State mismatch after login #117

Open
mhfowler opened this issue Dec 11, 2024 · 11 comments

@mhfowler

mhfowler commented Dec 11, 2024

While trying to log in to Outline, the login display shows an "invalid password" if I enter the wrong password (this is expected). On entering the correct password, I get to the screen where it says "Grant Access". I click "grant access" and then see the following error screen:

Screenshot from 2024-12-11 16-07-24

This was after successfully restoring my yunohost + dex + minio from a backup.

On an entirely different machine, running yunohost 12.0.8.2, with a fresh install of Outline, with Dex 2.39.1~ynh1 and Outline 0.81.0~ynh1, I'm also seeing the same error in the same way when I try to log in...

what's going on? Is outline authentication working for others?

Context

  • Hardware: VPS on digital ocean
  • YunoHost version: 11.3.0.2
  • I have access to my server: yes
  • Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
  • Outline version 0.67.2~ynh1
@mhfowler
Author

found these messages in /var/log/outline/outline.log that look relevant:

{"label":"http","level":"info","message":"  <-- GET /auth/oidc"}
{"label":"http","level":"info","message":"  --> GET /auth/oidc 302 7ms 0b"}
{"label":"http","level":"info","message":"  <-- GET /auth/oidc.callback?code=rerzbj2n7rzk6fxjesvq24wm3&state=94560d07aa29beb3"}
{"error":"State not return in OAuth flow","level":"error","message":"Error during authentication","stack":"BadRequestError: State not return in OAuth flow\n    at OAuthStateMismatchError (/var/www/outline/build/server/errors.js:147:34)\n    at StateStore.verify (/var/www/outline/build/server/utils/passport.js:46:61)\n    at OAuth2Strategy.authenticate (/var/www/outline/node_modules/passport-oauth2/lib/strategy.js:222:26)\n    at _passportOauth.Strategy.authenticate (/var/www/outline/build/plugins/oidc/server/auth/oidc.js:33:26)\n    at attempt (/var/www/outline/node_modules/@outlinewiki/koa-passport/node_modules/passport/lib/middleware/authenticate.js:369:16)\n    at authenticate (/var/www/outline/node_modules/@outlinewiki/koa-passport/node_modules/passport/lib/middleware/authenticate.js:370:7)\n    at /var/www/outline/node_modules/@outlinewiki/koa-passport/lib/framework/koa.js:194:7\n    at new Promise (<anonymous>)\n    at /var/www/outline/node_modules/@outlinewiki/koa-passport/lib/framework/koa.js:193:12\n    at /var/www/outline/node_modules/@outlinewiki/koa-passport/lib/framework/koa.js:143:7\n    at new Promise (<anonymous>)\n    at passportAuthenticate (/var/www/outline/node_modules/@outlinewiki/koa-passport/lib/framework/koa.js:107:15)\n    at passportMiddleware (/var/www/outline/build/server/middlewares/passport.js:75:7)\n    at /var/www/outline/node_modules/dd-trace/packages/datadog-instrumentations/src/koa.js:88:57\n    at passportMiddleware (/var/www/outline/node_modules/dd-trace/packages/datadog-shimmer/src/shimmer.js:26:21)\n    at dispatch (/var/www/outline/node_modules/koa-router/node_modules/koa-compose/index.js:44:32)\n    at next (/var/www/outline/node_modules/koa-router/node_modules/koa-compose/index.js:45:18)\n    at /var/www/outline/node_modules/koa-router/lib/router.js:346:16\n    at dispatch (/var/www/outline/node_modules/koa-router/node_modules/koa-compose/index.js:44:32)\n    at next (/var/www/outline/node_modules/koa-router/node_modules/koa-compose/index.js:45:18)\n    at /var/www/outline/node_modules/@outlinewiki/koa-passport/lib/framework/koa.js:60:14\n    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"}
{"label":"http","level":"info","message":"  --> GET /auth/oidc.callback?code=rerzbj2n7rzk6fxjesvq24wm3&state=94560d07aa29beb3 302 4ms 133b"}
{"label":"http","level":"info","message":"  <-- GET /?notice=state-mismatch"}
{"label":"http","level":"info","message":"  --> GET /?notice=state-mismatch 200 29ms 4.95kb"}
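
A way to triage a log like the one in the comment above, as an added example that is not part of the original thread or of Outline's code: it reads JSON-lines entries, pairs each error with the inbound request logged just before it, and replaces the `code` and `state` query values with `[redacted]`. The sample lines are constructed in the shape of the paste above, with placeholder values and a shortened stack.

```javascript
// Constructed sample shaped like the outline.log lines quoted above
// (placeholder code/state values, stack shortened to two frames).
const SAMPLE_LOG = [
  '{"label":"http","level":"info","message":"  <-- GET /auth/oidc"}',
  '{"label":"http","level":"info","message":"  --> GET /auth/oidc 302 7ms 0b"}',
  '{"label":"http","level":"info","message":"  <-- GET /auth/oidc.callback?code=SAMPLECODE&state=SAMPLESTATE"}',
  '{"error":"State not return in OAuth flow","level":"error","message":"Error during authentication",' +
    '"stack":"BadRequestError: State not return in OAuth flow\\n    at OAuthStateMismatchError (errors.js:147:34)' +
    '\\n    at StateStore.verify (passport.js:46:61)"}',
  '(errors.js:1:1)"}', // fragment of a wrapped line, as can happen in a paste; not valid JSON
  '{"label":"http","level":"info","message":"  <-- GET /?notice=state-mismatch"}',
].join('\n');

const SENSITIVE_PARAMS = new Set(['code', 'state']);

// Replace the values of OAuth query parameters in a logged request line.
function redactMessage(message) {
  return message.replace(/([?&])([^=&\s]+)=([^&\s]*)/g, (match, sep, key) =>
    SENSITIVE_PARAMS.has(key) ? `${sep}${key}=[redacted]` : match);
}

// Walk JSON-lines log text and pair every error entry with the last inbound
// ("<--") request logged before it. Lines that do not parse are skipped.
function triage(logText) {
  const findings = [];
  let lastRequest = null;
  for (const line of logText.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    if (entry === null || typeof entry !== 'object') continue;
    const message = typeof entry.message === 'string' ? entry.message.trim() : '';
    if (entry.label === 'http' && message.startsWith('<--')) {
      lastRequest = redactMessage(message);
    } else if (entry.level === 'error' && entry.error) {
      // Keep only the first two stack frames: where the error was raised.
      const frames = String(entry.stack || '').split('\n').slice(1, 3);
      findings.push({
        error: entry.error,
        request: lastRequest,
        thrownAt: frames.map((frame) => frame.trim()),
      });
    }
  }
  return findings;
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```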

@Limezy
Collaborator

Limezy commented Dec 12, 2024

Can you please tell me which package version your restored instance is?
Did you try logging in with a browser in "incognito" mode? Sometimes, for reasons I don't understand yet, after a restore or reinstall users need to delete all cookies in memory.

@mhfowler
Author

mhfowler commented Dec 12, 2024

hi, thanks for the reply! I've just tried logging in to both versions in two different incognito windows and I get the same error

for the restored instance, the outline package version is 0.67.2~ynh1

@Limezy
Collaborator

Limezy commented Dec 12, 2024

It looks like an error on the Dex side, I will have to check!

@mhfowler
Author

curious if you were able to replicate the bug? or if any more logs would be helpful?

@mhfowler
Author

mhfowler commented Dec 30, 2024

I found a workaround for being able to log in to the latest version of outline_ynh. After installing outline, the dex installation does not work (something is broken in dex), but then I was able to log in via a magic link by doing the following:

cd /var/www/outline;
sudo -u outline env PATH=/opt/node_n/n/versions/node/14/bin:/opt/node_n/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin node build/server/scripts/seed.js youremail@email.com

this returns a magic link which you can use to log in directly. After logging in like this, everything works as expected (other than figuring out how to get around a limit on the size of image uploads).

however I still have some valuable data stuck in my old outline installation, so I'm trying to figure out how to get into that, and then export the data. or possibly a way to export the data via the CLI, similar to above. perhaps when dex is fixed all my problems will be resolved, but I'm on a deadline over here so looking into other options.

maybe the seed.js command is helpful to someone, and good to know for the future...

@mhfowler
Author

fixed the image upload limit by adding this to .env

FILE_STORAGE_IMPORT_MAX_SIZE=512000000

but still haven't figured out how to successfully import the .zip export from an old version of outline. even after adding to .env:

MAXIMUM_IMPORT_SIZE=512000000

@Limezy
Collaborator

Limezy commented Dec 31, 2024

I'm very sorry I didn't have any time to put into this yet (currently on holiday) but I'll fix the package for sure.

In fact the broken package is Dex, not outline. The same error happens when installing Headscale, also depending on Dex, for instance.

@mhfowler
Author

@Limezy hope you are having a nice holiday!

after spending some time also trying to deploy the app directly via docker, and seeing how complicated it is, I appreciate how much easier the yunohost install is. Thanks for making this package!

My temporary hack is working for now, and I will happily switch to doing login "the normal way" once dex is fixed

@Limezy
Collaborator

Limezy commented Jan 1, 2025

Many thanks, holidays are good indeed!
Just found that Dex installation is currently broken on Yunohost 12.x, because of a broken go package helper

  1. Are you indeed using Yunohost 12.x?
  2. In your outline installation logs, didn't it mention an error about dex installation? Can you find Dex among your installed apps?
    This is probably the simple explanation to all your problems... both upgrade and fresh install

@mhfowler
Author

mhfowler commented Jan 1, 2025

@Limezy fwiw a few weeks ago when I tried, Dex would successfully install, but then there was the state mismatch error. Now, Dex does not even manage to install.

So when we are able to install Dex again, will have to see if it fixes the issue or if there is still the state mismatch.

I am on yunohost 12.0.9.1
