Unauthorized 401 Error Prevents Complete Security Reset (Security Settings -> Complete Security) #7838

Closed
rumz26 opened this issue Sep 3, 2024 · 1 comment · Fixed by #7874
Labels
T-Defect Something isn't working: bugs, crashes, hangs and other reported problems


rumz26 commented Sep 3, 2024

Steps to reproduce

  1. Where are you starting? What can you see?
    I navigate to the Settings section and then select Security. From here, I can see the Complete Security option.

  2. What do you click?
    I click on the Reset button under the Complete Security section.

  3. More steps…
    After clicking Reset, an alert appears with the error message: "Request failed, unauthorized 401."

Outcome

What did you expect?

I expected the reset process under Complete Security to complete successfully without any errors.

What happened instead?

element-iOS-401.mov

Instead, I received an alert with the error message: "Request failed, unauthorized 401."

Your phone model

iPhone 14

Operating system version

17.5

Application version

1.11.17

Homeserver

matrix.org

Will you send logs?

No

@rumz26 rumz26 added the T-Defect Something isn't working: bugs, crashes, hangs and other reported problems label Sep 3, 2024

NicolasBuquet commented Sep 18, 2024

In fact, the process is composed of 2 HTTP requests:

  • 1st request without any keys waits for return info about the authentication state of the client
    • no info: the client is authenticated and can process
    • JSON info about the authentication flows supported: the client must reauthenticate
  • 2nd request: the real request with the keys in the params parameter.

The reauthentication takes place if necessary between the 2 requests.

Actually, the backend responds to the 1st request with a success code 200 but without any payload in JSONResponse about the authentication flows, telling the client that it can process without reauthenticating.

When the client tries the real request, the backend rejects it with an error 401 and with a payload containing the available authentication flows:

[MXHTTPClient] Request 0x600001753040 failed for path: _matrix/client/unstable/keys/device_signing/upload - HTTP code: 401. Error: Error Domain=com.alamofire.error.serialization.response Code=-1011 "Request failed: unauthorized (401)" UserInfo={NSLocalizedDescription=Request failed: unauthorized (401), NSErrorFailingURLKey=https://matrix.<domain>/_matrix/client/unstable/keys/device_signing/upload, com.alamofire.serialization.response.error.data={length = 92, bytes = 0x7b227365 7373696f 6e223a22 767a534b ... 616d7322 3a7b7d7d }, com.alamofire.serialization.response.error.response=<NSHTTPURLResponse: 0x600000329e40> { URL: https://matrix.<domain>/_matrix/client/unstable/keys/device_signing/upload } { Status Code: 401, Headers {
    "Access-Control-Allow-Headers" =     (
        "X-Requested-With, Content-Type, Authorization, Date"
    );
    "Access-Control-Allow-Methods" =     (
        "GET, HEAD, POST, PUT, DELETE, OPTIONS"
    );
    "Access-Control-Allow-Origin" =     (
[MXHTTPClient] Error JSONResponse: {
    flows =     (
                {
            stages =             (
                "m.login.password"
            );
        }
    );
    params =     {
    };
    session = <...>;
}

Can the bad answer from the 1st request be linked to this backend issue: element-hq/synapse#16943 ?

@giomfo @stefanceriu
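
The two-request flow described in the comment above, as an added Python sketch that is not Element iOS or Synapse code: it shows a client treating a 401 challenge on the second request as a reauthentication prompt and retrying once, even when the first request returned an empty 200. The function names, the constructed backend, the session value and the simplified auth dict are assumptions made for illustration.

```python
import json

def parse_uia_challenge(status, body):
    """Return (session, stage lists) for a 401 challenge carrying flows, else None."""
    if status != 401:
        return None
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    session, flows = data.get("session"), data.get("flows")
    if not session or not isinstance(flows, list):
        return None
    return session, [f.get("stages", []) for f in flows if isinstance(f, dict)]

def upload_signing_keys(send, keys, reauthenticate):
    """send(payload) -> (status, body); reauthenticate(session, flows) -> auth dict."""
    auth = None
    challenge = parse_uia_challenge(*send({}))       # request 1: probe, no keys
    if challenge:
        auth = reauthenticate(*challenge)
    payload = dict(keys, auth=auth) if auth else dict(keys)
    status, body = send(payload)                     # request 2: real upload
    challenge = parse_uia_challenge(status, body)
    if challenge and auth is None:
        # The probe reported "no reauthentication needed" but the upload was
        # challenged: reauthenticate once and retry instead of failing.
        status, body = send(dict(keys, auth=reauthenticate(*challenge)))
    return status

def constructed_backend(payload):
    """Constructed stand-in for the reported behaviour: empty 200 on the probe."""
    if not payload:
        return 200, ""
    auth = payload.get("auth") or {}
    if auth.get("session") == "constructed-session" and auth.get("type") == "m.login.password":
        return 200, "{}"
    return 401, json.dumps({"flows": [{"stages": ["m.login.password"]}],
                            "params": {}, "session": "constructed-session"})

def constructed_reauth(session, flows):
    # A real client would prompt the user; the password is a placeholder and
    # the user identifier is omitted to keep the sample short.
    assert ["m.login.password"] in flows
    return {"type": "m.login.password", "session": session, "password": "<placeholder>"}
```

The retry happens at most once, so a rejected reauthentication still surfaces the 401 to the caller instead of looping.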
