
Bot detection prevents login in some cases #604

Closed · morganlutz opened this issue Dec 16, 2020 · 5 comments

Labels: closed:stale (Issue or PR has not seen activity recently), waiting for customer (This issue is waiting for a response from the issue or PR author)

Comments

@morganlutz (Contributor)

Describe the problem

After enabling bot detection in dev and testing the behavior, I am able to get into a scenario where I continually receive this error message when trying to log in: "Session is too old, login required". Repeated attempts to log in show the same error message. I am not sure if this is due to my test setup or if it is an actual issue.

What was the expected behavior?

Login with bot detection enabled should show the universal login page with a CAPTCHA challenge.

Reproduction

The setup for this is a bit involved:

  • Enable bot detection in the auth0 dashboard
  • Replace all user agent headers with BadBadUserAgent to trigger bot detection (I do this with Charles Proxy)
  • Attempt to log in and complete the universal login flow with the CAPTCHA challenge
  • Log out / close the app
  • Wait until the web session has expired
  • Attempt to log in again; you should see the error message "Session is too old, login required". All login attempts fail.

(screenshot: mobile-session-expired)

Environment

Lock.Android v2.23.0
Auth0.Android v2.29.0

@lbalmaceda (Contributor)

Hi Morgan 👋 , apologies for missing this one.

I couldn't find any reference to "Session is too old, login required" on our side. Given that this is a recently added feature, it might be that it wasn't documented yet in the Auth0 docs.
I saw the PR linked above is working around this by using an ephemeral session (not keeping the browser cookie). That, unfortunately, wouldn't be possible on Android, as the browser app is outside our library's domain.

Are you still running into this issue? If so, let me know and I'll try to reproduce later and raise it with the corresponding team.

@lbalmaceda lbalmaceda added the waiting for customer This issue is waiting for a response from the issue or PR author label Feb 23, 2021
@morganlutz (Contributor, Author)

Hey @lbalmaceda! I think the error in this case could be anything, really. When we get a fatal error after pulling the current user session, I would expect that the user could attempt to re-login afterwards. The current flow just locks the user out of logging in until they clear their web session. We shared these issues with the support team.

Because of this and another related error, we decided to clear the current user's session before launching login with CAPTCHA by using WebProvider#logout. So we were able to push out this update and can finally turn on bot detection.
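The workaround described above, written out as an added Kotlin example; this is not code from the issue author or from the Auth0 SDK, and it assumes the Auth0.Android 2.x Kotlin `Callback` API, a placeholder client id/domain, and the callback scheme "demo":

```kotlin
// Added example, not from the issue or the Auth0 SDK docs. Assumes the Auth0.Android 2.x
// Kotlin API; the scheme "demo" and the client id / domain below are placeholders.
import android.app.Activity
import com.auth0.android.Auth0
import com.auth0.android.authentication.AuthenticationException
import com.auth0.android.callback.Callback
import com.auth0.android.provider.WebAuthProvider
import com.auth0.android.result.Credentials

class BotDetectionLogin(private val activity: Activity) {
    // Placeholders: replace with the tenant's client id and domain.
    private val account = Auth0("YOUR_CLIENT_ID", "YOUR_DOMAIN.auth0.com")

    // Step 1: end the browser (SSO) session first so Universal Login does not try to
    // reuse a stale session that the server rejects with "Session is too old".
    // Step 2: only then launch Universal Login, which presents the CAPTCHA
    // challenge when bot detection fires.
    fun login(onResult: (Result<Credentials>) -> Unit) {
        WebAuthProvider.logout(account)
            .withScheme("demo")
            .start(activity, object : Callback<Void?, AuthenticationException> {
                override fun onSuccess(result: Void?) = startLogin(onResult)

                // A logout failure (for example the user cancelling the browser tab)
                // must not lock the user out: fall through to the login attempt anyway.
                override fun onFailure(error: AuthenticationException) = startLogin(onResult)
            })
    }

    private fun startLogin(onResult: (Result<Credentials>) -> Unit) {
        WebAuthProvider.login(account)
            .withScheme("demo")
            .withScope("openid profile email")
            .start(activity, object : Callback<Credentials, AuthenticationException> {
                override fun onSuccess(result: Credentials) = onResult(Result.success(result))
                override fun onFailure(error: AuthenticationException) =
                    onResult(Result.failure(error))
            })
    }
}
```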

@lbalmaceda (Contributor)

Thanks for the additional details 😊 Do you mind sharing the support tickets or any other reference you have, so I can find more context locally? I want to ensure this is how the Bot Detection feature is supposed to work in this scenario or raise a bit more visibility otherwise.

@morganlutz (Contributor, Author)

This was the support ticket: https://support.auth0.com/tickets/00474936. We didn't continue to work with support since we came up with our own solution. In our meeting with the support team we spoke with Anna Franceschelli, Noel Thompson, and Ian Hassard.

Ideally we would like to see:

  • User logs in with the mobile app
  • CAPTCHA is required, so they are sent to the universal login screen
  • If universal login based on the current user session fails, the user should be allowed to attempt to log in again from universal login instead of being kicked back to the app.

Ian mentioned that using the native SDK for Google's reCAPTCHA was not supported due to security concerns.

@stale (bot) commented Jun 2, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response from our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇‍♂️

@stale stale bot added the closed:stale Issue or PR has not seen activity recently label Jun 2, 2021
@stale stale bot closed this as completed Jun 9, 2021