Email verification seem buggy + is deactivation possible ?

[arminvburren]

Hello,
So I've seen there's a new version of fief which introduce email verification. I'm not too happy and I'll just share the few problems I've had with it:

• First, on every device i was connected to my heroku apps through fief I've had an "Internal Server Error" for 2 weeks. It took me a while to understand it was coming from fief actually and I had to delete all my cookies and have to relogin to be able to the new fief version. This is a bit of a problem because I feel there's a possibility that RIGHT NOW all my users may be having the exact same problem right now and just can't access my websites if they were connected through fief on them. The bigger problem is that I can't debug it because now I'm connected with the new version so I can't see the error, and I don't know how to reach to them to explain they have to remove their fief cookies (if they understand what that evern means) if the only see they can see is the "Internal server error" on my websites. Is there a way to make their cookie expiring or disconnect all my users remotely so that can reconnect and access the websites again ?

• Secondly the actual "verification code" process seem to just not be working. On my two websites where I've done the process to get MY access, I've literally copy pasted the code from the email to the 6 letter boxes, and EVERY TIME it said "wrong code or expired". That said, when I refreshed the websites I was actually connected. But that happend after I tried to do "resend the code", which actually took me to some other page to change the password or something, which is not what I wanted to do at all (and also the "previous" button had a really weird behaviour which didn't bring me back to the right place)

• Thirdly, the bottom line is that I really don't need any kind of email verification, and I absolutely think it's an unnecessary hassle for my users. I don't see the point: no one has sensitive information on my websites and the accounts are here to improve user experience mostly. I actually though it was precisely great that fief enabled authentification without that kind of back and forth between email and website which is so common and annoying this days (not even mentioning the 2FA insanity I need to do just even speak on github where I have 0 code, or the 'saleforce authentificator' for heroku 🙄 ... ). Is there a way I can disable email verification on fief ? If that doesn't exist that would be an ABSOLUTELY welcomed feature from my side in the future (and even right now since the email verification flow seem still quite buggy.

Thanks again for the great library though in general.
Regards

[arminvburren]

Btw the error I'm getting that leads to "internal server error" on devices I was connected before the change is this. Any idea how to avoid this to my users ?

2023-08-30T16:30:30.427873+00:00 heroku[web.1]: State changed from starting to up
2023-08-30T16:30:32.397942+00:00 app[web.1]: INFO:     2a03:2880:27ff:9::face:b00c:0 - "GET /images/favicon_200.jpg HTTP/1.1" 200 OK
2023-08-30T16:30:32.399698+00:00 heroku[router]: at=info method=GET path="/static/images/favicon_200.jpg" host=simu-immo.fr request_id=a8f4be03-020c-460c-b082-c5bd24284c63 fwd="2a03:2880:27ff:9::face:b00c,172.70.39.19" dyno=web.1 connect=0ms service=33ms status=200 bytes=45754 protocol=http
2023-08-30T16:34:49.929798+00:00 app[web.1]: INFO:     2a01:e0a:40c:9140:cab1:d9f6:6fa3:fdf:0 - "GET /admin HTTP/1.1" 500 Internal Server Error
2023-08-30T16:34:49.930572+00:00 heroku[router]: at=info method=GET path="/admin" host=simu-immo.fr request_id=d24c8bf1-845f-4101-8aa7-98b7085e8548 fwd="2a01:e0a:40c:9140:cab1:d9f6:6fa3:fdf,172.71.130.80" dyno=web.1 connect=0ms service=629ms status=500 bytes=193 protocol=http
2023-08-30T16:34:49.931280+00:00 app[web.1]: ERROR:    Exception in ASGI application
2023-08-30T16:34:49.931280+00:00 app[web.1]: Traceback (most recent call last):
2023-08-30T16:34:49.931282+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/uvicorn/protocols/http/h11_impl.py", line 407, in run_asgi
2023-08-30T16:34:49.931291+00:00 app[web.1]: result = await app(  # type: ignore[func-returns-value]
2023-08-30T16:34:49.931292+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/uvicorn/middleware/proxy_headers.py", line 78, in __call__
2023-08-30T16:34:49.931292+00:00 app[web.1]: return await self.app(scope, receive, send)
2023-08-30T16:34:49.931293+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fastapi/applications.py", line 271, in __call__
2023-08-30T16:34:49.931293+00:00 app[web.1]: await super().__call__(scope, receive, send)
2023-08-30T16:34:49.931293+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/applications.py", line 118, in __call__
2023-08-30T16:34:49.931293+00:00 app[web.1]: await self.middleware_stack(scope, receive, send)
2023-08-30T16:34:49.931294+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/middleware/errors.py", line 184, in __call__
2023-08-30T16:34:49.931295+00:00 app[web.1]: raise exc
2023-08-30T16:34:49.931295+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/middleware/errors.py", line 162, in __call__
2023-08-30T16:34:49.931296+00:00 app[web.1]: await self.app(scope, receive, _send)
2023-08-30T16:34:49.931296+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/middleware/exceptions.py", line 79, in __call__
2023-08-30T16:34:49.931296+00:00 app[web.1]: raise exc
2023-08-30T16:34:49.931297+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/middleware/exceptions.py", line 68, in __call__
2023-08-30T16:34:49.931297+00:00 app[web.1]: await self.app(scope, receive, sender)
2023-08-30T16:34:49.931298+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fastapi/middleware/asyncexitstack.py", line 21, in __call__
2023-08-30T16:34:49.931298+00:00 app[web.1]: raise e
2023-08-30T16:34:49.931298+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fastapi/middleware/asyncexitstack.py", line 18, in __call__
2023-08-30T16:34:49.931299+00:00 app[web.1]: await self.app(scope, receive, send)
2023-08-30T16:34:49.931299+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/routing.py", line 706, in __call__
2023-08-30T16:34:49.931299+00:00 app[web.1]: await route.handle(scope, receive, send)
2023-08-30T16:34:49.931299+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/routing.py", line 276, in handle
2023-08-30T16:34:49.931300+00:00 app[web.1]: await self.app(scope, receive, send)
2023-08-30T16:34:49.931301+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/starlette/routing.py", line 66, in app
2023-08-30T16:34:49.931301+00:00 app[web.1]: response = await func(request)
2023-08-30T16:34:49.931301+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fastapi/routing.py", line 227, in app
2023-08-30T16:34:49.931301+00:00 app[web.1]: solved_result = await solve_dependencies(
2023-08-30T16:34:49.931302+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fastapi/dependencies/utils.py", line 543, in solve_dependencies
2023-08-30T16:34:49.931302+00:00 app[web.1]: solved = await call(**sub_values)
2023-08-30T16:34:49.931302+00:00 app[web.1]: File "<makefun-gen-17>", line 2, in _current_user
2023-08-30T16:34:49.931302+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fief_client/integrations/fastapi.py", line 245, in _current_user
2023-08-30T16:34:49.931302+00:00 app[web.1]: userinfo = cast(FiefUserInfo, await result)
2023-08-30T16:34:49.931302+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fief_client/client.py", line 921, in userinfo
2023-08-30T16:34:49.931302+00:00 app[web.1]: self._handle_request_error(response)
2023-08-30T16:34:49.931303+00:00 app[web.1]: File "/app/.heroku/python/lib/python3.9/site-packages/fief_client/client.py", line 379, in _handle_request_error
2023-08-30T16:34:49.931303+00:00 app[web.1]: raise FiefRequestError(response.status_code, response.text)
2023-08-30T16:34:49.931304+00:00 app[web.1]: fief_client.client.FiefRequestError: [401] - {"detail":"Unauthorized"}
2023-08-30T16:34:50.162575+00:00 app[web.1]: INFO:     2a01:e0a:40c:9140:cab1:d9f6:6fa3:fdf:0 - "GET /favicon.ico HTTP/1.1" 404 Not Found
2023-08-30T16:34:50.163091+00:00 heroku[router]: at=info method=GET path="/favicon.ico" host=simu-immo.fr request_id=f1c5534e-d72d-4724-a619-f9e06ec2dd7c fwd="2a01:e0a:40c:9140:cab1:d9f6:6fa3:fdf,172.71.130.116" dyno=web.1 connect=0ms service=1ms status=404 bytes=173 protocol=http

[frankie567]

Hi @arminvburren 👋

• Is there a way to make their cookie expiring or disconnect all my users remotely so that can reconnect and access the websites again ?

The cookie expires when the access token expires. So if the access token has a lifetime of 1 hour, the browser will remove the cookie at that time.

• Secondly the actual "verification code" process seem to just not be working.

I've indeed identified cases where the form is submitted twice, leading to an error to the user, but the verification actually works behind the scenes.

• Is there a way I can disable email verification on fief ? If that doesn't exist that would be an ABSOLUTELY welcomed feature from my side in the future

Not currently, but I may consider it. The thing is, in terms of security, it's highly recommended to verify emails, that's why I decided in a first approach to make it mandatory. But I understand it's an opinionated choice that may not fit every use cases.

[arminvburren]

Here's the beginning of the main function, in FastAPI:

"""
FastAPI entrypoint for Simu-Immo. Launch using "uvicorn main:app --reload" in the current folder.
"""
import os
from datetime import date
import json
import asyncio
import numpy as np
import timer_cm

from fastapi import FastAPI, Request, Form, Depends
from fastapi.responses import HTMLResponse, RedirectResponse
from fastapi.staticfiles import StaticFiles
from fastapi.templating import Jinja2Templates

import simu_interface
from simu_interface import SimulationWebInputs
from utils import send_email_webmaster_async

from fiefauth import authrouter, auth
from database import get_db, create_simulation, get_simulation_by_hashstring, delete_simulation_by_hashstring, get_users, log_simulation
from backend import get_authentification_infos

# Deactivating function docstrings since they're obvious with FastAPI syntax.
# pylint: disable=C0116

app = FastAPI()
app.mount("/static", StaticFiles(directory="static"), name="static")
templates = Jinja2Templates(directory="templates")

def https_url_for(request: Request, name: str, **path_params) -> str:
    http_url = request.url_for(name, **path_params)
    if "DATABASE_URL" in os.environ:
        return http_url.replace("http://", "https://", 1)
    else:
        return http_url
templates.env.globals["https_url_for"] = https_url_for

app.include_router(authrouter)

### Home Page
##############
@app.get("/")
async def root(request: Request, user = Depends(auth.current_user(optional=True)), db_sess = Depends(get_db)):

    auth_infos = await get_authentification_infos(request, user, db_sess)

    return templates.TemplateResponse("index.html", {"request": request,
                                                     "auth_infos": auth_infos})

@app.get("/index.html")
async def root_index(request: Request, user = Depends(auth.current_user(optional=True)), db_sess = Depends(get_db)):

    auth_infos = await get_authentification_infos(request, user, db_sess)

    return templates.TemplateResponse("index.html", {"request": request,
                                                     "auth_infos": auth_infos})

Here's the "fiefauth.py" file (without the keys):

"""
This module contains all functions related to the interaction with Fief for authentification.
"""
import uuid
from datetime import datetime
from typing import Dict, Optional

from fastapi import APIRouter, Depends, HTTPException, Query, Request, Response, status
from fastapi.responses import HTMLResponse, RedirectResponse
from fastapi.security import APIKeyCookie
from fief_client import FiefAccessTokenInfo, FiefAsync, FiefUserInfo
from fief_client.integrations.fastapi import FiefAuth

fief = FiefAsync(  # !
    "https://simu-immo.fief.dev",
    "###",
    "###",
)

def make_https_if_not_local(redirect_uri):
    if not '127.0.0.1:8000' in redirect_uri or 'localhost:8000' in redirect_uri:
        return redirect_uri.replace("http://", "https://")
    return redirect_uri

class CustomFiefAuth(FiefAuth):  # !
    client: FiefAsync

    async def get_unauthorized_response(self, request: Request, response: Response):
        redirect_uri =  make_https_if_not_local(request.url_for("auth_callback"))
        auth_url = await self.client.auth_url(redirect_uri, scope=["openid"])
        raise HTTPException(
            status_code=status.HTTP_307_TEMPORARY_REDIRECT,
            headers={"Location": auth_url},
        )

# Cache
class MemoryUserInfoCache:  #
    def __init__(self) -> None:
        self.storage: Dict[uuid.UUID, FiefUserInfo] = {}  #
    async def get(self, user_id: uuid.UUID) -> Optional[FiefUserInfo]:  #
        return self.storage.get(user_id)
    async def set(self, user_id: uuid.UUID, userinfo: FiefUserInfo) -> None:  #
        self.storage[user_id] = userinfo

memory_userinfo_cache = MemoryUserInfoCache()
async def get_memory_userinfo_cache() -> MemoryUserInfoCache:  #
    return memory_userinfo_cache


scheme = APIKeyCookie(name="user_session_cookie", auto_error=False)
auth = CustomFiefAuth(fief, scheme, get_userinfo_cache=get_memory_userinfo_cache)


### Auth Router ###
###################

authrouter = APIRouter()

@authrouter.get("/auth-callback", name="auth_callback")
async def auth_callback(request: Request, response: Response, code: str = Query(...),
                        my_memory_userinfo_cache: MemoryUserInfoCache = Depends(get_memory_userinfo_cache)):
    redirect_uri = make_https_if_not_local(request.url_for("auth_callback"))
    tokens, userinfo = await fief.auth_callback(code, redirect_uri)

    response = RedirectResponse(make_https_if_not_local(request.url_for("login")))
    response.set_cookie(
        "user_session_cookie",
        tokens["access_token"],
        expires=int(datetime.now().timestamp() + tokens["expires_in"]),
        httponly=True,
        secure=False,  # ❌ Set this to `True` in production !
    )

    await my_memory_userinfo_cache.set(uuid.UUID(userinfo["sub"]), userinfo)

    return response

@authrouter.get("/login", name="login")
async def login(access_token_info: FiefAccessTokenInfo = Depends(auth.current_user())): # pylint: disable=W0613 # external code
    response = HTMLResponse("<script>document.write(window.opener.location.pathname);window.close();\
                              if(window.opener.location.pathname.includes('simulation')) \
                              {window.opener.document.forms['simu_params_form'].submit();} else \
                              {window.opener.location.reload();} \
                              </script>")
    return response

@authrouter.get("/logout", name="logout")
async def logout(request: Request):
    logout_redirect = "http://localhost:8000/" if request.client.host == "127.0.0.1" else "https://simu-immo.fr/"
    logout_url = await fief.logout_url(logout_redirect)
    response = RedirectResponse(logout_url)
    response.delete_cookie("user_session_cookie")
    return response

And the "backend.py" file :

"""
This module contains the authentification logic, which includes creating a new entry in
the db for a new user and "short naming" for display.
"""
from timer_cm import Timer
from database import get_user_by_email, create_user
from utils import send_email_webmaster_async

async def get_authentification_infos(request, userinfo, db_sess):
    with Timer('Timing get_authentification_infos() '):
        authenticated = False
        user_mail_short = None
        db_user = None
        if userinfo is not None:
            try:
                user_mail_short = userinfo["email"].split("@")[0]
                if len(user_mail_short) > 12:
                    user_mail_short = user_mail_short[:9] + "..."
                authenticated = True

                db_user = get_user_by_email(db_sess, userinfo["email"])
                if db_user is None:
                    print("Creating new user in db...")
                    db_user = create_user(db_sess, str(userinfo["email"]))
                    await send_email_webmaster_async("[New User !] " + user_mail_short,
                                            userinfo["email"],
                                            "Vous avez un nouvel utilisateur !",
                                            "Nouvel utilisateur !\nE-mail: " + userinfo["email"] + "\nShort Name: " + user_mail_short)
                else:
                    print("Found user '"+userinfo["email"]+" in db.")

            except Exception as xcp: # pylint: disable=W0718 # The point is to do something whichever Exception happens and report
                print(xcp)
                await send_email_webmaster_async("[Debug] Erreur !", "[email protected]", "Error in backend.py",
                                                "Error:+\n+" + str(xcp) + "\n\n" + str(userinfo))
                authenticated = False
                userinfo = None
                user_mail_short = None

        else: # To test the db_sess in local
            if request.client.host == "127.0.0.1":
                authenticated = True
                userinfo = {"email": "[email protected]"}
                user_mail_short = "arminlocal"
                db_user = get_user_by_email(db_sess, userinfo["email"])
                if db_user is None:
                    print("Creating new user in db...")
                    db_user = create_user(db_sess, str(userinfo["email"]))


        auth_infos={"authenticated":authenticated,
                    "is_admin": False if userinfo is None else (userinfo["email"] == "[email protected]"),
                    "userinfo": userinfo,
                    "user_mail_short":user_mail_short,
                    "db_user":db_user}

    return auth_infos

Note that the website is behind cloudflare "flexible" https method. Any advice to bring back my users would be appreciated

[frankie567]

Ok. So, before diving into it further a quick and easy fix is to simply change the name of the cookie. This way, the old one will be discarded and users can re-login without any issue.

scheme = APIKeyCookie(name="simmuimmo_session", auto_error=False)

[frankie567]

Next: I suggest you to upgrade to fief-client==0.18.1.

Normally, if a token is invalid, it should be gracefully rejected and the user disconnected. This fix handles another possible case of invalid JWT.

[arminvburren]

It seems working ! I only use fief-client>=0.14.0 as a requirement right now. What's the difference between the two packages ?

[frankie567]

Sorry, it's indeed still fief-client, but I recommend you to upgrade to benefits from the latest bugfixes.

[AntonOfTheWoods]

• Is there a way I can disable email verification on fief ? If that doesn't exist that would be an ABSOLUTELY welcomed feature from my side in the future

Not currently, but I may consider it. The thing is, in terms of security, it's highly recommended to verify emails, that's why I decided in a first approach to make it mandatory. But I understand it's an opinionated choice that may not fit every use cases.

@frankie567 I might be holding it wrong but it seems that even for social login it requires an email. This is extremely inconvenient, and I'm not sure I see any value in it at all. Social login is so that the trusted social provider can provide the security and reliability to the user - as secondary users of this identity, we just need to know that the trusted provider knows who it is, and that we can uniquely identify the user. Some fief users might want extra info from the 3rd party provider, some don't.

As a user's email is Personally Identifiable Information under European law, this also has important legal implications. Many users of fief don't actually need any PII and just need a convenient login mechanism, so you are forcing them to collect PII and create significant extra legal and security challenges.

Many countries also don't really use email, and forcing users to validate one is a huge hassle. As an example, email really, really didn't take off in China (a huge proportion of business communication even goes via WeChat!), so many users will actually stop a signup process and not use your service if they have to validate an email address. Many online services, including those in the West (like MS), don't require an email, so you can sign up with just a phone number.

In any case, that it what is happening for me with the Microsoft login - it is forcing email validation after I log in with MS. For the project I am working on I don't want PII (that requires significant extra hassle with university ethics approval), so that makes Fief a lot less useful than it would be.

[frankie567]

@frankie567 I might be holding it wrong but it seems that even for social login it requires an email. This is extremely inconvenient, and I'm not sure I see any value in it at all. Social login is so that the trusted social provider can provide the security and reliability to the user - as secondary users of this identity, we just need to know that the trusted provider knows who it is, and that we can uniquely identify the user. Some fief users might want extra info from the 3rd party provider, some don't.

Maybe, but at some point, we need to make implementation choices. Ours is to consider that email is required to make a user account; which is generally recommended so we can contact users, implement account recovery features, etc.

As a user's email is Personally Identifiable Information under European law, this also has important legal implications. Many users of fief don't actually need any PII and just need a convenient login mechanism, so you are forcing them to collect PII and create significant extra legal and security challenges.

Strictly speaking, whenever you start to store user's data you fall under the GDPR law. Even when just using a social provider, you'll store their external account ID and an access token, so this is also personal information.

Many countries also don't really use email, and forcing users to validate one is a huge hassle. As an example, email really, really didn't take off in China (a huge proportion of business communication even goes via WeChat!), so many users will actually stop a signup process and not use your service if they have to validate an email address. Many online services, including those in the West (like MS), don't require an email, so you can sign up with just a phone number.

As I said, we have to make implementation choices at some point. In Europe, we can't really do anything without an email address (pay our taxes, make a doctor's appointment, etc.). This is an assumption that's made by most of authentication services similar to Fief, like Auth0.

In any case, that it what is happening for me with the Microsoft login - it is forcing email validation after I log in with MS. For the project I am working on I don't want PII (that requires significant extra hassle with university ethics approval), so that makes Fief a lot less useful than it would be.

In this case, I would say that you don't really need Fief. If your goal is "just" to identify users with their MS account, you can just implement a really simple OAuth2 process and be done with it. No need to tackle with a huge thing that does a lot of things you don't actually need.

[arminvburren]

In this case, I would say that you don't really need Fief. If your goal is "just" to identify users with their MS account, you can just implement a really simple OAuth2 process and be done with it. No need to tackle with a huge thing that does a lot of things you don't actually need.

Mm what exactly is the goal / mission / vision of Fief with respect to this sentence ? I mean what are the "lot of things" ? Originally I used fief as simple authentification / identification of my users so they can save some simulations for example. I'm not sure what the more advanced functionalities are ?

Have you made up your mind also about an option for disabling the "email verification" step ? That would be really nice in my opinion, and it would not impact the project too much if it's opt-out only for example.
Cheers