Whitescreen when user not found

[FelixMalfait]

I was going back to demo.twenty.com and since the database was reset it threw a "user not found" error. But this error wasn't properly interpreted by the frontend and I just had a full blank page. Instead I should have been logged out and sent to the login page (we should already have this mechanism for token expiration).

Maybe check if it's a proper AuthException being thrown in every case?

This probably happens to everyone who visits the demo website and comes back the following day.

[himanshuraimau]

can i work on this issue?

[FelixMalfait]

Sure @himanshuraimau thanks!

Note: I'm not sure the hint I gave is the right one

[himanshuraimau]

no problem i will try to figure it out.

[himanshuraimau]

the issue is this page right?

[FelixMalfait]

@himanshuraimau Mmh no I think that's something different linked to the fact that your database schema changed (no artist object)

[Bonapara]

/oss.gg 150

[oss-gg]

Thanks for opening an issue! It's live on oss.gg!

[Anujv93]

/assign

[oss-gg]

Assigned to @Anujv93! Please open a draft PR linking this issue within 48h ⚠️ If we can't detect a PR from you linking this issue in 48h, you'll be unassigned automatically 🕹️ Excited to have you ship this 🚀

[oss-gg]

This issue is already assigned to another person. Please find more issues here.

[siamliam12]

/assign

[oss-gg]

This issue is already assigned to another person. Please find more issues here.

[rabel798]

/assign

[oss-gg]

This issue is already assigned to another person. Please find more issues here.

[Anky9972]

/assign

[oss-gg]

This issue is already assigned to another person. Please find more issues here.

[krVatsal]

/assign

[oss-gg]

This issue is already assigned to another person. Please find more issues here.

[Bonapara]

Removing you @Anujv93 as it's been two weeks, thanks for contributing!

[krVatsal]

/assign

[oss-gg]

Assigned to @krVatsal! Please open a draft PR linking this issue within 48h ⚠️ If we can't detect a PR from you linking this issue in 48h, you'll be unassigned automatically 🕹️ Excited to have you ship this 🚀

[krVatsal]

@FelixMalfait Can you help me to replicate the issue such that i can fix it more efficiently

[oss-gg]

@krVatsal, Just a little reminder: Please open a draft PR linking this issue within 12 hours. If we can't detect a PR in 12h, you will be unassigned automatically.

[Anuragyadav622003]

/assign

[oss-gg]

This issue is already assigned to another person. Please find more issues here.

[nicolasrouanne]

I just tried to reproduce this locally and I wonder if it's still happening.

Here's what I did:

• seeded in demo

  cd packages/twenty-server
  npx nx workspace:seed:demo

• logged in using tim@apple.dev
• reseeded in demo (deleting all previous data)
• (waited for the accessToken to expire)
• refreshed the frontend

I get a Token has expired. error, followed by a Token invalid. error when trying to renew the token - which is expected.

{
  "errors": [
    {
      "message": "Token has expired.",
      "extensions": {
        "code": "UNAUTHENTICATED"
      }
    }
  ]
}

{
  "errors": [
    {
      "message": "Token invalid.",
      "extensions": {
        "code": "UNAUTHENTICATED"
      }
    }
  ],
  "data": null
}

I'm then redirected to the login page, as expected too.

I'm currently logged in on the real demo environment, and will try to reproduce tomorrow morning.

[Anuragyadav622003]

ensure frontend recognize the "unauthenticated" errors from the expire token and trigger a refresh request.
to correctly generate the new access token the refress token must be valid that helps to generate new access tokens.
clear all browser storage like (local storage) to prevent using of out dated tokens

[nicolasrouanne]

@Anuragyadav622003 I'm not sure I understand your point... I'm saying that as far as I'm concerned everything seems to work as expected.

I will double check tomorrow on the demo environment if I can reproduce the issue, once the cron task to reseed the demo environment has run.

[FelixMalfait]

@nicolasrouanne I suspect it's this:

When we validate the token we throw a INVALID_INPUT instead of USER_NOT_FOUND

[FelixMalfait]

FYI behavior on the frontend is defined here:

[nicolasrouanne]

@FelixMalfait I still couldn't reproduce either in demo or development environment. Refreshing the page with yesterday's accessToken on demo still logged me in, although the DB was re-seeded (which is weird no?)

Anyway, I believe it may happen and you maybe are able to reproduce it on your side, so I'm still going to try to fix it. 🤞🏻

Thanks for the pointers it really helped me out, and I think you were right in your analysis. I try to sum it up here:

• if the user isn't found, we throw an AuthException but with the AuthExceptionCode.INVALID_INPUT code (weird hun)
  

  twenty/packages/twenty-server/src/engine/core-modules/auth/strategies/jwt.auth.strategy.ts

  Lines 114 to 117 in 898006f

  	throw new AuthException(
  	'User not found',
  	AuthExceptionCode.INVALID_INPUT,
  	);

• this exception is then caught and a UserInputError is thrown
  

  twenty/packages/twenty-server/src/engine/core-modules/auth/filters/auth-graphql-api-exception.filter.ts

  Lines 21 to 22 in 898006f

  	case AuthExceptionCode.INVALID_INPUT:
  	throw new UserInputError(exception.message);

• but this error doesn't have an UNAUTHORIZED error code, that would have allowed graphql to properly try to renew a token and redirect to login
  

  twenty/packages/twenty-front/src/modules/apollo/services/apollo.factory.ts

  Lines 99 to 111 in 898006f

  	switch (graphQLError?.extensions?.code) {
  	case 'UNAUTHENTICATED': {
  	return fromPromise(
  	renewToken(uri, this.tokenPair)
  	.then((tokens) => {
  	if (isDefined(tokens)) {
  	onTokenPairChange?.(tokens);
  	}
  	})
  	.catch(() => {
  	onUnauthenticatedError?.();
  	}),
  	).flatMap(() => forward(operation));

  
  

  twenty/packages/twenty-front/src/modules/apollo/hooks/useApolloFactory.ts

  Lines 67 to 82 in 898006f

  	onUnauthenticatedError: () => {
  	setTokenPair(null);
  	setCurrentUser(null);
  	setCurrentWorkspaceMember(null);
  	setCurrentWorkspace(null);
  	setWorkspaces(null);
  	if (
  	!isMatchingLocation(AppPath.Verify) &&
  	!isMatchingLocation(AppPath.SignInUp) &&
  	!isMatchingLocation(AppPath.Invite) &&
  	!isMatchingLocation(AppPath.ResetPassword)
  	) {
  	setPreviousUrl(`${location.pathname}${location.search}`);
  	navigate(AppPath.SignInUp);
  	}
  	},

  
  It has a BAD_USER_INPUT error code, which graphql doesn't know what to do with.

So I suggest rather, when a user is not found in jwt.auth.strategy, to throw a USER_NOT_FOUND exception, which will properly be rethrown as an AuthenticationError.

twenty/packages/twenty-server/src/engine/core-modules/auth/filters/auth-graphql-api-exception.filter.ts

Lines 26 to 28 in 898006f

	case AuthExceptionCode.USER_NOT_FOUND:
	case AuthExceptionCode.WORKSPACE_NOT_FOUND:
	throw new AuthenticationError(exception.message);

By the way, that's what's done in impersonate, verify, challenge and updatePassword.

Warning

This will change the HTTP response code for the REST API though... It will go from 400 to 404. Which is actually a breaking change.

twenty/packages/twenty-server/src/engine/core-modules/auth/filters/auth-rest-api-exception.filter.ts

Lines 20 to 24 in 898006f

	case AuthExceptionCode.USER_NOT_FOUND:
	case AuthExceptionCode.CLIENT_NOT_FOUND:
	throw new NotFoundException(exception.message);
	case AuthExceptionCode.INVALID_INPUT:
	throw new BadRequestException(exception.message);

[FelixMalfait]

Agree with your analysis @nicolasrouanne thanks a lot!
You can create random accounts in demo. I guess it worked for you because you used tim@apple.dev which is seeded with the exact same uuid every day, but in my case maybe I have created a different account in demo and therefore it wasn't there the following day 🤔 that's my best guess!

[nicolasrouanne]

Arf I completely forgot UUIDs are hardcoded that's why! Thanks!

Is changing the HTTP code for the REST API not an issue? Do you want that I open a PR?

[FelixMalfait]

@nicolasrouanne yes changing that part of the REST API isn't a big deal, I don't even think the token endpoints should be available in REST as we only use GraphQL internally and this is not something workspace users should care about
If you don't mind raising a PR that's always appreciated of course 😌 thanks a lot!

[nicolasrouanne]

I managed to reproduce, following your hint @FelixMalfait . It was indeed because I was using the tim@apple.dev seeded user that I didn't experience any issue.

Here is how to reproduce in dev environment

• seed the database using npx nx database:reset twenty-server
• login using tim@apple.dev
• copy the Invite member by link URL
• open the invitation link in Incognito window and signup with another email
  => you are now logged in using a new user, don't close this browser window
• re-seed the database: npx nx database:reset twenty-server
• refresh the browser window where you were previously logged in as a new user
  => the white screen appear and never leaves 💥

If you inspect the browser console requests, you can see that the graphql exception code is INVALID_INPUT

[
  {
    "message": "User not found",
    "extensions": {
      "code": "BAD_USER_INPUT"
    }
  }
]