Cannot get passwords on the Android App

Hello everyone, today I have updated my Passbolt to the latest version (v3.4.0) and followed the steps described here in order to activate the mobile plugin and begin testing the official app on Android.

Everything went well when updating, following the steps and configuring the app with the given QR codes, but when I log in to the app, it always shows a “Something went wrong!” message and doesn’t show any passwords or any other information.

I saw the following entries in the error.log file on the server (note that I have changed the IP for XX and the path is edited with $user and $domain):

2021-12-09 12:26:13 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /home/$user/domains/$domain/public_html/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: XX.XX.XX.XX


2021-12-09 12:27:45 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /home/$user/domains/$domain/public_html/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: XX.XX.XX.XX


2021-12-09 12:27:53 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /home/$user/domains/$domain/public_html/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: XX.XX.XX.XX


2021-12-09 12:28:30 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /home/$user/domains/$domain/public_html/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: XX.XX.XX.XX


2021-12-09 12:28:37 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /home/$user/domains/$domain/public_html/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: XX.XX.XX.XX

I don’t know if it is something I did wrong or if it is a bug. If you need more information, do not hesitate to ask and I will try to provide it.

Thank you in advance for reading and trying to solve it.

1 Like

Hi @Termindiego25,

Are you using SSL on your server?
If so

  • Is it a self-signed certificate? → You need to add your CA cert to your device
  • LetsEncrypt?
  • Other authority?

Navigate to your passbolt server using your browser in order to check if the connection is secure from your phone to your instance

Let us know,
Max

Hi @max ,
I’m using SSL and LetsEncrypt for signing the certificate. I checked the connection navigating using my browser and it shows the padlock as secure. Also, executing the healthcheck tool it shows all tests passed without errors. Attached is a screenshot of the page with the secured padlock and the screen of the app with the error

Could it be possible to execute this command on your server:

sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/status-report"

The first one is in dry-run because if you manage to display your data with the browser extension but not with the mobile that means that there is a bug on mobile side when there is a discrepancy in the data. So your feedback is very important to us.
Thanks for your time!

Best,
Max

EDIT: just use the status-report since this one includes the cleanup and datacheck

Same issue and same setup for me. I’m also using LetsEncrypt. Web client works fine, but Android app fails with “Something went wrong!” and I’m seeing the same UnauthenticatedException exception in the “error.log” file.

In the data check I see a couple of issues with AuthenticationTokens, but have no idea how to fix it.

Data check shell
[FAIL] Data integrity for AuthenticationTokens.
  [FAIL] Can validate: 432/440
    [FAIL] Validation failed for authenticationToken 03e6f69a-fd79-4889-9de6-b862b28b1f93. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}
    [FAIL] Validation failed for authenticationToken 366340dd-3ffa-4273-8ede-59862ccb8e90. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}
    [FAIL] Validation failed for authenticationToken 70f2d11a-d216-4882-9baf-3cf8a678caa4. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}
    [FAIL] Validation failed for authenticationToken bc4333d6-7b29-4e6b-a2f1-b073fdf156f7. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}
    [FAIL] Validation failed for authenticationToken c6e74704-6198-415e-ac1f-fea2f19e8cee. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}
    [FAIL] Validation failed for authenticationToken c740fcea-6c0a-473c-b88a-b7371ba55379. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}
    [FAIL] Validation failed for authenticationToken da9498cd-b5a0-4238-934e-a30b181b86bd. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}
    [FAIL] Validation failed for authenticationToken f6835caa-5985-41cb-afa4-cf45b981e2ba. {"type":{"type":"The type should be one of the following: register, recover, login, mfa, mobile_transfer, refresh_token, verify_token."}}

Hello again @max and sorry for the late reply, I did not receive the notification in my email.
I tried to execute the command you told me and it gave me these errors:

$ sudo "/$path/bin/status-report" $user

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Passbolt CE 3.4.0
Cakephp 4.2.9
Linux $hostname 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
PHP 7.3.31-1~deb10u1 (cli) (built: Oct 24 2021 15:18:08) ( NTS )
mysql  Ver 15.1 Distrib 10.3.31-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Composer 1.8.4 2019-02-11 10:52:10

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.31-1~deb10u1.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://pbt.diegosr.es
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /$path/.gnupg.
 [PASS] The directory /$path/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (3.4.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /$path/config/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [PASS] No error found. Nice one sparky!


     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Cleanup shell (dry-run)
-------------------------------------------------------------------------------
No issue found, data looks squeaky clean!

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Data check shell
[PASS] Data integrity for AuthenticationTokens.
  [PASS] Can validate: 53/53
[PASS] Data integrity for Comments.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Favorites.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Gpgkeys.
  [PASS] Can encrypt: 1/1
  [PASS] Can validate: 1/1
[PASS] Data integrity for Groups.
  [PASS] Can validate: 0/0
[PASS] Data integrity for Profiles.
  [PASS] Can validate: 1/1
[PASS] Data integrity for Resources.
  [PASS] Can validate: 32/32
[PASS] Data integrity for Secrets.
  [PASS] Can validate: 29/29
[PASS] Data integrity for Users.
  [PASS] Can validate: 1/1
Request URL: /auth/is-authenticated.json
Client IP: $ip


2021-12-11 12:07:16 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: $ip


2021-12-11 19:49:25 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/wp-load.php" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /wp-load.php?daksldlkdsadas=1
Client IP: 45.90.219.64


2021-12-11 22:36:49 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: $ip


2021-12-13 08:04:18 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 80.24.120.222


2021-12-13 20:38:00 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/robots.txt" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /robots.txt
Client IP: 66.249.66.132


2021-12-14 04:16:08 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Client IP: 104.219.251.41


2021-12-14 09:51:07 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 80.24.120.222


2021-12-14 13:53:57 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Client IP: 212.192.241.93


2021-12-14 13:53:59 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Client IP: 212.192.241.93


2021-12-14 13:54:00 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
Client IP: 212.192.241.93


2021-12-14 18:48:41 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: $ip


2021-12-15 01:49:51 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/.env" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /.env
Client IP: 23.146.241.19


2021-12-15 09:43:04 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 80.24.120.222


2021-12-15 12:53:29 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: $ip


2021-12-15 20:49:07 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: $ip


2021-12-16 21:32:07 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/robots.txt" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /robots.txt
Client IP: 138.246.253.24


2021-12-17 15:35:01 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/" could not be found. in /$path/vendor/cakephp/cakephp/src/Routing/RouteCollection.php on line 199
Request URL: /
Referer URL: https://www.bing.com
Client IP: 178.62.98.101


2021-12-17 18:25:00 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: $ip


2021-12-17 18:25:08 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /$path/vendor/cakephp/authentication/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: $ip
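The error.log excerpts in this thread mix rejected API calls from the mobile app with requests for routes that do not exist on a Passbolt server. As an added example (not part of the original posts or of Passbolt), this sketch parses that entry layout and separates the two groups per client and path; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the layout of the error.log excerpts in this thread;
# paths are shortened and client addresses are documentation placeholders.
SAMPLE_LOG = r"""2021-12-17 18:25:00 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /path/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: 192.0.2.10

2021-12-17 18:25:08 Error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /path/AuthenticationComponent.php on line 177
Request URL: /resources.json?contain%5Bpermission%5D=1
Client IP: 192.0.2.10

2021-12-17 15:35:01 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/" could not be found. in /path/RouteCollection.php on line 199
Request URL: /
Referer URL: https://www.example.com
Client IP: 198.51.100.7

2021-12-15 01:49:51 Error: [Cake\Routing\Exception\MissingRouteException] A route matching "/.env" could not be found. in /path/RouteCollection.php on line 199
Request URL: /.env
Client IP: 203.0.113.5
"""

# One entry = header line, "Request URL", optional "Referer URL", "Client IP".
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Error: \[(?P<exc>[^\]]+)\].*\n"
    r"Request URL: (?P<url>\S+)\n"
    r"(?:Referer URL: .*\n)?"
    r"Client IP: (?P<ip>\S+)",
    re.MULTILINE,
)

def parse_entries(text):
    """Yield one dict per log entry: timestamp, exception class, path, client."""
    for m in ENTRY_RE.finditer(text):
        yield {
            "ts": m["ts"],
            "exception": m["exc"].rsplit("\\", 1)[-1],  # drop the PHP namespace
            "path": urlsplit(m["url"]).path,            # drop the query string
            "client": m["ip"],
        }

def triage(text):
    """Count rejected API calls and unknown-route requests per (client, path)."""
    rejected, unknown = Counter(), Counter()
    for e in parse_entries(text):
        if e["exception"] == "UnauthenticatedException":
            rejected[(e["client"], e["path"])] += 1
        elif e["exception"] == "MissingRouteException":
            unknown[(e["client"], e["path"])] += 1
    return rejected, unknown

if __name__ == "__main__":
    for label, counts in zip(("rejected API call", "unknown route"), triage(SAMPLE_LOG)):
        for (client, path), n in counts.most_common():
            print(f"{label}: {client} {path} x{n}")
```

Repeated rejections from one client on the same API path are the entries that matter for the mobile login problem; the unknown-route group can be reviewed separately.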

After a meeting with @max and a colleague of his, we found the solution to the problem.
I’m using Apache and it seems to be filtering the authentication token header, so you need to add these lines in your Apache website configuration to solve it:

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*) 
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

Thank you again Max and Juan

2 Likes

Thanks for your time @Termindiego25
more information about the “issue” with apache2 here: Authentication · tymondesigns/jwt-auth Wiki · GitHub

Is there any way to debug that the token is being read from the script side? I’m running under Nginx and have the same issue by the looks of it…

@rkk unless you are specifying header directives, this default NGINX setup (showing for ipv4 port 443) should work:

server {
        listen 443 ssl http2;

        server_name domain[.]com;

        root /usr/share/php/passbolt/webroot;
        index index.php;

        access_log      /var/log/nginx/access.log;
        error_log       /var/log/nginx/error.log info;

        client_body_buffer_size     100K;
        client_header_buffer_size   1k;
        client_max_body_size        5M;

        client_body_timeout   10;
        client_header_timeout 10;
        keepalive_timeout     5 5;
        send_timeout          10;

        ssl_certificate     /path/to/fullchain.cer;
        ssl_certificate_key /path/to/domain.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

        ssl_session_tickets off;

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                try_files                $uri =404;
                include                  fastcgi_params;
                fastcgi_pass             unix:/run/php/php7.4-fpm.sock;
                fastcgi_index            index.php;
                fastcgi_intercept_errors on;
                fastcgi_split_path_info  ^(.+\.php)(.+)$;
                fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param            SERVER_NAME $http_host;
                fastcgi_param            PHP_VALUE "upload_max_filesize=5M post_max_size=5M";
        }

}

Hi @rkk
Can you check the permissions on your jwt keys:
sudo chown -R www-data:www-data /etc/passbolt/jwt
sudo chmod 755 /etc/passbolt/jwt
sudo chmod 600 /etc/passbolt/jwt/jwt.key
sudo chmod 644 /etc/passbolt/jwt/jwt.pem

Also, are you able to access https://yourpassboltdomain/auth/jwt/rsa.json from your desktop?
This should return the public key.

Let us know

Best,
Max
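A read-only check of the modes and owner given in the reply above, as an added example (not Passbolt's own tooling): it reports deviations instead of changing anything, and calls out a private key that group or other can access. The function name `audit_jwt_dir` is hypothetical; the path, owner and modes are the ones quoted in this thread.

```python
import os
import pwd
import stat

# Modes from the reply above: directory 755, jwt.key 600, jwt.pem 644.
EXPECTED = {"": 0o755, "jwt.key": 0o600, "jwt.pem": 0o644}


def owner_name(uid):
    """Resolve a uid to a user name, falling back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_jwt_dir(jwt_dir, owner=None):
    """Return a list of findings; an empty list means the layout matches.

    owner is optional: pass the web server user (www-data in this thread)
    to also compare file ownership.
    """
    findings = []
    for name, want in EXPECTED.items():
        path = os.path.join(jwt_dir, name) if name else jwt_dir
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != want:
            findings.append(f"{path}: mode {mode:03o}, expected {want:03o}")
        # Any group/other bit on the signing key exposes it to other accounts.
        if name == "jwt.key" and mode & 0o077:
            findings.append(f"{path}: private key accessible to group/other")
        if owner is not None and owner_name(st.st_uid) != owner:
            findings.append(
                f"{path}: owned by {owner_name(st.st_uid)}, expected {owner}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_jwt_dir("/etc/passbolt/jwt", owner="www-data"):
        print(finding)
```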

Thanks for the help! It’s working now! I set the permissions as you mentioned, and I also reran the “composer install --no-dev” step of the upgrade, where it found newer dependency versions, perhaps I forgot to perform that step during upgrade. But everything seems to be working fine now.

3 Likes

Glad to hear it @rkk thanks for letting us know.

Enjoy the app!

Best,
Max

1 Like