Session issues on iOS

loics2 · April 30, 2024, 10:23pm

Hi, I’m slowly losing my mind about a bug with liveview on iOS.

Users on my application are members of organizations, and the homepage is the organization’s page. If a user is logged in and a member of the organization, it gets redirected to the management side of the application. This part of the application is protected with the standard plugs and mount hooks to check if the user is logged in, a member and have the required permissions.

Some users cannot access the management page on iOS because they are trapped in a redirect loop, and I cannot find what causes this issue. I’m almost certain it affects only iOS users, and I could not reproduce the bug on LambdaTest, on any version of iOS.

Here are the interesting part of my router:

# Routes unavailable to authenticated users
scope "/", NyghtWeb do
  pipe_through [:browser, :redirect_if_user_is_authenticated]

  live_session :redirect_if_user_is_authenticated,
    on_mount: [OrganizationHook, {NyghtWeb.UserAuth, :redirect_if_user_is_authenticated}],
    session: {Session, :session, []} do
    live "/users/log_in", UserLive.Login, :new
  end

  post "/users/log_in", UserSessionController, :create
end

# Routes requiring authentication
scope "/app", NyghtWeb do
  pipe_through [:browser, :require_authenticated_user]

  live_session :require_authenticated_org_user,
    on_mount: [OrganizationHook, {NyghtWeb.UserAuth, :ensure_authenticated}],
    layout: {NyghtWeb.UI.Layouts, :app_admin},
    session: {Session, :session, []} do

    scope "/events", EventLive do
      live "/", IndexList, :upcoming
    end
end

# Routes that don't require authentication
scope "/", NyghtWeb do
  pipe_through [:browser]

  live_session :optional_authenticated_user,
    on_mount: [OrganizationHook, {NyghtWeb.UserAuth, :mount_current_user}],
    session: {Session, :session, []} do
    live "/", OrganizationLive.Show, :index, as: :home
  end
end

Here are some of the liveview on_mount hooks:

# redirects a user if it's a member of the organization, used on the homepage
def on_mount(:redirect_if_user_is_member, _params, session, socket) do
  socket = mount_current_user(socket, session)

  with {:ok, user} <- Map.fetch(socket.assigns, :current_user),
       true <- Organizations.member?(socket.assigns.current_organization, user) do
    Logger.info("Redirecting user, page is not available for organization member (LV)")
    {:halt, Phoenix.LiveView.redirect(socket, to: ~p"/app/events")}
  else
    _ ->
      {:cont, socket}
  end
end

# generated by phx.gen.auth with added logging
def on_mount(:ensure_authenticated, _params, session, socket) do
  socket = mount_current_user(socket, session)

  if socket.assigns.current_user do
    {:cont, socket}
  else
    Logger.warning("Current user not found, unauthorized access (LV)")

    socket =
      socket
      |> Phoenix.LiveView.put_flash(:error, "You must log in to access this page.")
      |> Phoenix.LiveView.redirect(to: ~p"/users/log_in")

    {:halt, socket}
  end
end

# also generated with phx.gen.auth with added logging
def redirect_if_user_is_authenticated(conn, _opts) do
  if conn.assigns[:current_user] do
    Logger.info("Redirecting user, page is not available for authenticated users (plug)")

    conn
    |> redirect(to: signed_in_path(conn))
    |> halt()
  else
    conn
  end
end

Finally, here are some logs when a user is stuck in a loop:

[INFO] GET /
[INFO] Redirecting user, page is not available for organization member (LV)
[INFO] Sent 302 in 13ms
[INFO] GET /app/events
[INFO] Sent 200 in 28ms
[INFO] CONNECTED TO Phoenix.LiveView.Socket in 22µs Transport: :websocket Serializer: Phoenix.Socket.V2.JSONSerializer parameters: %{"_csrf_token" => "<token>", "_live_referer" => "undefined", "_mounts" => "0", "_track_static" => %{"0" => "...", "1" => "..."}, "timezone" => "Europe/Zurich", "vsn" => "2.0.0"}
[WARN] Current user not found, unauthorized access (LV)
[INFO] GET /users/log_in
[INFO] Redirecting user, page is not available for authenticated users (plug)
[INFO] Sent 302 in 5ms
[INFO] GET /
...

Does anybody have an idea of what’s happening?

Thanks!

mindok · May 1, 2024, 6:40am

Is it in a WebView inside an iOS app, or Safari?

loics2 · May 1, 2024, 7:00am

Most of users are using Safari, but a few are using chrome

mindok · May 2, 2024, 4:23am

If this is a test system I’d break it down into steps to isolate what’s going on.

Maybe redirect to a liveview (instead of “/app/events”) that is available whether authed or not to confirm whether user details get passed through properly via session, and also try sending it to a dead view (view/controller) page to confirm whether user details get added to the conn assigns.

Once you’ve isolated exactly where auth details are getting lost it may be a bit easier to troubleshoot.

codeanpeace · May 2, 2024, 10:25pm

Sounds frustrating to say the least… here’s an attempt to recap this redirect loop based on the logs.

GET / => live "/", OrganizationLive.Show, :index, as: :home
where true <- Organizations.member?(socket.assigns.current_organization, user)
in on_mount(:redirect_if_user_is_member, ...)
matches so user is redirected to /app/events
/app/events => live "/", IndexList, :upcoming
where if socket.assigns.current_user do
in on_mount(:ensure_authenticated, ...)
is falsey so user is redirected to live "/users/log_in"
live /users/log_in => UserLive.Login
where if conn.assigns[:current_user] do
in redirect_if_user_is_authenticated/2
is truthy so user is redirected to signed_in_path(conn)
and this then goes back to the step 1 with GET /
since mix phx.gen.auth adds defp signed_in_path(_conn), do: ~p"/" in the UserAuth module

So the user stuck in a loop somehow meets the following conditions:

# Step 1
Organizations.member?(socket.assigns.current_organization, user)` => truthy
# Step 2
socket.assigns.current_user => falsey
# Step 3
conn.assigns[:current_user] => truthy

It seems like Step 2 should be truthy as well, but is not for some mysterious reason.

What does your mount_current_user/2 and Organizations.member/2 functions look like? As a sanity check, I’d investigate whether the former is somehow returning nil which could be a problem if the latter somehow returns true when passed a nil as a user.

yasoob · May 3, 2024, 6:12pm

I don’t have any solution to your problem but I wanted to share that I was facing similar auth related issues with a LiveView app. In my case, the iOS version was very old and I think there was probably some feature that iOS didn’t support (that is required by LV). As soon as I upgraded the iOS version, the issue automatically resolved. To this day I have no clue what was the root-cause.

Maybe ask the client to update the iOS version if they are on a pretty old version. I know it is an unrealistic ask in certain circumstances but maybe it is a viable solution for you?

ibarch · May 3, 2024, 7:55pm

Can you try to remove :require_authenticated_user form pipe_through list?
During the initial HTTP call both :require_authenticated_user and {NyghtWeb.UserAuth, :ensure_authenticated} are called. I assume that these two are doing similar authentication/authorization job and may cause the issue.