
Login fails with "For security, this session has been signed out" #25703

Closed
richvdh opened this issue Jul 3, 2023 · 7 comments · Fixed by matrix-org/matrix-react-sdk#11207
Labels: O-Occasional (Affects or can be seen by some users regularly or most users rarely), S-Minor (Impairs non-critical functionality or suitable workarounds exist), T-Defect

Comments

@richvdh
Member

richvdh commented Jul 3, 2023

Steps to reproduce

  1. Start with an active session on an account on matrix.org
  2. Opt in to analytics
  3. Invalidate that session somehow from outside the client (eg by logging out from another device)
  4. Attempt to log into an account on another homeserver
  5. wait

Outcome

What did you expect?

Client is successfully logged in to new account

What happened instead?

[screenshot]

Operating system

Ubuntu 22.04

Browser information

Firefox 111.0

URL for webapp

https://develop.element.io

Application version

No response

Homeserver

sw1v.org

Will you send logs?

No

@t3chguy
Member

t3chguy commented Jul 3, 2023

Related #13005 #15619

@richvdh
Member Author

richvdh commented Jul 3, 2023

This seems to be a problem in the PosthogAnalytics code. PosthogAnalytics.updateAnonymityFromSettings is being called with the old MatrixClient, which obviously presents an invalid access token.

It's rather troubling from the security point of view that we're hanging onto an old MatrixClient with the corresponding account details despite telling the user that we've been logged out.

@weeman1337
Contributor

Unfortunately, I cannot reproduce this. I've signed in using app.element.io and development.element.io. Then I've signed out my development session from app. At this point I saw the dialog from the description "Signed Out…". I was then able to switch the homeserver and log in with a different account. Didn't see the dialog again.

@richvdh can you validate the steps to reproduce and possibly update them?

@richvdh
Member Author

richvdh commented Jul 4, 2023

One thing that might be necessary is opting into pseudonymous analytics. I have this in my account data:

{
  "type": "im.vector.analytics",
  "content": {
    "id": "c7b1e66e-9b3d-41e6-88ca-d6f3ca6e5fe2",
    "pseudonymousAnalyticsOptIn": true
  }
}

What I notice is that, after being logged out in this way, SettingsStore still has registered watchers for pseudonymousAnalyticsOptIn:

Array.from(mxSettingsStore.watchers.entries()).filter(([k,v])=>k.search("pseudonymousAnalyticsOptIn")>=0)

->

0: Array [ "1688467641100_15_pseudonymousAnalyticsOptIn_null", localizedCallback(changedInRoomId, atLevel, newValAtLevel) ]
1: Array [ "1688467646504_18_pseudonymousAnalyticsOptIn_null", localizedCallback(changedInRoomId, atLevel, newValAtLevel) ]
2: Array [ "1688468704319_692_pseudonymousAnalyticsOptIn_null", localizedCallback(changedInRoomId, atLevel, newValAtLevel) ]
3: Array [ "1688468705035_695_pseudonymousAnalyticsOptIn_null", localizedCallback(changedInRoomId, atLevel, newValAtLevel) ]

and of course those listeners still have the old MatrixClient in their closure.
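The watcher leak described in this comment, modelled as an added example (not matrix-react-sdk code: `FakeSettingsStore`, `FakeAnalytics` and `replay` are stand-ins, and the token values are constructed). Registering the same watcher once per login and toggling whether logout unwatches it shows why a callback created for the first session keeps presenting that session's token after the user has been signed out.

```javascript
// Simplified model (not matrix-react-sdk code) of the retention problem described
// above: a settings watcher registered by an analytics component keeps the
// MatrixClient it closed over until someone unwatches it.

// Minimal watcher registry keyed like the entries dumped in the comment above:
// "<timestamp>_<counter>_<settingName>_<roomId>".
class FakeSettingsStore {
  watchers = new Map();
  counter = 0;

  watchSetting(name, roomId, cb) {
    const ref = `${Date.now()}_${++this.counter}_${name}_${roomId}`;
    this.watchers.set(ref, cb);
    return ref;
  }

  unwatchSetting(ref) {
    this.watchers.delete(ref);
  }

  // Fire every watcher for a global (roomId null) setting, as a change would.
  notify(name, newValue) {
    this.watchers.forEach((cb, ref) => {
      if (ref.endsWith(`_${name}_null`)) cb(name, newValue);
    });
  }
}

// Hypothetical analytics component. `unwatchOnLogout` selects the buggy
// behaviour (watcher outlives logout) or the fixed one (watcher removed).
class FakeAnalytics {
  refs = [];
  tokensSent = []; // access tokens that would have reached the server

  constructor(store, unwatchOnLogout) {
    this.store = store;
    this.unwatchOnLogout = unwatchOnLogout;
  }

  // `client` stands in for a logged-in MatrixClient; only its token matters here.
  init(client) {
    const cb = () => this.tokensSent.push(client.accessToken); // closes over client
    this.refs.push(this.store.watchSetting("pseudonymousAnalyticsOptIn", null, cb));
  }

  logout() {
    if (!this.unwatchOnLogout) return;
    this.refs.forEach((ref) => this.store.unwatchSetting(ref));
    this.refs = [];
  }
}

// Replays the reported sequence (log in, get signed out, log in elsewhere, a
// settings change fires) and reports how many watchers survive and how often
// the first session's now-invalid token is still presented.
function replay(unwatchOnLogout) {
  const store = new FakeSettingsStore();
  const analytics = new FakeAnalytics(store, unwatchOnLogout);
  analytics.init({ accessToken: "old-token" }); // constructed sample token
  analytics.logout(); // session invalidated from another device
  analytics.init({ accessToken: "new-token" });
  store.notify("pseudonymousAnalyticsOptIn", true);
  const staleUses = analytics.tokensSent.filter((t) => t === "old-token").length;
  return { watchers: store.watchers.size, staleUses };
}
```

With `unwatchOnLogout` false the stale watcher survives and the old token is sent once; with it true only the new session's watcher remains.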

@weeman1337
Contributor

Can reproduce. Added the analytics opt in to the description.

@weeman1337 weeman1337 added S-Major Severely degrades major functionality or product features, with no satisfactory workaround O-Occasional Affects or can be seen by some users regularly or most users rarely O-Uncommon Most users are unlikely to come across this or unexpected workflow S-Minor Impairs non-critical functionality or suitable workarounds exist and removed X-Cannot-Reproduce O-Occasional Affects or can be seen by some users regularly or most users rarely S-Major Severely degrades major functionality or product features, with no satisfactory workaround labels Jul 4, 2023
@weeman1337
Contributor

Marked this as S-Minor because it can be worked around with reload.
O-Occasional because you need to opt in to analytics and switch accounts with the same browser window.

@richvdh
Member Author

richvdh commented Jul 4, 2023

I don't think it's necessary to switch accounts, actually. All you need is to be opted into analytics (not that uncommon, hopefully?) and to try to log in after being logged out.

@richvdh richvdh added O-Occasional Affects or can be seen by some users regularly or most users rarely and removed O-Uncommon Most users are unlikely to come across this or unexpected workflow labels Jul 4, 2023
@t3chguy t3chguy self-assigned this Jul 7, 2023
su-ex added a commit to SchildiChat/element-desktop that referenced this issue Feb 24, 2024
* Fixes for [CVE-2023-37259](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2023-37259) / [GHSA-c9vx-2g7w-rp65](GHSA-c9vx-2g7w-rp65)
* Deprecate customisations in favour of Module API ([\#25736](element-hq/element-web#25736)). Fixes element-hq/element-web#25733.
* OIDC: store initial screen in session storage  ([\#25688](element-hq/element-web#25688)). Fixes element-hq/element-web#25656. Contributed by @kerryarchibald.
* Allow default_server_config as a fallback config ([\#25682](element-hq/element-web#25682)). Contributed by @ShadowRZ.
* OIDC: remove auth params from url after login attempt ([\#25664](element-hq/element-web#25664)). Contributed by @kerryarchibald.
* feat(faq): remove keyboard shortcuts button ([\#9342](matrix-org/matrix-react-sdk#9342)). Fixes element-hq/element-web#22625. Contributed by @gefgu.
* GYU: Update banner ([\#11211](matrix-org/matrix-react-sdk#11211)). Fixes element-hq/element-web#25530. Contributed by @justjanne.
* Linkify mxc:// URLs as links to your media repo ([\#11213](matrix-org/matrix-react-sdk#11213)). Fixes element-hq/element-web#6942.
* OIDC: Log in ([\#11199](matrix-org/matrix-react-sdk#11199)). Fixes element-hq/element-web#25657. Contributed by @kerryarchibald.
* Handle all permitted url schemes in linkify ([\#11215](matrix-org/matrix-react-sdk#11215)). Fixes element-hq/element-web#4457 and element-hq/element-web#8720.
* Autoapprove Element Call oidc requests ([\#11209](matrix-org/matrix-react-sdk#11209)). Contributed by @toger5.
* Allow creating knock rooms ([\#11182](matrix-org/matrix-react-sdk#11182)). Contributed by @charlynguyen.
* Expose and pre-populate thread ID in devtools dialog ([\#10953](matrix-org/matrix-react-sdk#10953)).
* Hide URL preview if it will be empty ([\#9029](matrix-org/matrix-react-sdk#9029)).
* Change wording from avatar to profile picture ([\#7015](matrix-org/matrix-react-sdk#7015)). Fixes element-hq/element-meta#1331. Contributed by @aaronraimist.
* Quick and dirty devtool to explore state history ([\#11197](matrix-org/matrix-react-sdk#11197)).
* Consider more user inputs when calculating zxcvbn score ([\#11180](matrix-org/matrix-react-sdk#11180)).
* GYU: Account Notification Settings ([\#11008](matrix-org/matrix-react-sdk#11008)). Fixes element-hq/element-web#24567. Contributed by @justjanne.
* Compound Typography pass ([\#11103](matrix-org/matrix-react-sdk#11103)). Fixes element-hq/element-web#25548.
* OIDC: navigate to authorization endpoint ([\#11096](matrix-org/matrix-react-sdk#11096)). Fixes element-hq/element-web#25574. Contributed by @kerryarchibald.
* Fix read receipt sending behaviour around thread roots ([\#3600](matrix-org/matrix-js-sdk#3600)).
* Fix missing metaspace notification badges ([\#11269](matrix-org/matrix-react-sdk#11269)). Fixes element-hq/element-web#25679.
* Make checkboxes less rounded ([\#11224](matrix-org/matrix-react-sdk#11224)). Contributed by @andybalaam.
* GYU: Fix issues with audible keywords without activated mentions ([\#11218](matrix-org/matrix-react-sdk#11218)). Contributed by @justjanne.
* PosthogAnalytics unwatch settings on logout ([\#11207](matrix-org/matrix-react-sdk#11207)). Fixes element-hq/element-web#25703.
* Avoid trying to set room account data for pinned events as guest ([\#11216](matrix-org/matrix-react-sdk#11216)). Fixes element-hq/element-web#6300.
* GYU: Disable sound for DMs checkbox when DM notifications are disabled ([\#11210](matrix-org/matrix-react-sdk#11210)). Contributed by @justjanne.
* force to allow calls without video and audio in embedded mode ([\#11131](matrix-org/matrix-react-sdk#11131)). Contributed by @EnricoSchw.
* Fix room tile text clipping ([\#11196](matrix-org/matrix-react-sdk#11196)). Fixes element-hq/element-web#25718.
* Handle newlines in user pills ([\#11166](matrix-org/matrix-react-sdk#11166)). Fixes element-hq/element-web#10994.
* Limit width of user menu in space panel ([\#11192](matrix-org/matrix-react-sdk#11192)). Fixes element-hq/element-web#22627.
* Add isLocation to ComposerEvent analytics events ([\#11187](matrix-org/matrix-react-sdk#11187)). Contributed by @andybalaam.
* Fix: hide unsupported login elements ([\#11185](matrix-org/matrix-react-sdk#11185)). Fixes element-hq/element-web#25711. Contributed by @kerryarchibald.
* Scope smaller font size to user info panel ([\#11178](matrix-org/matrix-react-sdk#11178)). Fixes element-hq/element-web#25683.
* Apply i18n to strings in the html export ([\#11176](matrix-org/matrix-react-sdk#11176)).
* Inhibit url previews on MXIDs containing slashes same as those without ([\#11160](matrix-org/matrix-react-sdk#11160)).
* Make event info size consistent with state events ([\#11181](matrix-org/matrix-react-sdk#11181)).
* Fix markdown content spacing ([\#11177](matrix-org/matrix-react-sdk#11177)). Fixes element-hq/element-web#25685.
* Fix font-family definition for emojis ([\#11170](matrix-org/matrix-react-sdk#11170)). Fixes element-hq/element-web#25686.
* Fix spurious error sending receipt in thread errors ([\#11157](matrix-org/matrix-react-sdk#11157)).
* Consider the empty push rule actions array equiv to deprecated dont_notify ([\#11155](matrix-org/matrix-react-sdk#11155)). Fixes element-hq/element-web#25674.
* Only trap escape key for cancel reply if there is a reply ([\#11140](matrix-org/matrix-react-sdk#11140)). Fixes element-hq/element-web#25640.
* Update linkify to 4.1.1 ([\#11132](matrix-org/matrix-react-sdk#11132)). Fixes element-hq/element-web#23806.
su-ex added a commit to SchildiChat/element-web that referenced this issue Feb 24, 2024
su-ex added a commit to SchildiChat/matrix-react-sdk that referenced this issue Feb 24, 2024