[SOLVED] GraphQL request signature verification fails since cloud server v5 migration

Bugs Solved Bugs
1

I have…

  • [ ] Checked the logs and have uploaded a log file and provided a link because I found something suspicious there. Please do not post the log file in the topic because very often something important is missing.

I’m submitting a…

  • [x] Regression (a behavior that stopped working in a new release)
  • [ ] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

We are using the GraphQL API via the CDN to access squidex content on our Android and iOS clients. Since the migration of the cloud version to Squidex v5 requests are rejected with signature-fail on GraphQL API. We are properly re-requesting tokens after getting a 401, but even the new tokens then fail right away.

Did something change with how requests are signed? If yes, that would be really a problem because it means that even if we fix this client side all our users which are not on the latest version will have no content in the app.

Expected behavior

Requests signed with access tokens should be accepted just as before.

Minimal reproduction of the problem

For us it happens every time we make a request against the GraphQL API and sign it with an access token.

Environment

  • [ ] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [x] Cloud version

Version: latest

Browser:

  • [ ] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [ ] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

Others:
We are using the apollo graphql libraries on both Android and iOS.

I am happy to help debugging by sending over requests or doing a screen share live debugging session - as this affects all our users and we are getting very angry user reports we are obviously interested in a quick solution to the problem and are willing to do anything necessary to aid you in debugging/fixing. :slight_smile:

2

CDN Response headers of one of the failed requests (401):

accept-ranges: bytes
content-length: 0
date: Mon, 02 Nov 2020 15:50:35 GMT
jwt-error: signature-fail
retry-after: 0
server: Varnish
via: 1.1 varnish
x-cache: MISS
x-cache-hits: 0
x-served-by: cache-fra19125-FRA
x-timer: S1604332235.375967,VS0,VE0
3

One more thing:

When I use one of the static access tokens from the Clients Page on the Squidex dashboard everything works fine. So it could it be, that the tokens generated by https://cloud.squidex.io/identity-server/connect/token is not valid for graphQL requests against the new server version?

4

My last remark might be misleading. I also changed the URL to point directly at squidex and not the GraphQL API which made things work.

It looks like the CDN might be the actual culprit. As soon as I use the CDN URL https://contents.squidex.io/clear/graphql for the requests, they fail - while everything works fine when requesting from https://cloud.squidex.io/api/content/clear/graphql. Any idea?

5

I think that the CDN might have an old public key, I will check that.

1 Like
6

It is fixed now and deployed to the cloud.

I am thinking about writing a service, which makes a few test calls to the CDN and can be invoked by monitoring solutions.

1 Like
7

Many thanks for the quick fix! I can confirm it works perfectly fine again. :slight_smile:

8

I have also added the CDN to the monitoring.

1 Like
9

This topic was automatically closed after 2 days. New replies are no longer allowed.