
User with multiple providers gets invalid login credential except the latest provider he/she registered. #298

Closed
Permagate opened this issue Jul 9, 2015 · 2 comments

Comments

@Permagate

Here is the scenario (I'm using ng-token-auth):

  1. User A registers on my site with a standard email/password registration. In the database, User A is created with the 'email' provider.
  2. Then, User A tries to log in to my site with a custom OAuth provider (with doorkeeper). In the database, User A is now created again with the 'mydoorkeeper' provider.
  3. Now, every time User A logs in with the OAuth provider, it works. Then, when the user refreshes the browser, it still works too (basically, it passes the token validation check).
  4. If User A logs in normally without OAuth, it works. But if the user refreshes the browser, the token validation check fails because of invalid login credentials.

Do you have any idea why this is happening?

EDIT: Some additional information.

Version:

  • 0.1.31 for devise token auth
  • ~0.0.25 for ng-token-auth

Request headers: (for validate_token in step 4)

GET /jojo/api/v1/tenant/tenant_auth/validate_token HTTP/1.1
Host: localhost:3000
Connection: keep-alive
Cache-Control: max-age=0
Origin: http://localhost:4444
access-token: 3O4TZOcGmlBQZQ1la6A3KQ
client: BdypeJIyQjvV5EwJhXOoMQ
uid: [email protected]
Accept: application/json, text/plain, */*
expiry: 1437633667
If-Modified-Since: Mon, 26 Jul 1997 05:00:00 GMT
token-type: Bearer
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Referer: http://localhost:4444/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

Response headers: (for validate_token in step 4)

HTTP/1.1 401 Unauthorized
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: http://localhost:4444
Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT
Access-Control-Expose-Headers: access-token, expiry, token-type, uid, client
Access-Control-Max-Age: 1728000
Access-Control-Allow-Credentials: true
Vary: Origin
Cache-Control: no-cache
X-Request-Id: 21ba5dbe-6b85-4c5e-9afb-03650008c66b
X-Runtime: 0.037124
Transfer-Encoding: chunked

Rails Stacktrace

Started GET "/jojo/api/v1/tenant/tenant_auth/validate_token" for 10.0.2.2 at 2015-07-09 13:41:10 +0700
Cannot render console from 10.0.2.2! Allowed networks: 127.0.0.1, ::1, 127.0.0.0/127.255.255.255
CURRENT SCHEMA: jojo
Processing by DeviseTokenAuth::TokenValidationsController#validate_token as HTML
  Parameters: {"subdomain"=>"jojo"}
  TenantUser Load (0.6ms)  SELECT  "tenant_users".* FROM "tenant_users" WHERE "tenant_users"."uid" = $1 LIMIT 1  [["uid", "[email protected]"]]
Completed 401 Unauthorized in 4ms (Views: 0.3ms | ActiveRecord: 0.6ms)

FYI, there are two tenant_users rows with uid = [email protected] in the database, but the provider column is different.

Environmental Info

  • I'm using Rails as the API with AngularJS for the frontend. They are served by different web servers.
  • The OAuth provider is a custom one built with Doorkeeper.
  • The routing is pretty weird since I have to implement multi-tenancy without relying on subdomain, but the routing should not be a problem.
  • I'm using ng-token-auth.
  • The database is PostgreSQL.

Let me know if you need anything else.
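As an added illustration of the failure mode (this is not code from devise_token_auth, ng-token-auth or the reporter): the Rails log above loads the user with `WHERE "tenant_users"."uid" = $1 LIMIT 1`, that is, by uid alone, even though two rows share that uid and differ only in `provider`. The request headers carry `uid`, `client` and `access-token` but no provider, so the server has nothing but the uid to pick a row with, and whichever row the database happens to return is the only one whose tokens can ever validate. The Ruby below models that in memory with a constructed two-row table (the e-mail address, client ids, tokens and the `USERS` table are all made up; SHA-256 stands in for whatever hash the real library stores) and shows one way to disambiguate using the per-session `client` id that the request already sends.

```ruby
require 'digest'

# Constructed stand-in for the reporter's tenant_users table: two rows share the
# uid (the e-mail address) and differ only in provider, the state the issue
# describes. Address, client ids and tokens are made up for this example.
NOW = 1_437_000_000
EMAIL_TOKEN = 'token-issued-to-the-email-session'
OAUTH_TOKEN = 'token-issued-to-the-oauth-session'

# SHA-256 stands in for whatever password-style hash the real library stores;
# the point of the example is the lookup key, not the hash.
def hash_token(token)
  Digest::SHA256.hexdigest(token)
end

# Compare two same-length digests without leaking where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

USERS = [
  { id: 1, uid: 'user@example.com', provider: 'email',
    tokens: { 'client-email' => { token_hash: hash_token(EMAIL_TOKEN), expiry: NOW + 3600 } } },
  { id: 2, uid: 'user@example.com', provider: 'mydoorkeeper',
    tokens: { 'client-oauth' => { token_hash: hash_token(OAUTH_TOKEN), expiry: NOW + 3600 } } },
].freeze

# Models the query in the Rails log: WHERE uid = $1 LIMIT 1, provider ignored.
# With no ORDER BY the database promises nothing about which of the two rows
# comes back; the issue reports the most recently registered provider winning,
# so the newest row is returned here to reproduce that observation.
def find_by_uid_only(users, uid)
  users.select { |u| u[:uid] == uid }.last
end

# One way to disambiguate without adding a request header: the client id is
# generated per session, so among the rows sharing a uid only the row that
# issued this session's token holds an entry for that client.
def find_by_uid_and_client(users, uid, client)
  users.find { |u| u[:uid] == uid && u[:tokens].key?(client) }
end

# Token check shared by both lookups: the chosen row must know the client, the
# stored token must be unexpired, and its hash must match the presented token.
def token_valid?(user, client, token, now)
  return false if user.nil?
  entry = user[:tokens][client]
  return false if entry.nil? || entry[:expiry] <= now
  constant_time_equal?(entry[:token_hash], hash_token(token))
end

# headers uses the same names as the captured request: uid, client, access-token.
def validate_uid_only(headers, now = NOW)
  user = find_by_uid_only(USERS, headers['uid'])
  token_valid?(user, headers['client'], headers['access-token'], now)
end

def validate_by_client(headers, now = NOW)
  user = find_by_uid_and_client(USERS, headers['uid'], headers['client'])
  token_valid?(user, headers['client'], headers['access-token'], now)
end

EMAIL_SESSION = { 'uid' => 'user@example.com', 'client' => 'client-email', 'access-token' => EMAIL_TOKEN }.freeze
OAUTH_SESSION = { 'uid' => 'user@example.com', 'client' => 'client-oauth', 'access-token' => OAUTH_TOKEN }.freeze

if $PROGRAM_NAME == __FILE__
  puts "uid-only lookup, OAuth session:      #{validate_uid_only(OAUTH_SESSION)}"  # true
  puts "uid-only lookup, email session:      #{validate_uid_only(EMAIL_SESSION)}"  # false: the 401 in the issue
  puts "client-scoped lookup, email session: #{validate_by_client(EMAIL_SESSION)}" # true
end
```

The structural point is that `uid` is not a key for this table once a user can exist under more than one provider; the lookup has to include something that singles out one row, either the provider (which the client would then have to send) or, as here, the per-session client id that is already in the request. Scoping the lookup that way also guarantees the presented token is checked against the row that actually issued it rather than against a sibling row's token set.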

@konpa

konpa commented Apr 6, 2016

Same problem here. Did you manage to find the cause?

@zachfeldman
Contributor

Hi there @Permagate ,

In an effort to clean up this project and prioritize a bit, we're marking issues that haven't had any activity in a while with a "close-in-7-days" label. If we don't hear from you in about a week, we'll be closing this issue. Obviously feel free to re-open it at any time if it's the right time or this was done in error!

If you are still having the issue (especially if it's a bug report) please refer to our new Issue Template to provide some more details to help us solve it.

Hope all is well.
