Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: "Failed to validate AccessToken, please re-check your token or backend URL" #256

Closed
paulcalabro opened this issue Feb 26, 2024 · 8 comments
Closed

Bug: "Failed to validate AccessToken, please re-check your token or backend URL" #256

paulcalabro opened this issue Feb 26, 2024 · 8 comments
Assignees
@victorbalssa
Labels
bug Something isn't working
Milestone
0.13.0

Comments

@paulcalabro
Copy link

Describe the bug
Receiving the following error message when logging in using a Personal Access Token:

Failed to validate AccessToken, please re-check your token or backend URL

To Reproduce
Steps to reproduce the behavior:

  1. Go to "Credentials" -> "Add Credential"
  2. Fill in URL, select "User Personal Access Token"
  3. Enter access token
  4. See error

Expected behavior
Arrive at landing page

Screenshots
N/A

Smartphone (please complete the following information):

  • Device: iPhone 11
  • OS: iOS 17.4
  • Version 0.12.4

Additional context
N/A
@paulcalabro paulcalabro added the bug Something isn't working label Feb 26, 2024
@paulcalabro
Copy link
Author

abacus/src/components/Screens/CredentialCreateScreen.tsx

Line 91 in 8e1ca67

translate('oauth_wrong_token_error_description'),

@victorbalssa victorbalssa added this to the 0.13.0 milestone Feb 27, 2024
@victorbalssa
Copy link
Owner

victorbalssa commented Mar 2, 2024
edited
Loading

Hey @paulcalabro,

Was PAT working before 0.12.4? can you retry with a new PAT again?

I'm also trying to narrow down the login issues others can have (#257): Can you try to connect to this demo instance: https://demo.firefly-iii.org/ ? it will help me determine if it's really Abacus 0.12.4 with some iPhone configurations.

Do you use the latest FireflyIII version? (6.1.9)

Last thing, if you have access to an android, (if you can you replicate the same error on android)?

Thanks

@paulcalabro
Copy link
Author

paulcalabro commented Mar 4, 2024
edited
Loading

Hey @victorbalssa,

Here's the answers to your questions

  • It was working before 0.12.4.
  • IIRC, I could only use PAT because I use Authelia.
  • I tried several times with a new PAT and it did not work.
  • I tested and was able to log into https://demo.firefly-iii.org/ with a new PAT.
  • Yep, I'm on 6.1.9.
  • Unfortunately, I don't have an Android phone to test with.

I set up Burp Suite to act as a Proxy in between my phone and Firefly III.
I noticed if I clicked on "Create a new Personal Access token on OAuth tab, here: <URL>" I saw traffic to the proxy.
If I clicked on "Log in" (same URL, with a PAT), I saw no traffic to the proxy.
If I used an IP address and a NC listener, I saw traffic.

@victorbalssa
Copy link
Owner

Thank you @paulcalabro, it will help me a lot, I suspect the last build to block some specific LAN traffic on IOS.
I will replicate it on a raspberry pi, and keep you posted.

@paulcalabro
Copy link
Author

paulcalabro commented Mar 4, 2024
edited
Loading

@victorbalssa

You're welcome!

Given I could send traffic to a netcat listener (e.g. 192.168.68.123 on port 1234") and see traffic, I don't think it's necessarily blocking LAN traffic.

e.g.

  • Spin up a NC listener:
$ docker run -p 1234:1234 -it --rm alpine /bin/sh -c "nc -l -p 1234"
  • Click the "Login" button.
  • Review traffic at listener or in Burp Suite:
GET /api/v1/about/user HTTP/1.1
Host: 192.168.68.123:1234
Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Abacus/0.12.4 CFNetwork/1494.0.6 Darwin/23.4.0
Accept-Language: en-US,en;q=0.9
Authorization: Bearer fake123
Accept-Encoding: gzip, deflate

Initially, I was thinking what was happening and what could explain for the difference in behavior is name resolution:

  • Scenario 1: 192.168.68.123 as a server requires no DNS lookup
  • Scenario 2: my-server.home.arpa is resolved locally using a local DNS resolver (e.g. Pi-hole)
  • Scenario 3: demo.firefly-iii.org is resolved recursively using upstream DNS resolvers (e.g. 8.8.8.8)

As I started to examining the DNS logs on my Pi-hole, I noticed something interesting: I couldn't see DNS queries being made for HTTP traffic:

signal-2024-03-04-161640_002

signal-2024-03-04-161640_003

Screenshot 2024-03-04 161443

Maybe something expects TLS and is silently failing?

@paulcalabro
Copy link
Author

paulcalabro commented Mar 5, 2024
edited
Loading

@victorbalssa

Okay, I was able to resolve my issue! 🥳
It looks like it is related to TLS.

For those experiencing the same issue, the tl;dr is I created a local CA, created a cert issued by that CA, and deployed the CA cert to my phone and computer. I then configured Traefik to use the cert issued by the CA.

Helpful resources:

Sample v3.ext:

extendedKeyUsage = serverAuth
subjectAltName   = DNS:<FQDN>

Things that the first link doesn't cover OTB:

  • the required SAN
  • the ExtendedKeyUsage extension
  • make sure the validity period is 825 days or fewer

So I think what's broken is the ability to NOT use TLS.

@paulcalabro paulcalabro mentioned this issue Mar 5, 2024
Closed
@victorbalssa
Copy link
Owner

victorbalssa commented Mar 5, 2024
edited
Loading

This makes a lot more sense to me! 🎉

I will create a new version with the ability to use TLS AND unsecured http,

Thanks again @paulcalabro 💯

@victorbalssa victorbalssa mentioned this issue Mar 9, 2024
Merged
@victorbalssa
Copy link
Owner

Done in 0.13.2.
Let me know if there is still an issue with this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@victorbalssa victorbalssa

Labels
bug Something isn't working
Projects
Abacus
Status: Done
Milestone
0.13.0
Development

No branches or pull requests
2 participants
@paulcalabro @victorbalssa