This repository has been archived by the owner on Mar 8, 2019. It is now read-only.

SSO and Movim authentification issue #21

Open
M5oul opened this issue Feb 16, 2016 · 45 comments

Contributor

M5oul commented Feb 16, 2016

I upgraded from version <= 1.3 to 1.6.1.

I have a private pod.

When I am authenticated on SSOwat and I go to /movim/, I get this error message: "Oups ! Movim n’a pas pu vous authentifier. Vous avez entré des données erronées." Then, after many redirections, I am redirected to movim/?disconnect.
Finally, I can't log in to Movim.

But, when I am not authenticated on SSOwat, I can connect to Movim.

Contributor

src386 commented Feb 16, 2016

Hi, can you please post your:

  • /etc/yunohost/apps/movim/settings.yml (just hide the mysqlpwd and other things you don't want to publish)
  • /var/www/movim/app/controllers/DisconnectController.php

?

Contributor Author

M5oul commented Feb 16, 2016

  • /etc/yunohost/apps/movim/settings.yml:

```yaml
admin: moul
domain:
id: movim
install_time: 1449442613
label: Movim
mysqlpwd:
path: /movim
port: '9537'
ssoenabled: 'Yes'
unprotected_uris: /
update_time: 1455625388
```

  • /var/www/movim/app/controllers/DisconnectController.php:

```php
<?php

class DisconnectController extends BaseController {
    function load() {
        $this->session_only = false;
    }

    function dispatch() {
        // Log the current user out of Movim, then redirect to the default (empty) route.
        $user = new User();
        $user->desauth();
        $this->redirect('');
    }
}
```

Contributor Author

M5oul commented Feb 16, 2016

Finally, I am not sure, I can connect to Movim when I am not authenticated on SSOwat. Strange things happen.

Contributor

src386 commented Feb 16, 2016

Did you try to clear the Firefox cache?

Contributor Author

M5oul commented Feb 16, 2016

I tried F5. It's the same.

Contributor

src386 commented Feb 16, 2016

Ctrl+Shift+Del?

Contributor Author

M5oul commented Feb 16, 2016

After Ctrl+Shift+Del, I can log in to Movim when I am not authenticated on SSOwat.
But, still, I can't log in to Movim when I am authenticated on SSOwat.

Contributor

src386 commented Feb 16, 2016

Is it the same login / domain ?

Contributor Author

M5oul commented Feb 16, 2016

Yep same login and same domain name.

Contributor

src386 commented Feb 19, 2016

I was unable to reproduce the bug ...
Can you run the update again or remove then install movim ?

Contributor Author

M5oul commented Mar 6, 2016

I reinstalled and get a blank page.

Contributor

src386 commented Mar 6, 2016

Ok, this time I can reproduce the bug.
I am investigating...

src386 added the bug label Mar 6, 2016

Contributor

src386 commented Mar 7, 2016

Should be fixed, can you remove then install ? Or just upgrade :

```
yunohost app upgrade movim -u https://github.com/movim/movim_ynh
```

Please let me know

Contributor Author

M5oul commented Mar 7, 2016

The screen is no longer white.
The issue above is still present.


Rayus commented Mar 14, 2016

Same problem here. The problem happens when auto login is on.
Maybe it's related to the administrator login asked at installation: shouldn't it be an XMPP account? Does Movim create an XMPP account linked to the administrator login when installing?

Contributor

src386 commented Mar 15, 2016

@Rayus : The administrator login is internal to Movim, it is not related to an XMPP account (edhelas confirmed).

I am still unable to reproduce the bug, can you run :

```
yunohost app install https://github.com/movim/movim_ynh
```

And paste your answers to the install form? (from "domain" to "movim port").


Rayus commented Mar 15, 2016

@src386 : I uninstalled and installed again with these parameters :

```
Domaine du pod : bourreau.xyz
Chemin du pod (default: /movim) : /movim
Administrateur du pod : jonathan
Mot de passe administrateur : m0v1m
Langue du pod (ar|de|en|es|fr|it|ja|nl|ru) (default: en) : fr
Activer le SSO (connexin auto) ? (Yes|No) (default: Yes) : Yes
Port privé pour Movim ? (interne uniquement) (default: 9537) : 
Exécution du script...
```

... and now I have another issue, the Movim daemon isn't running (or isn't reachable).

*EDIT: I restarted the internet cube and now Movim is running.*

BUT, I still have the auto-login problem: when accessing the "Mo" page from YunoHost, it loads the login page and then automatically displays "Oups ! Le format de l'identifiant n'est pas correct".
Clicking "Back" loads the page again and it reloads... and finally disconnects me (https://bourreau.xyz/movim/?disconnect).

Problem occurs in Firefox and Chrome on Ubuntu.
I hope this helps!

Contributor

src386 commented Mar 16, 2016

Okay, this message should be a warning and does not prevent the login (for me at least).
Do you have a JavaScript blocker?

@alainsanguinetti

Hello, I have a fresh YunoHost install and I am a bit lost. I would like to connect but I am not even sure what username to use? I have tried users that I created on the YunoHost administration page, but any time I try to log in, it redirects me to the disconnect page and it stays blank.

@JimboJoe

I have the exact same problem as @alainsanguinetti.
Here are the relevant logs from syslog :

```
May 14 15:02:34 localhost movim[6291]: #033[0m#033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m : #033[32m268 connected
May 14 15:02:35 localhost movim[6291]: #033[0m#033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m widgets before : 1.6696472 MB
May 14 15:02:35 localhost movim[6291]: #033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m widgets : 2.4941483 MB
May 14 15:02:35 localhost modl[9376]: modl.INFO: s:126:"insert into cache                 (session, name, data, timestamp)                 values (:session, :name, :data, :timestamp)"; [] []
May 14 15:02:35 localhost modl[9376]: modl.INFO: i:1048; [] []
May 14 15:02:35 localhost modl[9376]: modl.INFO: s:31:"Column 'session' cannot be null"; [] []
May 14 15:02:35 localhost movim[9376]: movim.ERROR: Invalid argument supplied for foreach() [] []
May 14 15:02:35 localhost movim[6291]: #033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m : #033[34mlinker launched#033[0m
May 14 15:02:35 localhost movim[6291]: #033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m launched : 3.1815262 MB
May 14 15:02:36 localhost moxl[9376]: moxl.DEBUG: Handler : Memory instance not found for  [] []
May 14 15:02:36 localhost moxl[9376]: moxl.DEBUG: Handler : Not an XMPP ACK [] []
May 14 15:02:36 localhost moxl[9376]: moxl.DEBUG: Handler : Searching a payload for "streamfeatures:", "d9017180bc56364e7ba2bb1e493994b8" [] []
May 14 15:02:36 localhost moxl[9376]: moxl.DEBUG: Handler : This event is not listed [] []
May 14 15:02:36 localhost moxl[9376]: moxl.DEBUG: Handler : Searching a payload for "starttls:urn:ietf:params:xml:ns:xmpp-tls", "b95746de5ddc3fa5fbf28906c017d9d8" [] []
May 14 15:02:36 localhost moxl[9376]: moxl.DEBUG: Handler : Searching a payload for "required:", "ac67ede5a84eb5a1add7ff4440e9a485" [] []
May 14 15:02:36 localhost moxl[9376]: moxl.DEBUG: Handler : This event is not listed [] []
May 14 15:02:36 localhost movim[6291]: #033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m : #033[31mstream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
May 14 15:02:36 localhost movim[6291]: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed#033[0m
May 14 15:02:36 localhost movim[6291]: #033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m : #033[31mlinker killed
May 14 15:02:36 localhost movim[6291]: #033[0m#033[33mceKiiG8M3wrUxNUPB9BGxyNHwpiteEEk#033[0m : #033[31m268 deconnected
May 14 15:02:36 localhost movim[6364]: movim.DEBUG: Locale: Translation key "Route not set for the page %s" not found [] []
May 14 15:02:36 localhost movim[6364]: movim.ERROR: Uncaught exception 'Exception' in /var/www/movim/system/Route.php:92 Stack trace: #0 /var/www/movim/src/Movim/Controller/Base.php(58): Route::urlize('') #1 /var/www/movim/app/controllers/DisconnectController.php(19): Movim\Controller\Base->redirect('') #2 /var/www/movim/src/Movim/Controller/Front.php(43): DisconnectController->dispatch() #3 /var/www/movim/src/Movim/Controller/Front.php(11): Movim\Controller\Front->runRequest('disconnect') #4 /var/www/movim/index.php(58): Movim\Controller\Front->handle() #5 {main}   thrown [] []
```
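
A triage sketch for a syslog excerpt like the one above, added here as an example and not part of the thread or of Movim's code: it strips the `#033[...m` colour-code residue, groups `movim` daemon lines by their 32-character session id, and reports sessions whose linker was killed after a certificate verification failure. The sample lines and session ids are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the syslog excerpt above (session ids are made up).
SAMPLE = """\
May 14 15:02:34 localhost movim[6291]: #033[0m#033[33mAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA#033[0m : #033[32m268 connected
May 14 15:02:35 localhost movim[6291]: #033[33mAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA#033[0m : #033[34mlinker launched#033[0m
May 14 15:02:36 localhost movim[6291]: #033[33mAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA#033[0m : #033[31mstream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
May 14 15:02:36 localhost movim[6291]: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed#033[0m
May 14 15:02:36 localhost movim[6291]: #033[33mAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA#033[0m : #033[31mlinker killed
May 14 15:02:36 localhost movim[6291]: #033[0m#033[33mAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA#033[0m : #033[31m268 deconnected
May 14 15:02:37 localhost movim[6291]: #033[33mBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB#033[0m : #033[32m269 connected
May 14 15:02:38 localhost movim[6291]: #033[33mBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB#033[0m : #033[34mlinker launched#033[0m
"""

ANSI = re.compile(r"#033\[[0-9;]*m")  # ESC of an ANSI colour code, shown by syslog as the text "#033"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (\w+)\[(\d+)\]: (.*)$")
SESSION = re.compile(r"^([A-Za-z0-9]{32})\s+(?::\s+)?(.*)$")

def timelines(text):
    """Group movim daemon messages by session id; continuation lines follow the pid's last session."""
    per_session, last_by_pid = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) != "movim":
            continue
        pid, msg = m.group(2), ANSI.sub("", m.group(3)).strip()
        s = SESSION.match(msg)
        if s:
            sid, event = s.groups()
            last_by_pid[pid] = sid
        elif pid in last_by_pid:  # e.g. the OpenSSL "error:..." line, which carries no session id
            sid, event = last_by_pid[pid], msg
        else:
            continue
        per_session.setdefault(sid, []).append(event)
    return per_session

def tls_killed_sessions(text):
    """Return session ids whose linker was killed after a certificate verification failure."""
    hits = []
    for sid, events in timelines(text).items():
        failed = next((i for i, e in enumerate(events) if "certificate verify failed" in e), None)
        if failed is not None and any("linker killed" in e for e in events[failed:]):
            hits.append(sid)
    return hits

if __name__ == "__main__":
    print(tls_killed_sessions(SAMPLE))
```
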

@alainsanguinetti

I managed to solve this issue using a certificate issued by StartSSL and following the instructions to add the root certificate and the intermediate certificate while the yunohost wiki only says to install the intermediate certificate.

@JimboJoe

I set up a Let's Encrypt certificate, and the problem is gone!
Thanks a lot @alainsanguinetti!

Contributor Author

M5oul commented May 14, 2016

@alainsanguinetti, could you do a pull request for the fr/en certificates pages?
Thanks.

@alainsanguinetti

Sure, here it is:
YunoHost/doc#370
Let me know if I need to improve it. I'm still a beginner in github and git.

Contributor Author

M5oul commented May 15, 2016

I tried what is in the pull request and it did not solve the issue.

@alainsanguinetti

Maybe it just works for StartSSL and cacert ?

Contributor Author

M5oul commented May 16, 2016

I am using a StartSSL certificate.

@alainsanguinetti

What do you mean by "it" is not working ? I had to restart nginx to take the modifications into account.

Contributor Author

M5oul commented May 16, 2016

I mean it does not solve this issue.
I have also changed certs rights and reloaded/restarted Nginx.

Contributor Author

M5oul commented Jul 16, 2016

With a Let's Encrypt certificate:

  • with auto-login SSO: I could reproduce the issue
  • without auto-login SSO: I can't reproduce the issue

Contributor Author

M5oul commented Jul 28, 2016

Should we remove (or not set as default) auto-login, which isn't working?

Contributor

src386 commented Jul 31, 2016

SSO auto-login is required for a yunohost app (at least to be present in the unofficial list).


jellium commented Feb 7, 2017

I have just tried to install Movim using my default YunoHost domain with or without auto-login, as well as using a subdomain from my YunoHost configuration, likewise with or without auto-login.
In the end: I could never connect to Movim, I always end up being disconnected and brought back to the main YunoHost SSO login page.

Contributor

src386 commented Feb 7, 2017

Without auto-login, can you access the login page ?


jellium commented Feb 9, 2017

Without auto-login (similarly to with auto-login), the only thing I can access is the login page. And when I try to log in with any possible login/password I can imagine, the CONNECT button turns into CONNECTING and then I am disconnected from the SSO after a few seconds.

Contributor

src386 commented Feb 9, 2017

Hm, that's weird, there is technically no "CONNECT" button (replaced by "COME IN !").
Maybe your movim_ynh is not up to date, can you run :

```
yunohost app upgrade movim -u https://github.com/movim/movim_ynh
```

Then try again to log in ?


jellium commented Feb 9, 2017

There is some improvement!
I am sorry for my mistake in my previous post, it was indeed COME IN! replaced by CONNECTING and then disconnect.

I reinstalled Movim with auto-login. Here is what I am encountering now:

  • First I login with YunoHost SSO.
  • Then I start Movim: I am brought to the login page and can choose my account. I have to enter my password (problem here?)
  • Then I am successfully logged in (great!).
  • Finally, if I disconnect from Movim (with the bottom left-hand corner link), I get disconnected from the YunoHost SSO.

Do you want me to try an installation without auto-login? (I assume it should behave identically as above described, perhaps without SSO disconnection when clicking on Movim's disconnect button -- I don't know).

Thanks for your quick reaction anyway!

Contributor

src386 commented Feb 9, 2017

I think this is normal behavior, I will try to reproduce this on my YunoHost/Movim server ;)

Contributor

src386 commented Feb 9, 2017

Indeed, when you Disconnect from Movim, you get Disconnected from Yunohost. But this is the same behavior in Roundcube (official app). I think the reason is :

  • When you disconnect from Movim, you are redirected to the login page
  • Yunohost/SSO will detect that you are currently in the Movim login page, then log you automatically again.... resulting in not being able to disconnect from Movim.

So the solution was to disconnect from Yunohost to avoid being connected again. Don't know if it's clear ;)


jellium commented Feb 9, 2017

OK it's a normal behavior to be disconnected from SSO with the Movim's disconnect button (similarly to Roundcube, as you mention).

However, there must be an issue with the SSO authentication propagation to Movim:

For example, if I login within YunoHost SSO with account A, and start Movim. I am brought to Movim's login page and type the password associated to the already filled address and password to login to Movim. Then I disconnect from Movim/SSO with the Movim's disconnect button.
After that, I login with YunoHost SSO with account B and start Movim. I am suggested to login with the address of account A (and not B as it should be with "auto-login").

I can in fact indifferently login with address A or B in Movim, whatever the connection used within SSO authentication.

Contributor

src386 commented Feb 9, 2017

Seems like a Firefox/Chrome behavior (it's the same URL so it remembers the credentials).
SSO will NOT make any password appear in the login page.


jellium commented Feb 9, 2017

Sure, it might be the browser which stores the previously entered login/pass in its keyring or so.

But why am I prompted to login by Movim in the first place, since I just logged in with YunoHost? Once logged in under YunoHost SSO authentication, I would expect to be directly connected to my corresponding Movim account (just like for Nextcloud or Roundcube), not even being allowed to log in with other credentials.

Thanks for your time and involvement by the way!

@JimboJoe

@jellium with latest version, if you login on YunoHost SSO, then start Movim, you see the Movim login page, but only temporarily: if you wait, you'll get directly to the application without typing anything. Can you confirm that?


jellium commented Apr 17, 2017

@JimboJoe I just upgraded Movim and tried. After logging in with YunoHost SSO, I clicked on the Movim square and ended up on the Movim login page prefilled with my YunoHost credentials. Nothing else happens.

From the Firefox console, I can see among the last actions and comments GET https://domain.tld/ws with SSO login headers and so on, for which the Raw Data line in the Answer tab is empty. This console entry is followed by "Connection established!".

Let me mention that I use Movim on another domain name than my YunoHost install domain.

@JimboJoe

It's working OK for me on domain root. Is movim installed on a domain subdirectory? If yes could you please try at a domain root?

I just tried installing in a domain subdirectory in a VM and I'm redirected to the Movim login page with the user pre-filled... and then to the YunoHost SSO credential page with the mention "Disconnected"... :-/
There's definitely something going wrong here...
