This repository has been archived by the owner on Jul 2, 2020. It is now read-only.
TipsAndTricks.md
#### Tips, tricks and details that make understanding, debugging and troubleshooting easier

What happens in passport (invitation flow)

There are 2 files to debug or print details:

  • /node_modules/passport-google-oauth20/lib/strategy.js (Google specific settings and preparations)
  • /node_modules/oauth/lib/oauth.js (generic communication with the IDP)

What happens in passport (login flow)

/node_modules/passport-google-id-token/lib/passport-google-id-token/strategy.js

Authorized origins:

Authorized redirect URIs:

Database

  • Re-seed: predefined users are re-created when executing seed:run --production. During this process their assignment to any account is removed, so do not assign them to any account; if needed, create an additional (temporary or not) user and assign it to the account instead.
  • The following can be set to debug knex: export DEBUG=knex:*

LIMITATIONS:

  • Vagrant only: our vagrant (.local) domain is not publicly accessible, as Google OAuth2 requires, and we do not use "localhost" as the hostname in order to handle cookies properly, so the invitation process is broken on vagrant. Once you receive the "The site cannot be reached" error for the URL ending with /return.google, replace localhost with acmc.gaia-local.skydns.local manually in the browser and refresh the page.

Troubleshooting:

Login problems

Problem: Google is not accessible (e.g., proxy issues)

  • Server: message like {"message":"write EPROTO 140120540568616:error:14077419:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert access denied:../deps/openssl/openssl/ssl/s23_clnt.c:769:\n"}
  • Client: HTTP-302 to /login from /auth/google/token

Problem: Wrong Google Client ID

  • Server: message like {"message":"jwt audience invalid. expected: 32474398743298470-ennub25ri42roilsansk8pvdjf393rsd.apps.googleusercontent.com"}
  • Client: HTTP-302 to /login from /auth/google/token

Problem: Missing or wrong GoogleTokenStrategy definition (code problem)

  • Server: nothing
  • Client: HTTP-500 with {"name": "Error","message":"Unknown authentication strategy "google-id-token""} for /auth/google/token

Problem: Missing or wrong GoogleStrategy definition (code problem)

  • Server: message like {"message":"jwt audience invalid. expected: 32474398743298470-ennub25ri42roilsansk8pvdjf393rsd.apps.googleusercontent.com"}
  • Client: HTTP-302 to /login from /auth/google/token

Problem: Missing serialization (code problem; serialization is required because a custom callback is used for logging)

  • Server: Failed to login as <user_id>
  • Client: HTTP-500 with {"name":"Error","message":"Failed to serialize user into session"} for /auth/google/token

Problems such as a missing redirect or authorized URL are reported clearly on the client side.

Everything is OK

  • Server: Logged in as <user_id>
  • Client: HTTP-200 for /auth/google/token
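
The "jwt audience invalid" symptom above comes from the ID token's aud claim not matching the configured Google Client ID. As an added troubleshooting example (not code from this repository or from passport-google-id-token), the following decodes a token locally and reports why it would be rejected; the client ID, issuer list and sample token are constructed assumptions, and the signature is deliberately not verified, so this is a diagnostic aid only, never an authentication check.

```javascript
// Constructed placeholder for the Client ID the server is configured with.
const CONFIGURED_CLIENT_ID = 'EXAMPLE-CLIENT-ID.apps.googleusercontent.com';
// Issuer values Google uses for ID tokens (both forms appear in practice).
const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

// base64url -> UTF-8 string; re-adds padding so older Node versions work too.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Split a compact JWS into header and payload; throws on malformed input.
// NOTE: decoding only, the signature segment is ignored on purpose.
function decodeIdToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Return findings explaining why passport would reject the token.
// 'aud' may be a string or an array (RFC 7519), so normalize it first.
function diagnoseIdToken(token, clientId, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { payload } = decodeIdToken(token);
  const findings = [];
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!audiences.includes(clientId)) {
    findings.push(`jwt audience invalid. expected: ${clientId}, got: ${audiences.join(',')}`);
  }
  if (!GOOGLE_ISSUERS.includes(payload.iss)) {
    findings.push(`unexpected issuer: ${payload.iss}`);
  }
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) {
    findings.push('token expired or missing exp');
  }
  return findings;
}

// Build a sample token from a payload (constructed test data; the signature
// segment is a placeholder, which is why diagnoseIdToken must never be used
// to accept a user).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT', kid: 'constructed' })}.${enc(payload)}.sig-placeholder`;
}
```

Compare the "got" value in the audience finding with the expected value printed in the server log; if they differ, the client-side Google sign-in and the server are configured with different Client IDs.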

Invitation acceptance problems

Problem: Wrong Google Client ID

  • Server: Error in invitation acceptance process: The OAuth client was not found.(status 500)
  • Client: HTTP-200 with 'TokenError: The OAuth client was not found.' for /api/invitations/return.google

Problem: Wrong Google Client secret

  • Server: Error in invitation acceptance process: Unauthorized(status 500)
  • Client: HTTP-200 with 'TokenError: Unauthorized' for /api/invitations/return.google

Problem: Invitation already used

  • Server: Error in invitation acceptance process: This invitation was already used.(status 400)
  • Client: HTTP-200 with 'Error: This invitation was already used' for /api/invitations/return.google

Problem: Starting the acceptance process with a wrong invitation (the link that appears when pressing the invitations link in the e-mail: /invitations/

  • Server: Bad invitation was attempted to be used: <invitation_id>
  • Client: HTTP-400 with '{"name":"Error","message":"Invitation does not exist."}' for /api/invitations/363d6ce5-794d-475b-b4c8-10cb09c6ca25

Everything is OK

  • Server: invitation validated and Invitation successfully accepted
  • Client: HTTP-200 with 'Invitation successfully accepted' for /api/invitations/return.google

Mock configuration

  • The ACM server can be used as a mock for testing integrated services (STS) and for troubleshooting
  • The mock must have internet (Google) access to run
  • The mock uses an SQLite 3 in-file database
  • Knex migrate and seed must run with --env=mock; seed must also run after export mockuserid=2474 (or any other value)
  • The server must be started with the mockuserid environment variable set to the superuser id, the same value used during seeding
  • DB preparation command examples:
    • create db and schema: ~/.npm-global/bin/knex migrate:latest --env=mock
    • populate db with data: export mockuserid=1234 && ~/.npm-global/bin/knex seed:run --env=mock
    • assign user to account: insert into xref_user_account_roles values(1234,2,1); commit; assuming that userId is 1234, accountId is 2, roleId is 1 (Account Administrator)
  • Limitations:
    • not supported: user update, any activity related to invitations