*passport-steam* failing

[Martii]

Both 1.0.8, 1.0.9 and the OUJS forks (commit specified) are producing ?authfail.

[Martii]

Still failing when deployed via git... not sure what to do and I'm outta time for now.

---

Note: may be related to the extra session found at #1344 ... another one popped up.

[Martii]

Some notes out loud (may add/change to this):

1. This is directly related to the non-user profiled session found at Existence checks for #1343 #1344 earlier today ... tested on dev and it creates one on auth fail. sessionStore.clear(); has no effect when the "stuck" session data is removed (other than logging out everything by removal of the MongoDB session cookies).
2. aLoggedIn argument at

   OpenUserJS.org/libs/passportVerify.js

   Line 16 in 193c04c

   exports.verify = function (aId, aStrategy, aUsername, aLoggedIn, aDone) {

   shows as undefined e.g. blank in console output... which triggers this section at

   OpenUserJS.org/libs/passportVerify.js

   Lines 75 to 77 in 193c04c

   	} else if (aUser) {
   	// user was found matching name but not can't be authenticated
   	return aDone(null, false, 'username is taken');

   which in turns triggers

   OpenUserJS.org/controllers/auth.js

   Lines 242 to 248 in 193c04c

   	if (isDev || isDbg) {
   	console.error(colors.red('`User` not found'));
   	}
   	aRes.redirect(doneUri + (doneUri === '/' ? 'login' : '') + '?authfail');
   	return;
   	}

3. Confirmed that

   OpenUserJS.org/libs/passportLoader.js

   Line 37 in 193c04c

   profile: false,

   is set to match docs at /liamcurry/passport-steam/blob/92974ba/README.md#configure-strategy

4. OpenUserJS.org/controllers/auth.js

   Lines 195 to 199 in 193c04c

   	if (strategy === 'steam') {
   	strategyInstance._verify = function (aIgnore, aId, aDone) {
   	verifyPassport(aId, strategy, username, aReq.session.user, aDone);
   	};
   	} else {

   has the right number of parameters according to docs at /liamcurry/passport-steam/blob/92974ba/README.md#configure-strategy
5. Reverted way back to 9688002 in dev... still failing e.g. probable that it's steam site related and/or the dependency (however since passport-steam@1.0.8 doesn't work... it's possibly site related instead)
6. Removed passport-aol and passport-yahoo (including in strategy JSON list) temporarily in dev to ensure passport-openid wasn't the issue... removed node_modules and re npm i'd... no difference.

[Martii]

@sizzlemctwizzle

Could use some expertise here please.

[Martii]

Lovely... it looks like my auth key changed... dumped dev account Martiii and recreated it... it has a different auth digest (I call it a hash key) then pro now. Logging into dev is solid so far with OUJS logout and then Steam logout. This issue seems similar to what happened with passport-google and them. :S

So two issues here:

• When an auth key doesn't match it doesn't automatically destroy the cookie/session server side. Work around for usage in Existence checks for #1343 #1344 but still I think it should destroy it then and there for tidiness (e.g. this is currently a session leak that auto-repairs on expiration which can be hours later (from Nudge session maxAge #1252) or never like it was before Set maxAge idle session to four (4) hours #1202... keeps username in there though). (btw the "stuck" session expired so session length and session active data match right now). Here's a diff that should fix that from another section of code. Seems to work when I try with my hosed Steam account on (local) pro e.g. length and active remain the same count (but username is blanked):

diff --git a/controllers/auth.js b/controllers/auth.js
index 7b01d3c..41d08c0 100644
--- a/controllers/auth.js
+++ b/controllers/auth.js
@@ -243,6 +243,12 @@ exports.callback = function (aReq, aRes, aNext) {
         console.error(colors.red('`User` not found'));
       }
 
+      if (aReq.session.destroy) {
+        aReq.session.destroy();
+      } else { // TODO: Remove conditional and this fallback when satisifed
+        delete aReq.session.user;
+      }
+
       aRes.redirect(doneUri + (doneUri === '/' ? 'login' : '') + '?authfail');
       return;
     }

(Note: Still not satisfied to remove the else yet but here the .user isn't added until a bit later in the same function. Also assume it could be used earlier on the "catastrophic" error trap earlier in the same callback... perhaps other places too... need to dig)

• The session server side "stuck" cookie in Existence checks for #1343 #1344 was before 2018-04-18 16:32:28.227 +00:00 and after 2018-04-17 21:07:38.075 +00:00 ... in which I wasn't on OUJS... so there could be someone else with the same or similar issue (perhaps just a bad, or incomplete, attempt in logging in too) that initially created it.

A good question is... Does Steam (or any auth) expire your openid/oauth after not logging in for a while? ❓ (it's probably been 5 to 6 months since I last used it)... If so that's really bad for OUJS accounts. Alternatively Steam could have changed their digest auth key algorithm server side before/during/after their http to https migration without our knowledge.

---

Rechecked OUJS forks... they appear to be solid as well with Martiii recreation on dev... so can revert the revert of that. So that leaves the question of why the original Steam digest auth key isn't working.

---

Ref(s):

• 36a935f at Don't create sessions for update checks, update installs, and library downloads #604 ... probably others but this is a back trace start

[Martii]

@sizzlemctwizzle

I think I've identified the bug... indirectly mentioned in the above comment with:

Alternatively Steam could have changed their digest auth key algorithm server side before/during/after their http to https migration without our knowledge.

Comparing my digest on pro to the digest from the creation of the new account on dev.... the difference is the aId contains https:... now instead of http:...... and running both, full, values through the crypto routine produces the exact hash key that I need for Steam authentication respectively.

What this means is everyone, and I do mean everyone, that has Steam as their auth prior to their https switch... their account access with this auth is currently orphaned... I do see a potential recovery option however we should try to figure that part out to keep things private as possible and preferably as smooth as possible (e.g. right now it is painstakingly lengthy to convert as the values are currently unknown)

Also there were a few comments on their repo that they "might go back" which will compound the issue in reverse.

Ref(s):

• Steamcommunity changed all http to https liamcurry/passport-steam#81

[sizzlemctwizzle]

1. Blindly hash the value we get back from steam and see if it matches the stored hash. If it matches, then login.
2. If not, replace /^https:/ with http: on the value we get from seam. Hash it and see if it matches the stored hash.
3. If it does, hash the the unmodified value we got from steam, and update the hash that we store to this new value. Finally, login.

[Martii]

@sizzlemctwizzle

Thank you!!!

We're mostly on the same page here. Although we need to narrow down the exact date Steam did this (some can be done with User.authed and/or User._since and around April 7th, 2018) and add the test to anything before that and apply the variant of No 3. We may have some accounts in the last two'ish weeks that are already correct. No. 2 is permanent now with aa2eda3 in case Steam "changes their mind" and goes back to http (commented in commit). We don't use the plain text value anywhere other than hashing it to a digest.

I'd like to keep most of the changes extremely simple in the code, and avoid using async which would be needed (very messy still for a recovery/migration that shouldn't happen ever again), it is going to still fail but with a different QSP... e.g. offload it to the user... then they can try again with their newly saved/migrated/recovered hash.

I'm currently anonymously auditing the other strategies in case there is a similar potential issue. (if you want to view it do git diff on clone 1). You're the expert if you can fill out the rest of the below list but I don't expect you to recall back that far,,, hence the audit. :)

• Steam of course does contain a secure/unsecure reference
• Google has an array and doesn't contain a secure/unsecure reference
• Github of course isn't hashed and doesn't contain a secure/unsecure reference
• Twitter doesn't contain a secure/unsecure reference
• Facebook doesn't contain a secure/unsecure reference
• Reddit doesn't contain a secure/unsecure reference
• Imgur... doesn't contain a secure/unsecure reference
• AOL ... Dep/site failure... removed in *passport-aol* failing #1369
• Yahoo... DOES CONTAIN secure reference.

Just need the rest of the auths now but that can be whenever someone signs in

• GitLab... doesn't contain a secure/unsecure reference

[Martii]

Ref:

• https://steamcommunity.com/discussions/forum/10/1458455461480324749/?ctp=18#c1696043806558481203 for about April 5th, 2018. Too bad they aren't open source and/or didn't announce it on their Twitter feed. we could pin it down almost to the time they deployed. Will do a stats check to see what was made with Steam after that.

[Martii]

My steam account migrated/recovered well on pro... So if the users on OUJS are observing this issue and have an existing steam account please login it even if it's just for a moment. This is a two time login migration/recovery. Single would have entailed a rather large rewrite and the recovery won't be in there forever imho. e.g. it has at least 6 months before it should be removed to allow those users to recover during that time.

I would like to have a few days (and see some users doing it in stdout) before turning off readonly for new/attached steam accounts.

[Martii]

11 days and not a single Steam user migrating? I have seen some of the users logged in that have it as an alternate but they haven't bothered yet.

For pro reference:

• https://openuserjs.org/announcements/Steam_Authentication_Recovery_Migration

Tick tock, tick tock... 😸

[Martii]

Finally one user migrated besides me... not a very used passport.

[Martii]

Still only myself and one other that has recovered their Steam auth... as of today...

[Martii]

Closing but mitigation label still active.