Passbolt broken after v4 update - intermittent login issues

shkarface · June 26, 2023, 9:41am

Do you know of any way to move forward?

remy · June 26, 2023, 9:52am

Do you know of any way to move forward?

We can try to help you by having a look. You can run the following SQL query and past the output here. Or DM me if you’re not comfortable sharing this info publicly.

select * from gpgkeys where user_id = (select id from users where username = 'ada@passbolt.com');

Replace ada with the email of one user that cannot login.

shkarface · July 2, 2023, 7:18am

I sent you a private message

Jose · July 3, 2023, 3:30pm

i have the same problem with the update… could you fix??

I have to restart the server to be able to log in again.

When I log out and want to start again, it says authentication failed

2023-07-03 15:34:45 error: [Authentication\Authenticator\UnauthenticatedException] Authentication is required to continue in /usr/share/php/passbolt/vendor/cakephp/authentica                                                             tion/src/Controller/Component/AuthenticationComponent.php on line 177
Request URL: /auth/is-authenticated.json
Client IP: 192.168.0.105
2023-07-03 15:34:52 error: [Cake\Http\Exception\InternalErrorException] The authentication failed. in /usr/share/php/passbolt/src/Controller/Auth/AuthLoginController.php on l                                                             ine 93
Request URL: /auth/login.json?api-version=v2
Client IP: 192.168.0.105
2023-07-03 15:34:52 error: The authentication failed.
2023-07-03 15:34:52 error: #0 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/Controller.php(547): App\Controller\Auth\AuthLoginController->loginPost()
#1 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php(139): Cake\Controller\Controller->invokeAction()
#2 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Controller/ControllerFactory.php(114): Cake\Controller\ControllerFactory->handle()
#3 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/BaseApplication.php(320): Cake\Controller\ControllerFactory->invoke()
#4 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(86): Cake\Http\BaseApplication->handle()
#5 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/SecurityHeadersMiddleware.php(255): Cake\Http\Runner->handle()
#6 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Middleware\SecurityHeadersMiddleware->process()
#7 /usr/share/php/passbolt/src/Middleware/HttpProxyMiddleware.php(50): Cake\Http\Runner->handle()
#8 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\HttpProxyMiddleware->process()
#9 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php(138): Cake\Http\Runner->handle()
#10 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Middleware\CsrfProtectionMiddleware->process()
#11 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtCsrfDetectionMiddleware.php(55): Cake\Http\Runner->handle()
#12 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtCsrfDetectionMiddleware->process()
#13 /usr/share/php/passbolt/src/Middleware/GpgAuthHeadersMiddleware.php(40): Cake\Http\Runner->handle()
#14 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\GpgAuthHeadersMiddleware->process()
#15 /usr/share/php/passbolt/plugins/PassboltCe/Locale/src/Middleware/LocaleMiddleware.php(47): Cake\Http\Runner->handle()
#16 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\Locale\Middleware\LocaleMiddleware->process()
#17 /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/InjectMfaFormMiddleware.php(67): Cake\Http\Runner->handle()
#18 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\MultiFactorAuthentication\Middleware\InjectMfaFormMiddleware->process()
#19 /usr/share/php/passbolt/plugins/PassboltCe/MultiFactorAuthentication/src/Middleware/MfaRequiredCheckMiddleware.php(82): Cake\Http\Runner->handle()
#20 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\MultiFactorAuthentication\Middleware\MfaRequiredCheckMiddleware->process()
#21 /usr/share/php/passbolt/vendor/cakephp/authentication/src/Middleware/AuthenticationMiddleware.php(124): Cake\Http\Runner->handle()
#22 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Authentication\Middleware\AuthenticationMiddleware->process()
#23 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtDestroySessionMiddleware.php(43): Cake\Http\Runner->handle()
#24 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtDestroySessionMiddleware->process()
#25 /usr/share/php/passbolt/src/Middleware/SessionAuthPreventDeletedUsersMiddleware.php(46): Cake\Http\Runner->handle()
#26 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\SessionAuthPreventDeletedUsersMiddleware->process()
#27 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/BodyParserMiddleware.php(162): Cake\Http\Runner->handle()
#28 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Http\Middleware\BodyParserMiddleware->process()
#29 /usr/share/php/passbolt/src/Middleware/SessionPreventExtensionMiddleware.php(66): Cake\Http\Runner->handle()
#30 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\SessionPreventExtensionMiddleware->process()
#31 /usr/share/php/passbolt/src/Middleware/ApiVersionMiddleware.php(46): Cake\Http\Runner->handle()
#32 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\ApiVersionMiddleware->process()
#33 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtRouteFilterMiddleware.php(47): Cake\Http\Runner->handle()
#34 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtRouteFilterMiddleware->process()
#35 /usr/share/php/passbolt/plugins/PassboltCe/JwtAuthentication/src/Middleware/JwtAuthDetectionMiddleware.php(58): Cake\Http\Runner->handle()
#36 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Passbolt\JwtAuthentication\Middleware\JwtAuthDetectionMiddleware->process()
#37 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php(186): Cake\Http\Runner->handle()
#38 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Routing\Middleware\RoutingMiddleware->process()
#39 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php(77): Cake\Http\Runner->handle()
#40 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Routing\Middleware\AssetMiddleware->process()
#41 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php(131): Cake\Http\Runner->handle()
#42 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): Cake\Error\Middleware\ErrorHandlerMiddleware->process()
#43 /usr/share/php/passbolt/src/Middleware/ContentSecurityPolicyMiddleware.php(39): Cake\Http\Runner->handle()
#44 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\ContentSecurityPolicyMiddleware->process()
#45 /usr/share/php/passbolt/src/Middleware/ContainerInjectorMiddleware.php(54): Cake\Http\Runner->handle()
#46 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(82): App\Middleware\ContainerInjectorMiddleware->process()
#47 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Runner.php(67): Cake\Http\Runner->handle()
#48 /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Server.php(90): Cake\Http\Runner->run()
#49 /usr/share/php/passbolt/webroot/index.php(40): Cake\Http\Server->run()
#50 {main}

shkarface · July 4, 2023, 7:14am

We have not been able to fix the issue yet

shkarface · July 4, 2023, 7:15am

waiting on @remy for any resolution

remy · July 4, 2023, 8:20am

@shkarface I checked the key and it is fine. I’m not sure sure why however the fingerprint is ending with a Q in the database. This is not a correct fingerprint. You can try to rename the fingerprint in the database to remove the trailing Q.

update gpgkeys set fingerprint='7BA18F137CAF2AD47602F5D70D1465FF8E54F8C4' where fingerprint='7BA18F137CAF2AD47602F5D70D1465FF8E54F8C4Q';
update gpgkeys set fingerprint='E58599258FC30BD443918E7A75272900CA7E0DE3' where fingerprint='E58599258FC30BD443918E7A75272900CA7E0DE3Q';
update gpgkeys set fingerprint='9ED4182C336A03DCBB3928C1F4A098D575F13C2C' where fingerprint='9ED4182C336A03DCBB3928C1F4A098D575F13C2CQ';
update gpgkeys set fingerprint='1EB47508C31498F0B580438D671BF639FFEA1821' where fingerprint='1EB47508C31498F0B580438D671BF639FFEA1821Q';
update gpgkeys set fingerprint='4B9ADB17A61B5824CB03E69233C654DE7BEF8349' where fingerprint='4B9ADB17A61B5824CB03E69233C654DE7BEF8349Q';

Then rerun the data check and try to see if the issue is fixed.

@Jose please start a new thread, while the symptoms may be the same, this may not be the same error. We also need your data to evaluate (status-report with healthcheck, data-check, cleanup results etc.)

shkarface · July 5, 2023, 7:44am

Hello @remy, thank you very much for the solution, this worked like a charm.

It’s very weird that this issue has happened during the upgrade, are there any internal bugs related to this?

Steph · July 5, 2023, 9:09am

I gave a look at the code we have to see if there was a bug in our process. I couldn’t find anything yet on my side, it could be the browser extension, the API, some API internal process. I have no clue to be honest.

So, I was wondering, if you still have the SQL export you did before converting, could you check if the backup files contains the Q in the fingerprint please (I’m trying to narrow down the potential source of the problem)?

shkarface · July 5, 2023, 9:36am

Hello Steph,

Yes the Q is in the previous database as well, this is where the initial issue happened.

That’s why we converted from a docker installation to an ubuntu installation so we can easier troubleshoot it.

EDIT: and this happened after upgrading passbolt to v4

remy · July 5, 2023, 10:23am

This is very strange since there is no migration on fingerprint field as part of v4 (and the last one touching that field is v2.0.2 which is from 2018, before the keys were created). What was your upgrade procedure, how did you migrate to a new server and/or export / import data using SQL? Maybe there was an initial charset misconfiguration?

shkarface · July 5, 2023, 1:12pm

We just exported from the docker and imported in the VM.

keep in mind that the issue happened before moving from docker to VM.

Also, it has stopped working again

Steph · July 5, 2023, 1:14pm

It stops again?! With the same issue (having a Q at the end of some fingerprints in the database)?

shkarface · July 6, 2023, 7:30am

Yes, it seems that was the case, some of the fingerprints had the letter Q appended to their end.

(Not all of them though)

shkarface · July 6, 2023, 7:38am

I can confirm that this is the case, the fingerprints get a ‘Q’ appended to the after some time, I don’t know exactly is the issue

shkarface · July 6, 2023, 7:42am

The fingerprints that get changed are random I think?

I’ve had to run multiple commands like these in the past hour:

mysql> UPDATE gpgkeys SET fingerprint = "" WHERE fingerprint = "";
Query OK, 0 rows affected (0.00 sec)
Rows matched: 0  Changed: 0  Warnings: 0

mysql> UPDATE gpgkeys SET fingerprint = "7BA18F137CAF2AD47602F5D70D1465FF8E54F8C4" WHERE fingerprint = "7BA18F137CAF2AD47602F5D70D1465FF8E54F8C4Q";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> UPDATE gpgkeys SET fingerprint = "E58599258FC30BD443918E7A75272900CA7E0DE3" WHERE fingerprint = "E58599258FC30BD443918E7A75272900CA7E0DE3Q";
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> UPDATE gpgkeys SET fingerprint = "5DE165BF83F4516012B7B38A3B5F2393CD881968" WHERE fingerprint = "5DE165BF83F4516012B7B38A3B5F2393CD881968Q";
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> UPDATE gpgkeys SET fingerprint = "A0ACFF99A2CFE22262C8EE1BEC99C30D202D8DA2" WHERE fingerprint = "A0ACFF99A2CFE22262C8EE1BEC99C30D202D8DA2Q";
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> UPDATE gpgkeys SET fingerprint = "BDF361329C1F591B4FFCCD9A83FB475685D243AC" WHERE fingerprint = "BDF361329C1F591B4FFCCD9A83FB475685D243ACQ";
Query OK, 1 row affected (0.01 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Steph · July 6, 2023, 7:45am

That’s a very weird one .

Do you know:

if it happens for the same users as before, or if it’s for random users, or new users?
which browser are they using?

Steph · July 6, 2023, 7:50am

By the way, we looked at what are tested automatically, we don’t go (yet) over mariadb 10.6.
I’m will to a test with the 10.11.

shkarface · July 6, 2023, 2:35pm

It usually happens to the same set of users…

shkarface · July 6, 2023, 2:36pm

This is breaking the system entirely, we can jump on a call to see if we can find the issue

Topic		Replies	Views
The newly created user login prompts something went wrong Installation Issues	1	623	February 18, 2022
Issues upgrading to V3 in docker Installation Issues	1	737	July 22, 2021
500 internal server error when inserting or updating a record API & Customization issues	14	1574	April 18, 2023
API v2 not compatible with browser extension v4 anymore - help to upgrade API needed Installation Issues	4	239	May 26, 2023
After upgrade passbolt to 4.1.2-1, it show me the white page after login Installation Issues	6	318	August 22, 2023

Passbolt broken after v4 update - intermittent login issues

Related topics