Facebook Auth: Error 101 "Facebook auth is invalid for this user"

[penultimate-labs]

I believe there's a bug in 2.1.0 with the RestWrite.js -> facebook.js data path. The validateAppId function in facebook.js assumes a passing of the literal access_token (String) but what's actually passed is an authData structure within which lives a key called "access_token".. so facebook.js should actually be trying to append access_token.access_token to the graph request, and not just access_token. More appropriately, the access_token argument of facebook.js:validateAppId should be renamed to authData and subsequently authData.access_token for the string builder contained within. As it is for the validateAuthData function above it.

[penultimate-labs]

Ok, this is still an issue. There are two facebook.js files, one in oauth and one in the general /lib folder . The one in oauth reflects this problem, and at least on my local deployment, is the one being called.

[nitrag]

@flovilmart

[flovilmart]

@penultimate-labs @nitrag There is a proposal here #478 Can you check if it reproduces?

[drew-gross]

#478 should fix this. Please re-open if it doesn't.

[absolutlabs]

still receiving Facebook auth is invalid for this user :/

[flovilmart]

@absolutlabs what version are you using? How is your parse-server configured? Please also consider running the server with VERBOSE=1 so you can provide the trace of network requests.

[absolutlabs]

Hello
Thanks for your help

I'm using the parse-server-example on Heroku

package.json :

{
  "name": "parse-server-example",
  "version": "1.0.0",
  "description": "An example Parse API server using the parse-server module",
  "main": "index.js",
  "repository": {
    "type": "git",
    "url": "https://github.com/ParsePlatform/parse-server-example"
  },
  "license": "MIT",
  "dependencies": {
    "express": "~4.2.x",
    "kerberos": "~0.0.x",
    "parse": "~1.6.14",
    "parse-server": "latest"
  },
  "scripts": {
    "start": "node index.js"
  },
  "engines": {
    "node": ">=4.1"
  }
}

node_modules_cache is disabled (heroku config:set NODE_MODULES_CACHE=false, is it correct ?)

index.js :

var api = new ParseServer({
  databaseURI: process.env.DATABASE_URI,
  cloud: __dirname + '/cloud/main.js',
  appId: process.env.APP_ID,
  masterKey: process.env.MASTER_KEY,
  clientKey: process.env.CLIENT_KEY,
  serverURL : 'https://deuxpointzero.herokuapp.com/parse',
  facebookAppIds : '698426340294778',
  oauth : {
   facebook: {
     appIds: '698426340294778'
    }
  }
});

[flovilmart]

@absolutlabs I'm not sure latest would pick the github master version. Could you try replace "parse-server": "latest" by "parse-server": "git://github.com/parseplatform/parse-server#master"

or "parse-server": "parseplatform/parse-server#master"
or "parse-server": "parseplatform/parse-server"

For more info on github URL's see here

Also it seems that your parse package version is out of date, please use ~1.7.0

Secondly, are you FacebookAppIds valid and was the auth token acquired with that app ID?

[absolutlabs]

Heroku now fails to launch the app after deploying with one of the parse-server addresses you suggested:

Error: Cannot find module 'parse-server'
    at Function.Module._resolveFilename (module.js:339:15)
    at Function.Module._load (module.js:290:25)
    at Module.require (module.js:367:17)
    at require (internal/module.js:16:19)
    at Object.<anonymous> (/app/index.js:4:19)
    at Module._compile (module.js:413:34)
    at Object.Module._extensions..js (module.js:422:10)
    at Module.load (module.js:357:32)
    at Function.Module._load (module.js:314:12)
    at Function.Module.runMain (module.js:447:10)

FacebookAppIds was working great before migrating to heroku + mongolab.
Before 2.1.0, login with FB worked but after a fetch on user, token became invalid ( #427 & #373 ) .

Build logs, in case it could help :

remote: Compressing source files... done.
remote: Building source:
remote: 
remote: -----> Using set buildpack heroku/nodejs
remote: -----> Node.js app detected
remote: 
remote: -----> Creating runtime environment
remote:        
remote:        NPM_CONFIG_LOGLEVEL=error
remote:        NPM_CONFIG_PRODUCTION=true
remote:        NODE_ENV=production
remote:        NODE_MODULES_CACHE=false
remote: 
remote: -----> Installing binaries
remote:        engines.node (package.json):  >=4.1
remote:        engines.npm (package.json):   unspecified (use default)
remote:        
remote:        Resolving node version >=4.1 via semver.io...
remote:        Downloading and installing node 5.6.0...
remote:        Using default npm version: 3.6.0
remote: 
remote: -----> Restoring cache
remote:        Skipping cache restore (disabled by config)
remote: 
remote: -----> Building dependencies
remote:        Pruning any extraneous modules
remote:        Installing node modules (package.json)
remote:        
remote:        > kerberos@0.0.18 install /tmp/build_3b87c0c6b4e66823ca6f4e355fc1bc30/node_modules/kerberos
remote:        > (node-gyp rebuild) || (exit 0)
remote:        
remote:        make: Entering directory `/tmp/build_3b87c0c6b4e66823ca6f4e355fc1bc30/node_modules/kerberos/build'
remote:        CXX(target) Release/obj.target/kerberos/lib/kerberos.o
remote:        CXX(target) Release/obj.target/kerberos/lib/worker.o
remote:        CC(target) Release/obj.target/kerberos/lib/kerberosgss.o
remote:        ../lib/kerberosgss.c:36:0: warning: ignoring #pragma clang diagnostic [-Wunknown-pragmas]
remote:        #pragma clang diagnostic push
remote:        ^
remote:        ../lib/kerberosgss.c:37:0: warning: ignoring #pragma clang diagnostic [-Wunknown-pragmas]
remote:        #pragma clang diagnostic ignored "-Wdeprecated-declarations"
remote:        ^
remote:        ../lib/kerberosgss.c: In function ‘authenticate_gss_client_wrap’:
remote:        ../lib/kerberosgss.c:362:19: warning: variable ‘server_conf_flags’ set but not used [-Wunused-but-set-variable]
remote:        char buf[4096], server_conf_flags;
remote:        ^
remote:        ../lib/kerberosgss.c: At top level:
remote:        ../lib/kerberosgss.c:930:0: warning: ignoring #pragma clang diagnostic [-Wunknown-pragmas]
remote:        #pragma clang diagnostic pop
remote:        ^
remote:        CC(target) Release/obj.target/kerberos/lib/base64.o
remote:        CXX(target) Release/obj.target/kerberos/lib/kerberos_context.o
remote:        SOLINK_MODULE(target) Release/obj.target/kerberos.node
remote:        COPY Release/kerberos.node
remote:        make: Leaving directory `/tmp/build_3b87c0c6b4e66823ca6f4e355fc1bc30/node_modules/kerberos/build'
remote:        parse-server-example@1.0.0 /tmp/build_3b87c0c6b4e66823ca6f4e355fc1bc30
remote:        ├─┬ express@4.2.0
remote:        │ ├─┬ accepts@1.0.1
remote:        │ │ ├── mime@1.2.11
remote:        │ │ └── negotiator@0.4.9
remote:        │ ├── buffer-crc32@0.2.1
remote:        │ ├── cookie@0.1.2
remote:        │ ├── cookie-signature@1.0.3
remote:        │ ├── debug@0.8.1
remote:        │ ├── escape-html@1.0.1
remote:        │ ├── fresh@0.2.2
remote:        │ ├── merge-descriptors@0.0.2
remote:        │ ├── methods@1.0.0
remote:        │ ├── parseurl@1.0.1
remote:        │ ├── path-to-regexp@0.1.2
remote:        │ ├── qs@0.6.6
remote:        │ ├── range-parser@1.0.0
remote:        │ ├─┬ send@0.3.0
remote:        │ │ └── debug@0.8.0
remote:        │ ├── serve-static@1.1.0
remote:        │ ├── type-is@1.1.0
remote:        │ └── utils-merge@1.0.0
remote:        ├─┬ kerberos@0.0.18
remote:        │ └── nan@2.0.9
remote:        ├─┬ parse@1.7.1
remote:        │ ├─┬ babel-runtime@5.8.35
remote:        │ │ └── core-js@1.2.6
remote:        │ └── xmlhttprequest@1.8.0
remote:        └─┬ parse-server@2.1.0  (git://github.com/parseplatform/parse-server.git#ba68acfb0d63dd6d101a245926d14cae1c9db1a9)
remote:        ├─┬ apn@1.7.5
remote:        │ ├─┬ debug@2.2.0
remote:        │ │ └── ms@0.7.1
remote:        │ ├── node-forge@0.6.39
remote:        │ └── q@1.4.1
remote:        ├─┬ aws-sdk@2.2.36
remote:        │ ├── sax@1.1.5
remote:        │ ├── xml2js@0.4.16
remote:        │ └─┬ xmlbuilder@4.2.1
remote:        │   └── lodash@4.5.0
remote:        ├── babel-runtime@6.5.0
remote:        ├── bcrypt-nodejs@0.0.3
remote:        ├─┬ body-parser@1.15.0
remote:        │ ├── bytes@2.2.0
remote:        │ ├── content-type@1.0.1
remote:        │ ├── debug@2.2.0
remote:        │ ├── depd@1.1.0
remote:        │ ├─┬ http-errors@1.4.0
remote:        │ │ ├── inherits@2.0.1
remote:        │ │ └── statuses@1.2.1
remote:        │ ├── iconv-lite@0.4.13
remote:        │ ├─┬ on-finished@2.3.0
remote:        │ │ └── ee-first@1.1.1
remote:        │ ├── qs@6.1.0
remote:        │ ├─┬ raw-body@2.1.5
remote:        │ │ └── unpipe@1.0.0
remote:        │ └─┬ type-is@1.6.11
remote:        │   └── media-typer@0.3.0
remote:        ├── deepcopy@0.6.1
remote:        ├─┬ express@4.13.4
remote:        │ ├─┬ accepts@1.2.13
remote:        │ │ └── negotiator@0.5.3
remote:        │ ├── array-flatten@1.1.1
remote:        │ ├── content-disposition@0.5.1
remote:        │ ├── cookie@0.1.5
remote:        │ ├── cookie-signature@1.0.6
remote:        │ ├── debug@2.2.0
remote:        │ ├── escape-html@1.0.3
remote:        │ ├── etag@1.7.0
remote:        │ ├─┬ finalhandler@0.4.1
remote:        │ │ ├── debug@2.2.0
remote:        │ │ └── escape-html@1.0.3
remote:        │ ├── fresh@0.3.0
remote:        │ ├── merge-descriptors@1.0.1
remote:        │ ├── methods@1.1.2
remote:        │ ├── parseurl@1.3.1
remote:        │ ├── path-to-regexp@0.1.7
remote:        │ ├─┬ proxy-addr@1.0.10
remote:        │ │ ├── forwarded@0.1.0
remote:        │ │ └── ipaddr.js@1.0.5
remote:        │ ├── qs@4.0.0
remote:        │ ├── range-parser@1.0.3
remote:        │ ├─┬ send@0.13.1
remote:        │ │ ├── destroy@1.0.4
remote:        │ │ └── http-errors@1.3.1
remote:        │ ├── serve-static@1.10.2
remote:        │ ├── type-is@1.6.11
remote:        │ └── vary@1.0.1
remote:        ├── mime@1.3.4
remote:        ├─┬ mongodb@2.1.7
remote:        │ ├── es6-promise@3.0.2
remote:        │ ├─┬ mongodb-core@1.3.1
remote:        │ │ ├── bson@0.4.21
remote:        │ │ └─┬ require_optional@1.0.0
remote:        │ │   ├── resolve-from@2.0.0
remote:        │ │   └── semver@5.1.0
remote:        │ └─┬ readable-stream@1.0.31
remote:        │   ├── core-util-is@1.0.2
remote:        │   ├── isarray@0.0.1
remote:        │   └── string_decoder@0.10.31
remote:        ├─┬ multer@1.1.0
remote:        │ ├── append-field@0.1.0
remote:        │ ├─┬ busboy@0.2.12
remote:        │ │ ├─┬ dicer@0.2.5
remote:        │ │ │ ├── readable-stream@1.1.13
remote:        │ │ │ └── streamsearch@0.1.2
remote:        │ │ └── readable-stream@1.1.13
remote:        │ ├─┬ concat-stream@1.5.1
remote:        │ │ ├─┬ readable-stream@2.0.5
remote:        │ │ │ ├── process-nextick-args@1.0.6
remote:        │ │ │ └── util-deprecate@1.0.2
remote:        │ │ └── typedarray@0.0.6
remote:        │ ├─┬ mkdirp@0.5.1
remote:        │ │ └── minimist@0.0.8
remote:        │ ├── object-assign@3.0.0
remote:        │ ├── type-is@1.6.11
remote:        │ └── xtend@4.0.1
remote:        ├─┬ node-gcm@0.14.0
remote:        │ └── lodash@3.10.1
remote:        ├─┬ request@2.69.0
remote:        │ ├── aws-sign2@0.6.0
remote:        │ ├─┬ aws4@1.2.1
remote:        │ │ └── lru-cache@2.7.3
remote:        │ ├─┬ bl@1.0.3
remote:        │ │ └── readable-stream@2.0.5
remote:        │ ├── caseless@0.11.0
remote:        │ ├─┬ combined-stream@1.0.5
remote:        │ │ └── delayed-stream@1.0.0
remote:        │ ├── extend@3.0.0
remote:        │ ├── forever-agent@0.6.1
remote:        │ ├─┬ form-data@1.0.0-rc3
remote:        │ │ └── async@1.5.2
remote:        │ ├─┬ har-validator@2.0.6
remote:        │ │ ├─┬ chalk@1.1.1
remote:        │ │ │ ├── ansi-styles@2.1.0
remote:        │ │ │ ├── escape-string-regexp@1.0.4
remote:        │ │ │ ├─┬ has-ansi@2.0.0
remote:        │ │ │ │ └── ansi-regex@2.0.0
remote:        │ │ │ ├── strip-ansi@3.0.0
remote:        │ │ │ └── supports-color@2.0.0
remote:        │ │ ├─┬ commander@2.9.0
remote:        │ │ │ └── graceful-readlink@1.0.1
remote:        │ │ ├─┬ is-my-json-valid@2.13.0
remote:        │ │ │ ├── generate-function@2.0.0
remote:        │ │ │ ├─┬ generate-object-property@1.2.0
remote:        │ │ │ │ └── is-property@1.0.2
remote:        │ │ │ └── jsonpointer@2.0.0
remote:        │ │ └─┬ pinkie-promise@2.0.0
remote:        │ │   └── pinkie@2.0.4
remote:        │ ├─┬ hawk@3.1.3
remote:        │ │ ├── boom@2.10.1
remote:        │ │ ├── cryptiles@2.0.5
remote:        │ │ ├── hoek@2.16.3
remote:        │ │ └── sntp@1.0.9
remote:        │ ├─┬ http-signature@1.1.1
remote:        │ │ ├── assert-plus@0.2.0
remote:        │ │ ├─┬ jsprim@1.2.2
remote:        │ │ │ ├── extsprintf@1.0.2
remote:        │ │ │ ├── json-schema@0.2.2
remote:        │ │ │ └── verror@1.3.6
remote:        │ │ └─┬ sshpk@1.7.4
remote:        │ │   ├── asn1@0.2.3
remote:        │ │   ├─┬ dashdash@1.13.0
remote:        │ │   │ └── assert-plus@1.0.0
remote:        │ │   ├── ecc-jsbn@0.1.1
remote:        │ │   ├── jodid25519@1.0.2
remote:        │ │   ├── jsbn@0.1.0
remote:        │ │   └── tweetnacl@0.13.3
remote:        │ ├── is-typedarray@1.0.0
remote:        │ ├── isstream@0.1.2
remote:        │ ├── json-stringify-safe@5.0.1
remote:        │ ├─┬ mime-types@2.1.10
remote:        │ │ └── mime-db@1.22.0
remote:        │ ├── node-uuid@1.4.7
remote:        │ ├── oauth-sign@0.8.1
remote:        │ ├── qs@6.0.2
remote:        │ ├── stringstream@0.0.5
remote:        │ ├── tough-cookie@2.2.1
remote:        │ └── tunnel-agent@0.4.2
remote:        └─┬ winston@2.1.1
remote:        ├── async@1.0.0
remote:        ├── colors@1.0.3
remote:        ├── cycle@1.0.3
remote:        ├── eyes@0.1.8
remote:        ├── pkginfo@0.3.1
remote:        └── stack-trace@0.0.9
remote:        
remote: 
remote: -----> Caching build
remote:        Clearing previous node cache
remote:        Skipping cache save (disabled by config)
remote: 
remote: -----> Build succeeded!
remote:        ├── express@4.2.0
remote:        ├── kerberos@0.0.18
remote:        ├── parse@1.7.1
remote:        └── parse-server@2.1.0 (git://github.com/parseplatform/parse-server.git#ba68acfb0d63dd6d101a245926d14cae1c9db1a9)
remote:        
remote: 
remote: -----> Discovering process types
remote:        Procfile declares types     -> (none)
remote:        Default types for buildpack -> web
remote: 
remote: -----> Compressing...
remote:        Done: 17.3M
remote: -----> Launching...
remote:        Released v45
remote:        https://deuxpointzero.herokuapp.com/ deployed to Heroku
remote: 
remote: Verifying deploy.... done.
To https://git.heroku.com/deuxpointzero.git
   ccdbaf6..11f7b2f  master -> master

thanks

[flovilmart]

It seems that npm build is not run upon deployment to generate the lib directory.

[nitrag]

Same error with AWS... :(

[flovilmart]

@nitrag the Facebook auth error?

[nitrag]

No sorry, well, I'm still having that issue too but I am hoping it will be
solved with some of the latest commits. I was referring to AWS NodeJS
server pulling the absolute latest and greatest from github via your
suggestion of putting the url in package.json. It seems that AWS (like
Heroku for OP) doesn't support this.

I'll just wait until tomorrow for the next npm release.

On Thu, Feb 18, 2016 at 11:30 PM, Florent Vilmart notifications@github.com
wrote:

@nitrag https://github.com/nitrag the Facebook auth error?

—
Reply to this email directly or view it on GitHub
#475 (comment)
.

[absolutlabs]

Everything works well with 2.1.2 (session token and FB oauth)
Problem solved ! Thanks :)

[flovilmart]

@absolutlabs good to hear! Cheers!

[Gegham]

@flovilmart @absolutlabs In my project I'm using parse-server version 2.1.6 and still getting the same error: "Facebook auth is invalid for this user".

Can someone help me to achieve it.

[flovilmart]

@Gegham what client are you using?

[Gegham]

@flovilmart I'm using parse-server in Node.js

[flovilmart]

I mean to log/link your user in? Did you properly configure ParseServer with facebookAppIds as described here?

[Gegham]

Oh, I'm using iOS SDK. Yes I've implemented it as described in docs. Please review :

var api = new ParseServer({
databaseURI: 'mongodb://localhost:27017/HelpIn',
cloud: 'C:/inetpub/wwwroot/HelpIn/cloud/main.js', // Provide an absolute path
appId: AppID,
clientKey: ClientPath,
masterKey: MasterKey, // Keep this key secret!
serverURL: 'http://localhost:1337/parse', // Don't forget to change to https if needed
push: {
ios: [
{
pfx: './Resources/helpin_development_push_certificate.p12', // Dev PFX or P12
bundleId: 'info.way4app.SocialMap',
production: false // Dev
},
{
pfx: './Resources/helpin_distribution_push_certificate.p12', // Prod PFX or P12
bundleId: 'info.way4app.SocialMap',
production: true // Prod
}
]
},
facebookAppIds : '765363916914088',
oauth: {
facebook: {
appIds: "765363916914088"
}
}
});

[flovilmart]

if you try removing the appIds as well as facebookAppIds from your configuration does it work?

[Gegham]

Initially it did not have it in configurations, I have added it in hope that it will fix my problem. But I'll remove it and try now, again.

[Gegham]

I have removed both keys and still getting the issue.

[flovilmart]

So if you removed those keys, it means that either your authData object is improperly formatted or that the auth_token is invalid / has expired.
Are you running the latest version of the iOS SDK? How did you acquire this auth token?

can you run your server with the environment variable VERBOSE=1 so we have more logs on the requests?

[Gegham]

Yes, I'm using latest iOS SDK. I acquire this auth token by simply calling :
PFFacebookUtils logInInBackgroundWithReadPermissions:permissionsArray
block:^(PFUser user, NSError error)

Now I'm getting this error in client:

Error Domain=com.facebook.sdk.core Code=8 "(null)" UserInfo={NSRecoveryAttempter=<_FBSDKLoginRecoveryAttempter: 0x16005df00>, NSLocalizedRecoverySuggestion=Please log into this app again to reconnect your Facebook account., com.facebook.sdk:FBSDKGraphRequestErrorGraphErrorCode=190, com.facebook.sdk:FBSDKErrorDeveloperMessageKey=Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons., com.facebook.sdk:FBSDKGraphRequestErrorHTTPStatusCodeKey=400, com.facebook.sdk:FBSDKGraphRequestErrorCategoryKey=2, com.facebook.sdk:FBSDKGraphRequestErrorGraphErrorSubcode=460, com.facebook.sdk:FBSDKGraphRequestErrorParsedJSONResponseKey={
body = {
error = {
code = 190;
"error_subcode" = 460;
"fbtrace_id" = BIRfexJo4lH;
message = "Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons.";
type = OAuthException;
};
};
code = 400;
}, NSLocalizedRecoveryOptions=(
OK,
Cancel
)}

[flovilmart]

As you can see, this is a Facebook SDK error

[Gegham]

Yes you are right, but when I'm switching back to parse.com from parse-server, it works fine.

[Gegham]

This error appears after migration

[flovilmart]

Sure, but the error is generated by the Facebook SDK. http://stackoverflow.com/questions/6248173/facebook-access-token-invalid-with-message-session-does-not-match-current-store#6769696

[Gegham]

Sure I understand it, but if it works with parse.com and not working with parse-server, means problem is in parse-server side. I think every time when I'm trying to logInInBackgroundWithReadPermissions:permissionsArray , I'm getting wrong session token from parse-server, I don't know how can I fix this issue

[flovilmart]

Try to acquire the access token from the Facebook SDK and then run the login method with this access token

[flovilmart]

Also what version of PFFacebookUtils, FBSDK, Parse-iOS-SDK, and parse-server are you using?

[absolutlabs]

@Gegham, did you only try with old users (created on Parse) or did you signed up with a new user on the parse-server and then try to re-login ?

[Gegham]

With new users everything is works. I have solved this issue for old users by unlinking then linking users to FB. Thanks ALL!!!

[FilipZawada]

@absolutlabs @flovilmart I can confirm this issue exists with new users. Way to reproduce:

1. Sign-up to your app through Facebook (no Parse account linked before)
2. Change password on your Facebook account. Check to log out all sessions
3. Remove your app (to clear all cache)
4. Install app, and login with your facebook account. Error as described above occurs.

Alternatively, if you remove user linked parse account before step 4. , new account is created without problem. So it fails, if there is an existing parse account linked in the database. I'm 99% sure it's a problem with Parse.

[flovilmart]

Can you write a test that encompasses that use case and provide a PR for that?

[FilipZawada]

I'd love to, but this means I'd have to find a root cause and then write a test-case. Unfortunately this will not happen in the nearest future due to lack of time :-((

[alombard]

Jumping in late here I realize but has there been any further movement on this by chance? I'm still seeing FBSDKGraphRequestErrorGraphErrorSubcode=460 for "legacy" Parse users when I try to log them in on Parse Server (they work fine on Parse.com).

[flovilmart]

I'll try something out later today

[alombard]

Followup on this. I hadn't migrated my users to "Require revocable sessions" prior to trying to work with users on the new server. This seemed to fix the issue for me - hope this helps others.

[michalumni]

@alombard will that allow me to save to the user object from a REST call? I am having the same issue, I make calls from a separate python script to edit information about the users and it says "Facebook auth is invalid for this user".

[alombard]

@michalumni not sure. Why not try it? Can't imagine this would hurt (it's the recommended approach).

[michalumni]

I tried it, by switching over to Revocable sessions, still no go... I am wondering if I have to unlink and then relink my users as well?