pfaffman
(Jay Pfaffman)
December 4, 2024, 8:56pm
1
I think this is a bug, but I don’t understand how I could be the first one to complain and Google auths work on Meta. . .
I have several sites that use Google auth set in ENV variables in the YML file. They’ve worked for years. One stopped working today, but two others still worked. I ran upgrades on those sites and now they all return this message:
Sorry, there was an error authorizing your account. Please try again.
When the first one stopped working, I thought it might be an issue on the Google side, but the correct URLs are still there.
I don’t know what a google-protobuf could be -- could this be related? Build(deps): Bump google-protobuf from 4.28.3 to 4.29.0 (#29969) · discourse/discourse@996f993 · GitHub (EDIT: No. It cannot: “Protobuf.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic”)
EDIT: Well, the logs say “(google_oauth2) Authentication failure! authenticity_error: OmniAuth::AuthenticityError, Forbidden” so that sounds like Google doesn’t like my credentials.
These are the same credentials that the other sites are using and that these sites were using before the last upgrade. I see that the expected values are in /var/www/discourse/config/discourse.conf and in SiteSettings in Rails.
If you set them in Site Settings instead of via ENV, does it behave differently?
Can you post the /logs traceback?
pfaffman
(Jay Pfaffman)
December 4, 2024, 9:20pm
3
I’ll try to edit discourse.conf and set via site-settings
Message (4 copies reported)
(google_oauth2) Authentication failure! authenticity_error: OmniAuth::AuthenticityError, Forbidden
Backtrace
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:134:in `block in error'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:231:in `block in dispatch'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:231:in `each'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:231:in `dispatch'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:134:in `error'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:163:in `log'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:540:in `fail!'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:261:in `rescue in request_call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:233:in `request_call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:193:in `call!'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:169:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/builder.rb:44:in `call'
/var/www/discourse/lib/middleware/omniauth_bypass_middleware.rb:43:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/tempfile_reaper.rb:15:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/conditional_get.rb:40:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/head.rb:12:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/http/permissions_policy.rb:38:in `call'
/var/www/discourse/lib/content_security_policy/middleware.rb:12:in `call'
/var/www/discourse/lib/middleware/anonymous_cache.rb:399:in `call'
/var/www/discourse/lib/middleware/csp_script_nonce_injector.rb:12:in `call'
/var/www/discourse/config/initializers/008-rack-cors.rb:14:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/session/abstract/id.rb:266:in `context'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/session/abstract/id.rb:260:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/cookies.rb:704:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/callbacks.rb:31:in `block in call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/callbacks.rb:101:in `run_callbacks'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/callbacks.rb:30:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/debug_exceptions.rb:31:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/show_exceptions.rb:32:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/logster-2.20.0/lib/logster/middleware/reporter.rb:40:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/rack/logger.rb:41:in `call_app'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/rack/logger.rb:29:in `call'
/var/www/discourse/config/initializers/100-quiet_logger.rb:20:in `call'
/var/www/discourse/config/initializers/100-silence_logger.rb:29:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/request_id.rb:33:in `call'
/var/www/discourse/lib/middleware/enforce_hostname.rb:24:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/method_override.rb:24:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/executor.rb:16:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/sendfile.rb:110:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-mini-profiler-3.3.1/lib/mini_profiler.rb:191:in `call'
/var/www/discourse/lib/middleware/processing_request.rb:12:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/message_bus-4.3.8/lib/message_bus/rack/middleware.rb:60:in `call'
/var/www/discourse/lib/middleware/request_tracker.rb:360:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/remote_ip.rb:96:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/engine.rb:535:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/railtie.rb:226:in `public_send'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/railtie.rb:226:in `method_missing'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/urlmap.rb:74:in `block in call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/urlmap.rb:58:in `each'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/urlmap.rb:58:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:634:in `process_client'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:739:in `worker_loop'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:143:in `start'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/bin/unicorn:128:in `<top (required)>'
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `load'
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `<main>'
Env
HTTP HOSTS: looks.right.to.me.com
It’s not obvious that there is more info with verbose logging.
I’m rebuilding one of the sites now for an unrelated reason
pfaffman
(Jay Pfaffman)
December 4, 2024, 9:37pm
4
OMG. I just ran another upgrade and it’s working.
And then I upgraded the other site and it too is working. I see nothing in the commits or my stuff that could explain any of this. Usually I can at least prove that I am the cause of the problem.
pfaffman
(Jay Pfaffman)
December 5, 2024, 2:43pm
5
Sigh. And now nothing has changed and what worked yesterday afternoon when I “fixed” it by rebuilding both sites is now giving
Sorry, there was an error authorizing your account. Please try again.
for both of them.
The thing that did change is that I entered both containers and edited /var/www/discourse/plugins/discourse-data-explorer/plugins.rb and did an sv restart unicorn.
So could somehow restarting the unicorn cause a problem? That makes no sense. I don’t want to restart the containers because both are doing long-running imports for the next 30-40 hours.
pfaffman
(Jay Pfaffman)
December 5, 2024, 5:13pm
6
This might be a clue. For each of the errors mentioned there’s also one of these: Attack prevented by OmniAuth::AuthenticityTokenProtection.
Message (8 copies reported)
Attack prevented by OmniAuth::AuthenticityTokenProtection
Backtrace
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:130:in `block in warn'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:231:in `block in dispatch'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:231:in `each'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:231:in `dispatch'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/broadcast_logger.rb:130:in `warn'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/authenticity_token_protection.rb:26:in `deny'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-protection-3.2.0/lib/rack/protection/base.rb:57:in `react'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/authenticity_token_protection.rb:18:in `call!'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/authenticity_token_protection.rb:11:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:240:in `request_call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:193:in `call!'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:169:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/builder.rb:44:in `call'
/var/www/discourse/lib/middleware/omniauth_bypass_middleware.rb:43:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/tempfile_reaper.rb:15:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/conditional_get.rb:40:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/head.rb:12:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/http/permissions_policy.rb:38:in `call'
/var/www/discourse/lib/content_security_policy/middleware.rb:12:in `call'
/var/www/discourse/lib/middleware/anonymous_cache.rb:399:in `call'
/var/www/discourse/lib/middleware/csp_script_nonce_injector.rb:12:in `call'
/var/www/discourse/config/initializers/008-rack-cors.rb:14:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/session/abstract/id.rb:266:in `context'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/session/abstract/id.rb:260:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/cookies.rb:704:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/callbacks.rb:31:in `block in call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/activesupport-7.2.2/lib/active_support/callbacks.rb:101:in `run_callbacks'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/callbacks.rb:30:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/debug_exceptions.rb:31:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/show_exceptions.rb:32:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/logster-2.20.0/lib/logster/middleware/reporter.rb:40:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/rack/logger.rb:41:in `call_app'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/rack/logger.rb:29:in `call'
/var/www/discourse/config/initializers/100-quiet_logger.rb:20:in `call'
/var/www/discourse/config/initializers/100-silence_logger.rb:29:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/request_id.rb:33:in `call'
/var/www/discourse/lib/middleware/enforce_hostname.rb:24:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/method_override.rb:24:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/executor.rb:16:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/sendfile.rb:110:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-mini-profiler-3.3.1/lib/mini_profiler.rb:191:in `call'
/var/www/discourse/lib/middleware/processing_request.rb:12:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/message_bus-4.3.8/lib/message_bus/rack/middleware.rb:60:in `call'
/var/www/discourse/lib/middleware/request_tracker.rb:360:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/actionpack-7.2.2/lib/action_dispatch/middleware/remote_ip.rb:96:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/engine.rb:535:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/railtie.rb:226:in `public_send'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/railties-7.2.2/lib/rails/railtie.rb:226:in `method_missing'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/urlmap.rb:74:in `block in call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/urlmap.rb:58:in `each'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/urlmap.rb:58:in `call'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:634:in `process_client'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:739:in `worker_loop'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:547:in `spawn_missing_workers'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:143:in `start'
/var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/bin/unicorn:128:in `<top (required)>'
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `load'
/var/www/discourse/vendor/bundle/ruby/3.3.0/bin/unicorn:25:in `<main>'
Env
HTTP HOSTS: six.imports.literatehosting.com
1 Like
No doubt!
I don’t touch this part of the stack so I’ve got no idea… except…
Jay Pfaffman:
omniauth-2.1.2
How do you have this version installed? The version Discourse is locked to is 1.9.2
It’s possible this is an incompatibility. Are you doing anything… atypical… here?
3 Likes
pfaffman
(Jay Pfaffman)
December 6, 2024, 1:47am
8
Wow! You noticed the version!
That’s it! (maybe)
I did an apt update to install some stuff (vim but especially tiny_tds for the import). So maybe something that I upgraded forced an upgrade of omniauth.
No. That’s not it. I removed the Gemfile.lock so when I did the bundle install, it upgraded omniauth?
So maybe rather than this being an annoyance, it might really help find an issue with the new omniauth.
I’ll see if I can replicate it, maybe by just upgrading omniauth. Maybe just delete the Gemfile lock and bundling?
Oh. Maybe this is why setting IMPORT=1 is more important than I thought.
Edit: yes. It definitely must be about doing a bundle install to add the tiny_tds for the import. I often don’t use IMPORT=1 because it causes other problems. I’ll try to confirm that it’s the omniauth upgrade that’s causing the problem, but it seems very likely.
1 Like
Soon as you did, this whole thing became unsupported. Major gem version upgrades are something that needs to be tested, I’m not surprised you’re having problems.
(as I understand it) When we do imports we do what’s necessary to get the data in place, then we take a backup and restore it to a clean site.
All else being equal I’d try that first.
pfaffman
(Jay Pfaffman)
December 6, 2024, 10:16am
10
Yup! Thanks for noticing that version!
I’m not quite sure how to get the tiny_tds installed without bumping the version (perhaps the IMPORT=1 will do it), but at least I now have an explanation. And this explains why building a new container fixes it.
Thanks so much for noticing that. I was going crazy.
Maybe the new version has different parameters or something so it’s just not getting the settings at all.
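
An added example (not part of the original thread and not Discourse's own code): the check that resolved this thread, comparing the gem versions visible in backtrace paths against the pins in Gemfile.lock. The lockfile excerpt is constructed; only the omniauth pin of 1.9.2 comes from the thread, and the function names are hypothetical.

```ruby
# Constructed Gemfile.lock excerpt. Only "omniauth (1.9.2)" is taken from the
# thread; the rack and unicorn pins are assumptions for illustration.
SAMPLE_LOCK = <<~'LOCK'
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (1.9.2)
        hashie (>= 3.4.6)
        rack (>= 1.6.2, < 3)
      rack (2.2.10)
      unicorn (6.1.0)
LOCK

# Backtrace lines copied from the log posted in the thread.
SAMPLE_BACKTRACE = <<~'TRACE'
  /var/www/discourse/vendor/bundle/ruby/3.3.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb:540:in `fail!'
  /var/www/discourse/vendor/bundle/ruby/3.3.0/gems/rack-2.2.10/lib/rack/head.rb:12:in `call'
  /var/www/discourse/lib/middleware/enforce_hostname.rb:24:in `call'
  /var/www/discourse/vendor/bundle/ruby/3.3.0/gems/unicorn-6.1.0/lib/unicorn/http_server.rb:143:in `start'
TRACE

# Resolved specs sit at exactly four spaces of indent; their dependency
# constraints sit at six and are skipped.
def locked_versions(lock_text)
  lock_text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
end

# Gem name and version as encoded in ".../gems/<name>-<version>/..." paths.
def loaded_versions(backtrace_text)
  found = Hash.new { |hash, key| hash[key] = [] }
  backtrace_text.scan(%r{/gems/([\w.-]+?)-(\d[\w.-]*)/}) do |name, version|
    found[name] << version unless found[name].include?(version)
  end
  found
end

# Gems whose running version differs from the pin (locked: nil means the gem
# is not in the lockfile at all).
def version_drift(lock_text, backtrace_text)
  locked = locked_versions(lock_text)
  loaded_versions(backtrace_text).each_with_object({}) do |(name, versions), drift|
    unexpected = versions.reject { |version| version == locked[name] }
    drift[name] = { locked: locked[name], loaded: unexpected } unless unexpected.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  version_drift(SAMPLE_LOCK, SAMPLE_BACKTRACE).each do |name, info|
    puts "#{name}: locked #{info[:locked].inspect}, running #{info[:loaded].join(', ')}"
  end
end
```

Against a real site, pass the contents of the application's Gemfile.lock and the backtrace text from /logs instead of the samples.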