F

known then redirects back to bridgy with an auth code:

https://brid.gy/instagram/callback?code=CODE&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti

bridgy then tries to verify the auth code - details above in #809 (comment) - which known 400s.
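
The callback URL above, decoded, as an added example that is not part of the thread or Bridgy's own code: it unwraps the doubly URL-encoded `state` and reports whether the `me` the user entered matches the `me` the endpoint appended to the callback. `inspect_callback` and `_canonical` are hypothetical names; `SAMPLE_CALLBACK` is the URL from this comment with its `CODE` placeholder.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Callback URL as quoted in this thread (auth code already replaced by CODE).
SAMPLE_CALLBACK = (
    "https://brid.gy/instagram/callback?code=CODE&state=%257B%2522endpoint"
    "%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth"
    "%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522"
    "%257D&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti"
)


def _canonical(url):
    """Lowercase scheme and host and drop a trailing slash, for comparison."""
    if not isinstance(url, str) or not url:
        return None
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(),
            parts.port, parts.path.rstrip("/"))


def inspect_callback(callback_url):
    """Return (state, callback_me, same_me) for an IndieAuth callback URL.

    state is the JSON object carried in the `state` parameter, callback_me
    is the `me` query parameter, and same_me says whether it equals the
    `me` stored in state (the URL the user originally entered).
    """
    query = parse_qs(urlsplit(callback_url).query)   # first decoding pass
    raw_state = query.get("state", [""])[0]
    try:
        state = json.loads(unquote(raw_state))       # second pass, then JSON
    except ValueError as e:
        raise ValueError("state is not doubly encoded JSON") from e
    if not isinstance(state, dict):
        raise ValueError("state is not a JSON object")
    callback_me = query.get("me", [None])[0]
    entered = _canonical(state.get("me"))
    same_me = entered is not None and entered == _canonical(callback_me)
    return state, callback_me, same_me
```

For the sample URL the entered `me` is the bare domain while the callback `me` is the profile URL, so `same_me` is false.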

mapkyca commented Jul 4, 2018

Hmm... bridgy seems to not like private accounts. I'll see if I can create a new instagram and try again...

Owner

snarfed commented Jul 4, 2018

@mapkyca true, but this bug happens during indieauth, before bridgy looks at your Instagram account at all. if you were able to indieauth with known successfully, then you didn't reproduce the bug. maybe you're on a newer known version that fixed it?

skddc commented Jul 4, 2018

I'm on ec0752d (June 18), if that helps.

mapkyca commented Jul 5, 2018

I wonder if it makes a difference between single user install / multi user installs.. e.g. it'll be hard to auth a single user on a multiuser install if you enter https://example.com/ instead of https://example.com/profile/me

skddc commented Jul 5, 2018

Oh, that actually works. So maybe that's how I did it back when setting it up the first time. Thanks!

Would be nice if people with single-user instances could just use their domain name, of course. My profile does appear on the frontpage, too.

mapkyca commented Jul 5, 2018

If you have a single user install you can use the domain, but you have to explicitly set "single user" mode. This is because that mode puts the user header on the top of the front page, which has all the rel=me links that IndieAuth uses...

skddc commented Jul 5, 2018

That's what I have, and yet it doesn't work.

mapkyca commented Jul 5, 2018

Interesting... so you're saying that https://yoursite.com/profile/skddc works but https://yoursite.com doesn't?

snarfed reopened this Jul 5, 2018

skddc commented Jul 5, 2018

Yes, see my original comment: #809 (comment)

mapkyca commented Jul 9, 2018

Latest code has some more logging, might want to give it a try...

skddc commented Jul 23, 2018

I found out what broke it. See my last comment in the linked Known issue. Thanks again for helping!

Owner

snarfed commented Jul 23, 2018

glad you figured it out!

snarfed closed this Jul 23, 2018
