This repository has been archived by the owner on Aug 13, 2019. It is now read-only.

Corrupted session state #38

Open
psbrandt opened this issue Jun 27, 2017 · 2 comments

psbrandt commented Jun 27, 2017

Steps to Recreate

  1. Be GSuite admin
  2. Create new project here: https://console.developers.google.com/apis/library
  3. On same page, search for and enable Admin SDK, Google+ API and Group Settings API
  4. Configure consent screen here: https://console.developers.google.com/apis/credentials/consent
  5. Create credentials here: https://console.developers.google.com/apis/credentials
  6. Select OAuth Client ID, choose Web Application as application type (take note of ID & secret)
  7. Clone https://github.com/stripe/gaps
  8. Edit docker-compose.yml to look like:

```yaml
version: '2'
services:
  web:
    build: .
    ports:
      - 3500:3500
    links:
      - mongo
    environment:
      - MONGODB_URL=mongodb://mongo/mongo
      - RACK_ENV=development
      - FAVICON_URL=
      - GAPS_URL=http://localhost:3500
      - ORG_DOMAIN=example.com
      - ORG_NAME=Example
      - OAUTH_CLIENT_ID=<CLIENT ID> # replace
      - OAUTH_CLIENT_SECRET=<CLIENT SECRET> # replace
      - OAUTH_REDIRECT_URL=http://localhost:3500/oauth2callback
      - SESSION_SECRET=123

  mongo:
    image: mongo
```

  9. Run docker-compose up
  10. Navigate to http://localhost:3500/
  11. Click Sign In
  12. Select GSuite admin user
  13. Click ALLOW
  14. Observe error message:

```
You seem to have corrupted session state. Try logging in again?

Looks like something went wrong :(
```

  15. Be sad 😞

Browsers

  • Safari 10.1 (12603.1.30.0.34)
  • Chrome 58.0.3029.110 (64-bit) (macOS)

psbrandt commented (Author)

Docker logs:

```
➜  gaps git:(master) ✗ docker-compose up
Creating gaps_mongo_1
Creating gaps_web_1
Attaching to gaps_mongo_1, gaps_web_1
mongo_1  | 2017-06-27T20:44:44.015+0000 I CONTROL  [initandlisten] MongoDB starting : pid=1 port=27017 dbpath=/data/db 64-bit host=6b3ba2bc3053
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten] db version v3.4.4
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten] git version: 888390515874a9debd1b6c5d36559ca86b44babd
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1t  3 May 2016
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten] allocator: tcmalloc
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten] modules: none
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten] build environment:
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten]     distmod: debian81
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten]     distarch: x86_64
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten]     target_arch: x86_64
mongo_1  | 2017-06-27T20:44:44.016+0000 I CONTROL  [initandlisten] options: {}
mongo_1  | 2017-06-27T20:44:44.020+0000 I STORAGE  [initandlisten]
mongo_1  | 2017-06-27T20:44:44.020+0000 I STORAGE  [initandlisten] ** WARNING: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine
mongo_1  | 2017-06-27T20:44:44.020+0000 I STORAGE  [initandlisten] **          See http://dochub.mongodb.org/core/prodnotes-filesystem
mongo_1  | 2017-06-27T20:44:44.020+0000 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=3474M,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),checkpoint=(wait=60,log_size=2GB),statistics_log=(wait=0),
mongo_1  | 2017-06-27T20:44:44.196+0000 I CONTROL  [initandlisten]
mongo_1  | 2017-06-27T20:44:44.196+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
mongo_1  | 2017-06-27T20:44:44.196+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
mongo_1  | 2017-06-27T20:44:44.196+0000 I CONTROL  [initandlisten]
mongo_1  | 2017-06-27T20:44:44.277+0000 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db/diagnostic.data'
mongo_1  | 2017-06-27T20:44:44.383+0000 I INDEX    [initandlisten] build index on: admin.system.version properties: { v: 2, key: { version: 1 }, name: "incompatible_with_version_32", ns: "admin.system.version" }
mongo_1  | 2017-06-27T20:44:44.383+0000 I INDEX    [initandlisten] 	 building index using bulk method; build may temporarily use up to 500 megabytes of RAM
mongo_1  | 2017-06-27T20:44:44.388+0000 I INDEX    [initandlisten] build index done.  scanned 0 total records. 0 secs
mongo_1  | 2017-06-27T20:44:44.388+0000 I COMMAND  [initandlisten] setting featureCompatibilityVersion to 3.4
mongo_1  | 2017-06-27T20:44:44.388+0000 I NETWORK  [thread1] waiting for connections on port 27017
mongo_1  | 2017-06-27T20:44:46.392+0000 I NETWORK  [thread1] connection accepted from 172.20.0.3:45596 #1 (1 connection now open)
mongo_1  | 2017-06-27T20:44:46.396+0000 I -        [conn1] end connection 172.20.0.3:45596 (1 connection now open)
mongo_1  | 2017-06-27T20:44:46.398+0000 I NETWORK  [thread1] connection accepted from 172.20.0.3:45598 #2 (1 connection now open)
mongo_1  | 2017-06-27T20:44:46.485+0000 I INDEX    [conn2] build index on: mongo.cache properties: { v: 2, unique: true, key: { key: -1 }, name: "key_-1", ns: "mongo.cache" }
mongo_1  | 2017-06-27T20:44:46.485+0000 I INDEX    [conn2] 	 building index using bulk method; build may temporarily use up to 500 megabytes of RAM
mongo_1  | 2017-06-27T20:44:46.488+0000 I INDEX    [conn2] build index done.  scanned 0 total records. 0 secs
mongo_1  | 2017-06-27T20:44:46.587+0000 I INDEX    [conn2] build index on: mongo.group properties: { v: 2, unique: true, key: { group_email: 1 }, name: "group_email_1", ns: "mongo.group" }
mongo_1  | 2017-06-27T20:44:46.587+0000 I INDEX    [conn2] 	 building index using bulk method; build may temporarily use up to 500 megabytes of RAM
mongo_1  | 2017-06-27T20:44:46.590+0000 I INDEX    [conn2] build index done.  scanned 0 total records. 0 secs
mongo_1  | 2017-06-27T20:44:46.590+0000 I COMMAND  [conn2] command mongo.$cmd command: createIndexes { createIndexes: "group", indexes: [ { name: "group_email_1", key: { group_email: 1 }, unique: true } ] } numYields:0 reslen:113 locks:{ Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { W: 1 } }, Collection: { acquireCount: { w: 1 } } } protocol:op_query 100ms
mongo_1  | 2017-06-27T20:44:46.677+0000 I INDEX    [conn2] build index on: mongo.user properties: { v: 2, unique: true, key: { google_id: 1 }, name: "google_id_1", ns: "mongo.user", sparse: true }
mongo_1  | 2017-06-27T20:44:46.677+0000 I INDEX    [conn2] 	 building index using bulk method; build may temporarily use up to 500 megabytes of RAM
mongo_1  | 2017-06-27T20:44:46.679+0000 I INDEX    [conn2] build index done.  scanned 0 total records. 0 secs
mongo_1  | 2017-06-27T20:44:46.682+0000 I NETWORK  [thread1] connection accepted from 172.20.0.3:45600 #3 (2 connections now open)
web_1    | Puma 2.10.1 starting...
web_1    | * Min threads: 0, max threads: 16
web_1    | * Environment: development
web_1    | * Listening on tcp://0.0.0.0:3500
web_1    | == Sinatra/1.4.5 has taken the stage on 3500 for development with backup from Puma
mongo_1  | 2017-06-27T20:44:46.686+0000 I NETWORK  [thread1] connection accepted from 172.20.0.3:45602 #4 (3 connections now open)
web_1    | 172.20.0.1 - - [27/Jun/2017 20:47:24] "GET / HTTP/1.1" 302 - 0.0074
web_1    | 172.20.0.1 - - [27/Jun/2017 20:47:24] "GET /subs HTTP/1.1" 303 - 0.0011
mongo_1  | 2017-06-27T20:47:24.881+0000 I NETWORK  [thread1] connection accepted from 172.20.0.3:45606 #5 (4 connections now open)
web_1    | 172.20.0.1 - - [27/Jun/2017 20:47:24] "GET /login HTTP/1.1" 200 2258 0.0056
web_1    | 172.20.0.1 - - [27/Jun/2017 20:47:27] "GET /login/gafyd?type=lister HTTP/1.1" 302 - 0.0046
web_1    | 172.20.0.1 - - [27/Jun/2017 20:48:15] "GET /oauth2callback?code=4/Io_P3JGZ1Qs-t_3-Wv3oKbO6HZ47V6BH50yXe_Mxqrw HTTP/1.1" 200 2120 0.0035
```

psbrandt commented (Author)

Solution

In my case, the primary issue was with secure cookies. I figured this out because the default value is false when running locally (which worked for me), but true when using the Docker image. There was also a secondary issue due to the Mongo version not being pinned (see my response on #37).

Steps To Recreate (Abridged)

Configure Google API, set up credentials as specified in the README, then create a .env file as follows:

```
MONGODB_URL=mongodb://mongo/gaps
GAPS_URL=gaps.example.com
ORG_DOMAIN=example.com
ORG_NAME=Example
OAUTH_CLIENT_ID=🆔
OAUTH_CLIENT_SECRET=🔑
OAUTH_REDIRECT_URL=http://gaps.example.com/oauth2callback
SESSION_SECRET=testing
```

Start Mongo:

```
docker run -p 27017:27017 --name mongo mongo:2
```

Start Gaps:

```
docker run --name gaps --link mongo -p 3500:3500 --env-file=.env stripeoss/gaps
```

Step To Fix 🎉

I created a new Docker image that makes secure cookies configurable (see commit). To get things to work, add SECURE_COOKIES=false to your .env file, then run the new image as follows:

```
docker run --name gaps --link mongo -p 3500:3500 --env-file=.env commure/gaps
```

⚠️ Gaps does not like connecting to an existing mongo database, so you'll either need to change the database name (gaps) in the MONGODB_URL variable in your .env file before running commure/gaps, or you can drop the mongo container (and volume) and recreate it:

```
docker rm --force --volumes mongo && docker run -p 27017:27017 --name mongo mongo:2
```
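
The failure mode reported in this thread, as an added example (not Gaps code and not posted by the author): a session cookie marked Secure is not sent back over plain HTTP, so a server that keeps the OAuth state in a cookie-backed session cannot find it when the callback arrives. `CookieJar`, `App` and `sign_in` are hypothetical names, and keeping the state in the session is an assumption about how the check works.

```ruby
require 'securerandom'
require 'uri'

# Minimal browser cookie jar that models only the Secure attribute (RFC 6265).
class CookieJar
  def initialize; @cookies = {}; end

  # Record one Set-Cookie header value.
  def store(set_cookie)
    pair, *attrs = set_cookie.split(/;\s*/)
    name, value = pair.split('=', 2)
    @cookies[name] = { value: value, secure: attrs.any? { |a| a.casecmp?('secure') } }
  end

  # Cookies attached to a request for url: Secure ones only go out over https.
  def for_request(url)
    https = URI(url).scheme == 'https'
    @cookies.select { |_, c| https || !c[:secure] }.transform_values { |c| c[:value] }
  end
end

# Hypothetical server: keeps the OAuth state in a session found via the sid cookie.
class App
  def initialize(secure_cookies:)
    @secure = secure_cookies
    @sessions = {}
  end

  # Login step: mint a state, store it in the session, return [Set-Cookie, state].
  def login
    sid, state = SecureRandom.hex(16), SecureRandom.hex(16)
    @sessions[sid] = state
    ["sid=#{sid}; Path=/; HttpOnly#{'; Secure' if @secure}", state]
  end

  # Callback step: the returned state must match the one held in the session.
  def callback(cookies, state)
    expected = @sessions[cookies['sid']]
    expected && expected == state ? :signed_in : :corrupted_session_state
  end
end

# Run login then callback through the jar, as a browser visiting base_url would.
def sign_in(base_url, secure_cookies:)
  app, jar = App.new(secure_cookies: secure_cookies), CookieJar.new
  set_cookie, state = app.login
  jar.store(set_cookie)
  app.callback(jar.for_request("#{base_url}/oauth2callback"), state)
end
```

`sign_in('http://localhost:3500', secure_cookies: true)` returns `:corrupted_session_state`, while the same call against an `https://` base URL returns `:signed_in`. Turning secure cookies off is therefore only needed when the deployment is served over plain HTTP.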
