work notes

the user who can't log in to my app got my e-mail and tried logging in again. I found this error in my log:

error: Error: failed to find request token in session
    at OAuthStrategy.authenticate (/app/node_modules/passport-oauth/lib/passport-oauth/strategies/oauth.js:122:54)
    at attempt (/app/node_modules/passport/lib/passport/middleware/authenticate.js:243:16)
    at Passport.authenticate (/app/node_modules/passport/lib/passport/middleware/authenticate.js:244:7)
    at callbacks (/app/node_modules/express/lib/router/index.js:272:11)
    at param (/app/node_modules/express/lib/router/index.js:246:11)
    at pass (/app/node_modules/express/lib/router/index.js:253:5)
    at Router._dispatch (/app/node_modules/express/lib/router/index.js:280:5)
    at Object.middleware [as handle] (/app/node_modules/express/lib/router/index.js:45:10)
    at Context.next (/app/node_modules/express/node_modules/connect/lib/http.js:204:15)
    at Context.actions.pass (/app/node_modules/passport/lib/passport/context/http/actions.js:77:8)

if we look at passport-oauth/strategies/oauth.js:122, we see:

if (!req.session[self._key]) { return self.error(new Error('failed to find request token in session')); }

After reading a comment above this line, I think I understand what is going on:
- the app got a request token and secret from oDesk
- the app directed the user to oDesk's site with the request token, and a return url
- the user authenticated the app on oDesk, and was redirected to the given url
- oDesk appended query parameters to the redirect link including the request token and verifier
- now the code in oauth.js is going to fetch the access token from oDesk
- BUT, it needs three things: a request token (included as query parameter from oDesk), a verifier (also included in query parameter), and the secret. The secret is not sent back from oDesk. It's secret. My app is supposed to know it already. My app.. or rather the module I'm using.. keeps the secret in a session. The above is verifying that it's in the session, but it isn't.

How could that be?
- maybe they don't have cookies enabled? I tried disabling cookies, and I couldn't log into oDesk itself in order to verify the app. I know this user was able to verify the app, because the code above only runs after oDesk redirects the user back to my site, which happens after they verify the app, so they must have logged into oDesk.. so they must have cookies.
- maybe cookies are disabled just for my site? Unlikely. I don't see an easy way to enable cookies just for certain sites.
- I feel like it might reveal something to see their session.. I think I'll ask them for it. I need instructions for them to give it to me. How about:

1. copy-paste "chrome://settings/cookies" into the address bar and press enter
2. in the search box where it says "Search cookies", type "heroku"
3. look for an item in the list beginning with "random-name-6789" and click on it
4. a little bubble should appear beneath where it says "1 cookie" that says "connect.sid", click on that
5. now highlight all the text that appears in the box, by clicking the mouse just to the left of "Name" and dragging down and to the right, until everything above the "Remove" button is highlighted.
6. copy it, and paste it into this e-mail and send it to me.

ok, sent.. we'll see what comes of that..

hm.. now that I've sent that e-mail, I could probably have made it easier on them to have them log in again, and I could record their session id in the log.. or could I? I'd like to modify the code above, but I'm not sure that will work exactly when I check it into Heroku.. maybe it will..

or maybe I could log session ids for all errors.. yes, that seems better..
