This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Looping redirect on fresh bootstrapped project #873

Closed
bschlaman opened this issue Oct 21, 2020 · 9 comments · Fixed by #874 or #887
Labels
kind/bug Something is malfunctioning.

Comments

@bschlaman
Contributor

TL;DR

After provisioning ENVS for the first time using the "production" setup, logging in with the default user "super@example.com" results in looping redirects through several endpoints.

@whaught

Expected behavior
Successful login

Observed behavior
Seemed to get 303 redirected through these endpoints until hitting rate limits (somewhere around 100 requests):
/admin
/login/manage-account?mode=verifyEmail
/login/select-realm

Before finally getting redirected to /logout

I can see these in the logs:
"realm does not exist in session"
"user email not verified"

In Chrome, ERR_TOO_MANY_REDIRECTS also shows. Clearing cookies did not resolve the problem, nor did testing from mobile or a new IP.

Reproduction

Start with a fresh GCP project and follow the steps outlined in docs/production.md.
As stated, enter super@example.com into Firebase and enable Identity Platform.

Behavior can be seen at my server URL:
https://server-dyjepj3nfa-uc.a.run.app/
User: super@example.com
Pw: asdfasdf

Environment

  • OS: Windows & Linux
  • Browser: Chrome: ERR_TOO_MANY_REDIRECTS
  • Browser: IE: HTTP 405
  • Version: Chrome: 86.0.4240.75
  • Version: ENVS: v13
@bschlaman bschlaman added the kind/bug Something is malfunctioning. label Oct 21, 2020
@whaught whaught self-assigned this Oct 21, 2020
@bschlaman
Contributor Author

Should also mention I'm not using a load balancer or custom domain

@sethvargo
Member

Can you share the logs (either copy-paste or screenshot) from around that time? If you can enable debug logs (set LOG_DEBUG=true as an envvar on the service) and run again, that'd be super helpful.

@whaught
Contributor

whaught commented Oct 21, 2020

Sorry, not sure if I closed this prematurely. Could you try redeploying with #874 and verify that the scenario succeeds?

@bschlaman
Contributor Author

Yes - done. The problem is still there, but I think I found the issue.

@bschlaman
Contributor Author

bschlaman commented Oct 21, 2020

I think the problem is occurring because an admin is logging in without having verified the email, and with 0 realms present yet. Here is the redirect flow:

POST /session
GET /login/select-realm (this first GET is from the login js script)
Redirect to “/admin”
  • First: requireVerified
Redirect to “/login/manage-account?mode=verifyEmail”
  • First: processFirewall -> controller.MissingRealm(w, r, h)
GET /login/select-realm (subsequent GETs to this endpoint are from MissingRealm)
(process repeats)
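
As an added illustration (not code from the project or from anyone in this thread), the Go model below replays the guard order described in the comment above: select-realm sends a realm-less admin to /admin, /admin runs requireVerified, and the manage-account page runs the realm firewall (MissingRealm), and follow() walks the chain until a path repeats. The session fields, when() and the exemptVerifyPage flag are constructed for the demonstration; exempting the verify-email page from the realm check is an assumed mitigation, not what #874 or #887 actually changed.

```go
package main

// session carries the two flags behind the logged lines "user email not verified"
// and "realm does not exist in session" (constructed for this example).
type session struct {
	emailVerified, realmInSession, isAdmin bool
	realmCount                             int
}

// when returns the redirect target if cond holds, else "" (no redirect).
func when(cond bool, to string) string {
	if cond {
		return to
	}
	return ""
}

// handlers maps each path to the next hop it yields for a session; "" means the
// page renders and the chain ends. Guard order follows the report above.
// exemptVerifyPage is an assumed mitigation, not the project's actual fix.
func handlers(exemptVerifyPage bool) map[string]func(session) string {
	return map[string]func(session) string{
		// an admin with zero realms is sent straight to the admin console
		"/login/select-realm": func(s session) string { return when(s.isAdmin && s.realmCount == 0, "/admin") },
		// requireVerified
		"/admin": func(s session) string { return when(!s.emailVerified, "/login/manage-account?mode=verifyEmail") },
		// processFirewall -> controller.MissingRealm
		"/login/manage-account?mode=verifyEmail": func(s session) string {
			return when(!exemptVerifyPage && !s.realmInSession, "/login/select-realm")
		},
	}
}

// follow walks redirects from start and reports whether a path repeated before
// maxHops, the condition Chrome surfaces as ERR_TOO_MANY_REDIRECTS.
func follow(start string, s session, h map[string]func(session) string, maxHops int) ([]string, bool) {
	seen, chain, cur := map[string]bool{}, []string{}, start
	for len(chain) < maxHops {
		chain = append(chain, cur)
		if seen[cur] || h[cur] == nil {
			return chain, seen[cur]
		}
		seen[cur] = true
		if cur = h[cur](s); cur == "" {
			return chain, false
		}
	}
	return chain, true
}
```

follow("/login/select-realm", session{isAdmin: true}, handlers(false), 100) reproduces the four-hop cycle from the report, while handlers(true) ends on the verify-email page and a verified super user lands on /admin.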

@whaught
Contributor

whaught commented Oct 22, 2020

I ran through the scenario with an unverified super user - the scenario should be good to go!

@bschlaman
Contributor Author

Works for me too! Obviously one can't verify the "super@example.com" email address, so might be good to update the production.md bootstrapping instructions. I'll raise a PR if I get a chance.

@sethvargo
Member

We can verify that email. We do it in tools/seed/main.go.

@bschlaman
Contributor Author

Ah cool - didn't see that tool. Thanks!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 24, 2020