instagram signup is buggy
snarfed opened this issue · 26 comments
at least two problems:
- indieauth fails for @Zegnat because he uses his own auth endpoint, https://vanderven.se/martijn/auth/ , which we somewhat handle ok, but its verification response doesn't return `me`, which we don't handle ok. IRC discussions, snarfed/oauth-dropins@d65d415, snarfed/oauth-dropins@f8ff52e.
- when i try to log in, indieauth works ok, but then the IG profile page fetch gets rate limited, which breaks badly with an IG-rendered error page.
apologies @Zegnat, but i may deprioritize 1 until if/when you actually use bridgy. 2, though, i should look at.
cc @aaronpk
alternative: drop instagram, with a vengeance. so tempted.
I am curious about tracking down that IndieAuth error though. I'm not sure why the verification response didn't return `me`, since that's how IndieAuth works. Could be an error on Zegnat's endpoint with something. Maybe the right answer is to better surface or log the error responses during that part of the flow so this is easier to troubleshoot. Now that Wordpress is about to get its own built-in IndieAuth endpoint, people using Bridgy will be getting this IndieAuth response from a lot more different sites than just indieauth.com soon.
we debugged more and determined that i'm not sending an `Accept` header or otherwise doing conneg in the code verification request, but i'm expecting a form-encoded response, and @Zegnat's endpoint is returning JSON: `{"me":"https:\/\/vanderven.se\/martijn\/"}`. the spec also says the response is JSON.
@Zegnat says his endpoint should default to form-encoded though, not JSON: https://gist.github.com/Zegnat/4ad87603bcabbf8e095363df99845e50 . the plot thickens.
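A verification-response parser that tolerates both formats discussed above and keeps the endpoint's raw answer in the error, as an added example (not bridgy's or oauth-dropins' own code). The names `VERIFY_HEADERS`, `VerificationError` and `parse_verification` are hypothetical, and it is an assumption that an endpoint honours the `Accept` value shown.

```python
import json
from urllib.parse import parse_qs

# Sent with the verification POST so the endpoint knows which format is wanted.
VERIFY_HEADERS = {"Accept": "application/json, application/x-www-form-urlencoded;q=0.8"}


class VerificationError(Exception):
    """Raised with the endpoint's raw answer so failures can be logged."""


def parse_verification(status, content_type, body):
    """Return the verified `me` URL from a code verification response."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    fields = None
    if media_type == "application/json" or body.lstrip().startswith("{"):
        try:
            fields = json.loads(body)
        except ValueError:
            fields = None  # mislabelled body, try form encoding below
    if not isinstance(fields, dict):
        # parse_qs returns lists of values; keep the first of each.
        fields = {k: v[0] for k, v in parse_qs(body).items()}
    if status != 200 or not fields.get("me"):
        raise VerificationError(
            "status=%s type=%r error=%r body=%r"
            % (status, media_type, fields.get("error"), body[:200]))
    return fields["me"]


if __name__ == "__main__":
    # Constructed responses: the JSON body quoted in the thread and its form-encoded twin.
    print(parse_verification(200, "application/json",
                             r'{"me":"https:\/\/vanderven.se\/martijn\/"}'))
    print(parse_verification(200, "application/x-www-form-urlencoded",
                             "me=https%3A%2F%2Fvanderven.se%2Fmartijn%2F"))
```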
i updated the signup profile fetch to ignore rate limiting.
@Zegnat i think this is fixed, so your auth endpoint should work now. feel free to try!
I also have issues authorizing my site. The error message I see after the redirect is:
HTTP Error 400: 400 Bad Request The server could not comply with the request since it is either malformed or otherwise incorrect. IndieAuth verification failed: error=Invalid+auth+code
The URL looks fine to me (includes `code=123abc`), and the state param is being accepted (i.e. I see an error about invalid state when I change anything about it, but otherwise not).
looking at the log from one of your indieauth callback requests (link is just for me):
GET /instagram/callback?code=CODE&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti
decoding state "%7B%22endpoint%22%3A%22https%3A%2F%2Fupdates.kip.pe%2Findieauth%2Fauth%22%2C%22me%22%3A%22https%3A%2F%2Fupdates.kip.pe%22%7D"
requests.post https://updates.kip.pe/indieauth/auth {'data': {'me': u'https://updates.kip.pe', 'state': '', 'code': u'CODE, 'client_id': 'https://brid.gy/', 'redirect_uri': 'https://brid.gy/instagram/callback'}}
Error 400, response body: u'400 Bad Request\n\nThe server could not comply with the request since it is either malformed or otherwise incorrect.\n\n IndieAuth verification failed: error=Invalid+auth+code '
...auth code and `me` do indeed look fine.
@skddc here's the auth code verification request bridgy makes, as a curl command:
$ curl -v -d 'me=https%3A%2F%2Fupdates.kip.pe&state=&code=CODE&client_id=https%3A%2F%2Fbrid.gy%2F&redirect_uri=https%3A%2F%2Fbrid.gy%2Finstagram%2Fcallback' https://updates.kip.pe/indieauth/auth
...
< HTTP/1.1 400 Bad Request
...
error=Invalid+auth+code
here's a simplified, more readable version, without the non-standard `me` and `state` parameters. same result:
curl -v -d 'code=CODE&client_id=https://brid.gy/&redirect_uri=https://brid.gy/instagram/callback' https://updates.kip.pe/indieauth/auth
i'm replacing CODE with an auth code bridgy got from the callback above from your auth endpoint, 2018-06-27 16:53:32 UTC. this failure may be because the code expired, though, so maybe i can catch you in person to debug together.
looks like this may be a bug in known, or at least a bad interaction between it and bridgy. @rikmendes had the same problem with https://rmendes.net/ , also on known.
hey @mapkyca, any tips on how we could debug this? known users are having trouble logging into bridgy (instagram) with their sites' indieauth. details above.
I could retry it and tell you the exact time and URL of the request if that helps.
@mapkyca thanks for looking! you don't actually need an instagram account to repro on https://brid.gy/ , just click the instagram button and then try to log in with indieauth.
the initial redirect from bridgy to known looks like this:
https://updates.kip.pe/indieauth/auth?me=https%3A%2F%2Fupdates.kip.pe&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&redirect_uri=https%3A%2F%2Fbrid.gy%2Finstagram%2Fcallback&client_id=https%3A%2F%2Fbrid.gy%2F
known then redirects back to bridgy with an auth code:
https://brid.gy/instagram/callback?code=CODE&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti
bridgy then tries to verify the auth code - details above in #809 (comment) - which known 400s.
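A small diagnostic for the callback quoted above, as an added example (not bridgy's own code): it undoes the double percent-encoding of `state` and compares the `me` stored there with the `me` the endpoint returned. `inspect_callback` and `SAMPLE_CALLBACK` are hypothetical names; whether a difference between the two values explains the 400 is not established in this thread.

```python
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Callback URL as quoted in the thread (CODE is the thread's own placeholder).
SAMPLE_CALLBACK = (
    "https://brid.gy/instagram/callback?code=CODE"
    "&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe"
    "%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252F"
    "updates.kip.pe%2522%257D"
    "&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti"
)


def inspect_callback(callback_url):
    """Decode an IndieAuth callback and compare the `me` values it carries."""
    # parse_qs removes the first layer of percent-encoding ...
    query = parse_qs(urlsplit(callback_url).query)
    # ... and state was encoded twice, so one more unquote yields the JSON.
    state = json.loads(unquote(query["state"][0]))
    requested = state["me"]               # what the user typed at signup
    returned = query.get("me", [""])[0]   # what the auth endpoint sent back
    return {
        "endpoint": state["endpoint"],
        "requested_me": requested,
        "returned_me": returned,
        "same_host": urlsplit(requested).hostname == urlsplit(returned).hostname,
        "same_me": requested.rstrip("/") == returned.rstrip("/"),
    }


if __name__ == "__main__":
    for key, value in inspect_callback(SAMPLE_CALLBACK).items():
        print(f"{key}: {value}")
```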
@mapkyca true, but this bug happens during indieauth, before bridgy looks at your Instagram account at all. if you were able to indieauth with known successfully, then you didn't reproduce the bug. maybe you're on a newer known version that fixed it?
I'm on ec0752d (June 18), if that helps.
I wonder if it makes a difference between single user install / multi user installs.. e.g. it'll be hard to auth a single user on a multiuser install if you enter https://example.com/ instead of https://example.com/profile/me
Oh, that actually works. So maybe that's how I did it back when setting it up the first time. Thanks!
Would be nice if people with single-user instances could just use their domain name, of course. My profile does appear on the frontpage, too.
That's what I have, and yet it doesn't work.
Interesting... so you're saying that https://yoursite.com/profile/skddc works but https://yoursite.com doesn't?
Yes, see my original comment: #809 (comment)
I found out what broke it. See my last comment in the linked Known issue. Thanks again for helping!
glad you figured it out!