instagram signup is buggy

[snarfed]

at least two problems:

1. indieauth fails for @Zegnat because he uses his own auth endpoint, https://vanderven.se/martijn/auth/ , which we somewhat handle ok, but its verification response doesn't return me, which we don't handle ok. IRC discussions, snarfed/oauth-dropins@d65d415, snarfed/oauth-dropins@f8ff52e.
2. when i try to log in, indieauth works ok, but then the IG profile page fetch gets rate limited, which breaks badly with an IG-rendered error page 😂 😭.

apologies @Zegnat, but i may deprioritize 1 until if/when you actually use bridgy. 😆 2, though, i should look at.

cc @aaronpk

[snarfed]

alternative: drop instagram, with a vengeance. so tempted.

[aaronpk]

I am curious about tracking down that IndieAuth error though. I'm not sure why the verification response didn't return me, since that's how IndieAuth works. Could be an error on Zegnat's endpoint with something. Maybe the right answer is to better surface or log the error responses during that part of the flow so this is easier to troubleshoot. Now that Wordpress is about to get its own built-in IndieAuth endpoint, people using Bridgy will be getting this IndieAuth response from a lot more different sites than just indieauth.com soon.

[snarfed]

we debugged more and determined that i'm not sending an Accept header or otherwise doing conneg in the code verification request, but i'm expecting a form-encoded response, and @Zegnat's endpoint is returning JSON: {"me":"https:\/\/vanderven.se\/martijn\/"}. the spec also says the response is JSON.

@Zegnat says his endpoint should default to form-encoded though, not JSON: https://gist.github.com/Zegnat/4ad87603bcabbf8e095363df99845e50 . the plot thickens.

[snarfed]

@Zegnat added logging and reported that i'm sending Accept */* (maybe added by app engine urlfetch), which triggers him to return json. got it. thanks for the sleuthing @Zegnat!

[snarfed]

i updated the signup profile fetch to ignore rate limiting.

[snarfed]

@Zegnat i think this is fixed, so your auth endpoint should work now. feel free to try!

[raucao]

I also have issues authorizing my site. The error message I see after the redirect is:

HTTP Error 400: 400 Bad Request The server could not comply with the request since it is either malformed or otherwise incorrect. IndieAuth verification failed: error=Invalid+auth+code

The URL looks fine to me (includes code=123abc), and the state param is being accepted (i.e. I see an error about invalid state when I change anything about it, but otherwise not).

[snarfed]

thanks for reporting @skddc, and sorry for the trouble! I'll look into it.

[snarfed]

looking at the log from one of your indieauth callback requests (link is just for me 😁):

GET /instagram/callback?code=CODE&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti

decoding state "%7B%22endpoint%22%3A%22https%3A%2F%2Fupdates.kip.pe%2Findieauth%2Fauth%22%2C%22me%22%3A%22https%3A%2F%2Fupdates.kip.pe%22%7D"
requests.post https://updates.kip.pe/indieauth/auth {'data': {'me': u'https://updates.kip.pe', 'state': '', 'code': u'CODE, 'client_id': 'https://brid.gy/', 'redirect_uri': 'https://brid.gy/instagram/callback'}}
Error 400, response body: u'400 Bad Request\n\nThe server could not comply with the request since it is either malformed or otherwise incorrect.\n\n IndieAuth verification failed: error=Invalid+auth+code '

...auth code and me do indeed look fine.

[snarfed]

@skddc here's the auth code verification request bridgy makes, as a curl command:

$ curl -v -d 'me=https%3A%2F%2Fupdates.kip.pe&state=&code=CODE&client_id=https%3A%2F%2Fbrid.gy%2F&redirect_uri=https%3A%2F%2Fbrid.gy%2Finstagram%2Fcallback' https://updates.kip.pe/indieauth/auth
...
< HTTP/1.1 400 Bad Request
...
error=Invalid+auth+code

here's a simplified, more readable version, without the non-standard me and state parameters. same result:

curl -v -d 'code=CODE&client_id=https://brid.gy/&redirect_uri=https://brid.gy/instagram/callback' https://updates.kip.pe/indieauth/auth

i'm replacing CODE with an auth code bridgy got from the callback above from your auth endpoint, 2018-06-27 16:53:32 UTC. this failure may be because the code expired, though, so maybe i can catch you in person to debug together.

[snarfed]

looks like this may be a bug in known, or at least a bad interaction between it and bridgy. @rikmendes had the same problem with https://rmendes.net/ , also on known.

hey @mapkyca, any tips on how we could debug this? known users are having trouble logging into bridgy (instagram) with their sites' indieauth. details above.

[mapkyca]

Hmm... do we have a record of what's sent to known / getting from known? (I've not got a public instagram, so not tried to replicate)

[raucao]

I could retry it and tell you the exact time and URL of the request if that helps.

[snarfed]

@mapkyca thanks for looking! you don't actually need an instagram account to repro on https://brid.gy/ , just click the instagram button and then try to log in with indieauth.

the initial redirect from bridgy to known looks like this:

https://updates.kip.pe/indieauth/auth?me=https%3A%2F%2Fupdates.kip.pe&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&redirect_uri=https%3A%2F%2Fbrid.gy%2Finstagram%2Fcallback&client_id=https%3A%2F%2Fbrid.gy%2F

known then redirects back to bridgy with an auth code:

https://brid.gy/instagram/callback?code=CODE&state=%257B%2522endpoint%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%252Findieauth%252Fauth%2522%252C%2522me%2522%253A%2522https%253A%252F%252Fupdates.kip.pe%2522%257D&me=https%3A%2F%2Fupdates.kip.pe%2Fprofile%2Fbasti

bridgy then tries to verify the auth code - details above in #809 (comment) - which known 400s.

[mapkyca]

Hmm... bridgy seems to not like private accounts. I'll see if I can create a new instagram and try again...

[snarfed]

@mapkyca true, but this bug happens during indieauth, before bridgy looks at your Instagram account at all. if you were able to indieauth with known successfully, then you didn't reproduce the bug. maybe you're on a newer known version that fixed it?

[raucao]

I'm on ec0752d (June 18), if that helps.

[mapkyca]

I wonder if it makes a difference between single user install / multi user installs.. e.g. it'll be hard to auth a single user on a mulituser install if you enter https://example.com/ instead of https://example.com/profile/me

[raucao]

Oh, that actually works. So maybe that's how I did it back when setting it up the first time. Thanks!

Would be nice if people with single-user instances could just use their domain name, of course. My profile does appear on the frontpage, too.

[mapkyca]

If you have a single user install you can use the domain, but you have to explicitly set "single user" mode. This is because that mode puts the user header on the top of the front page, which has all the rel=me links that IndieAuth uses...

[raucao]

That's what I have, and yet it doesn't work.

[mapkyca]

Interesting... so you're saying that https://yoursite.com/profile/skddc works but https://yoursite.com doesn't?

[raucao]

Yes, see my original comment: #809 (comment)

[mapkyca]

Latest code has some more logging, might want to give it a try...

[raucao]

I found out what broke it. See my last comment in the linked Known issue. Thanks again for helping!

[snarfed]

glad you figured it out!