"user/logout" and "user/reset_password" pages are broken

So I am new to teeboard and just wondering if it works or not… I saw that you have perhaps a workaround but unsure what I am doing. Would anyone please be able to help? Thanks

It does not work and until the log out issue is resolved, TeeBoard / Twitch authorization remains broken.

okay thank you!

Some questions to the Devs:

  1. Why is authenticity_token necessary to logout? Could you not remove that?
  2. If there is no possibility that you might remove that necessity: Could you make a legit way to get that token?
    I think that would solve DeezjaVu’s problem…

As per estrat’s post, we solved the issue with the addition of a url parameter that forces user confirmation that they’re on the correct account.

Adding a method to get the CSRF token completely negates the point of a CSRF token in the first place, and removing the CSRF check would re-open the security vulnerability that it’s meant to negate.
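For readers following the token discussion, here is an added example (not part of the thread and not Twitch's code) of how a session-bound token check on a logout endpoint generally behaves, including why a plain navigation to the logout URL is rejected. All names (`login`, `authenticity_token`, `logout`, `demo`), the status codes and the sample users are assumptions made for the illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed server secret; a real application loads this from configuration.
SERVER_SECRET = SecureRandom.hex(32)
SESSIONS = {} # session id => user name (constructed sample data)

def login(user)
  sid = SecureRandom.hex(16)
  SESSIONS[sid] = user
  sid
end

# Token bound to one session: HMAC(secret, session id). It is only embedded in
# pages served to that session, so a page on another origin cannot read it.
def authenticity_token(sid)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), SERVER_SECRET, sid)
end

# Constant-time comparison so the check does not leak the token through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Logout changes state, so it requires POST plus the token of the session
# named by the cookie. Returns an HTTP-style status code.
def logout(verb:, sid:, token:)
  return 405 unless verb == "POST"
  return 401 unless SESSIONS.key?(sid)
  return 403 unless token && secure_equal?(token, authenticity_token(sid))
  SESSIONS.delete(sid)
  200
end

# Replays the cases from the discussion against one logged-in session.
def demo
  alice, bob = login("alice"), login("bob")
  own, other = authenticity_token(alice), authenticity_token(bob)
  r = {
    no_token: logout(verb: "POST", sid: alice, token: nil),      # cookie only
    wrong_token: logout(verb: "POST", sid: alice, token: other), # other session's token
    get_link: logout(verb: "GET", sid: alice, token: own),       # plain link or redirect
    still_logged_in: SESSIONS.key?(alice),
    valid_post: logout(verb: "POST", sid: alice, token: own)     # form from the site's own page
  }
  r.merge(logged_out: !SESSIONS.key?(alice))
end
```

A client that navigates straight to the logout URL, without first loading a page that carries the token, lands in the `get_link` or `no_token` case and stays logged in.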

The issue was not solved. Adding the parameter solves nothing as the logout doesn’t work when used via an embedded browser (what Adobe AIR uses for instance). If that wasn’t clear to you yet… I donno what to say anymore.

What could possibly solve the issue, at least with the logout not working properly, is to force a login rather than trying to log the current user out. So instead of - or in addition to - a force_verify, have a force_login parameter. With that parameter set to true, an authentication would show the “login” form regardless of user status.

This would fix/bypass the logout issue and be a better user experience as users will no longer be presented with a “do you want to authorize” page for a user they already have authorized and they’d no longer have to manually click the “not me?” link.

The addition of the parameter (according to DeezjaVu) doesn’t seem to help (at least not always) in some embedded or older Browsers…

Yes I did assume that there won’t be a legit way to get said token…

But a logout doesn’t need that token…
It’s a bigger Security Issue if the logout doesn’t work because of a missing token than a logout that logs you out no matter what…

The parameter works fine in normal browsers, and I’m unable to debug the embedded browser in teeboard. Therefore, I’m unfortunately unable to figure out why this isn’t working for you. If you’re able to figure out what is going wrong (does the embedded browser not run javascript?) then we’ll be able to address the issue.

I was seeing some funky behavior in certain browsers as well though, e.g. in Firefox, using /login while already logged in with another account wouldn’t work properly. This is a different issue from the /logout not working properly though.

So as for the /logout not working in AIR, I’ll have one of my apps display the issue. I was on vacation so haven’t been able to do so yet. I’ll post it here when I have a build for testing this.

Well, I found a way to prevent the user having to log out, which was to first show the login page (`/login`). Once the user logged in I could then redirect to the authorization url. This worked fine… until now.

The login page contains a captcha and all that was required was to click the “I’m not a robot” button. Now all of a sudden it asks the user to select images. Doing so and clicking the verify button does nothing. So logging in is impossible.

I’m pretty much done with Twitch tbh. It’s just not worth my time.

You are aware that the force_verify parameter allows users to choose who they want to log in as, right? It prompts them as their logged in user, and gives a “not me?” link to logout. You shouldn’t be force logging out users, you should be allowing them the ability to logout on the authorization page.

At this point, my only conclusion is that there’s something dreadfully wrong with Adobe Air’s embedded browser, and I’m unfortunately unable to debug it myself. If you’re able to figure out what’s going wrong, I will investigate how to fix it.

Please (re)read: "user/logout" and "user/reset_password" pages are broken

Clicking the not me? link redirects to the /logout, which fails… always has, which is why I used /user/logout in the first place.

Agreed, the webkit engine used in Adobe AIR is old, however - I’m no JS guru so I could be wrong - if I’m not mistaken, not much (if anything) has changed in the last few years regarding JavaScript. Again, I could be wrong about that though.

I’ll see if I can come up with some answers, regarding the logout, but so far I haven’t had much luck.

I have invested a lot of time (2+ years) in these applications, but it looks like I’ll have to drop them because of the recent changes. Sad really.

DeezjaVu perhaps Fugiman could help if you provide him a version of Teeboard with this thing activated where he can test the not working “not me”-link: http://help.adobe.com/en_US/AIR/1.5/devappshtml/WS5b3ccc516d4fbf351e63e3d118666ade46-7ed2.html
It would be really sad if you gave up too early … and why not let him analyze the situation? …

I know it seems to be the easy way if they just re-enable the /user/logout … but if they don’t want to …

If the not working “not me” link is a problem on twitch’s side this could be the solution to convince them to do something (re-enable /user/logout or fix the link) …
If it’s a problem on your side (who knows) … more people see more …

I hope for the best … good luck :smiley:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.