Hi all,
My YunoHost server
Hardware: computer at home
YunoHost version:
- yunohost version: 11.2.8.2 (stable), upgraded to 11.2.9.1 (stable)
- yunohost-admin version: 11.2.3 (stable), upgraded to 11.2.4 (stable)
- moulinette version: 11.2 (stable) (no upgrade)
- ssowat version: 11.2 (stable) (no upgrade)
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no /
If your request is related to an app, specify its name and version:
id: syncserver-rs
name: Firefox SyncStorage
version: 0.14.4~ynh1 (no upgrade)
Description of my issue
I have installed syncserver-rs, expecting it to be a drop-in replacement for the old syncserver (1.9.1~ynh3) that ran on Python 2. After installing and connecting Firefox, sync does not happen; about:sync-log in Firefox shows errors.
To keep sync functionality and also upgrade to Bullseye, I had a small VPS running Debian 10 / Buster with Yunohost 4.4.3. It ran at https://ffs.domain.tld/ffsync/.
The VPS is still running, only DNS points to Yunohost at home now, where I also added the ffs-subdomain.
Because syncserver-rs does not like to be installed in a subdirectory, the identity.sync.tokenserver.uri changed a bit:
- https://ffs.domain.tld/token/1.0/sync/1.5 vs
- https://ffs.domain.tld/ffsync/token/1.0/sync/1.5 previously
I started out with a new profile in Firefox and an alternative Firefox-based browser on my phone for the new syncserver-rs. No synchronization was happening. I switched my main profile as well, to prevent the syncserver-rs or nginx log from showing mentions of the old URL.
Firefox logs the synchronization client side. Logs are written to the profile directory, and can conveniently be accessed via the special about:sync-logs URL. I uploaded a sample of this morning's error log.
Searching for "ffs", this section pops out:
1704950836337 FirefoxAccounts INFO fetching updated device list
1704950836393 Services.Common.RESTRequest DEBUG GET request to https://api.accounts.firefox.com/v1/account/devices?filterIdleDevicesTimestamp=1703136436340
1704950836464 Services.Common.RESTRequest DEBUG GET https://ffs.maindomain.tld/token/1.0/sync/1.5 404
1704950836464 Services.Common.TokenServerClient DEBUG Got token response: 404
1704950836465 Services.Common.TokenServerClient WARN Error processing token server response: TypeError: right-hand side of 'in' should be an object, got number(resource://services-common/tokenserverclient.sys.mjs:297:11) JS Stack trace: _processTokenResponse@tokenserverclient.sys.mjs:297:11
_tokenServerExchangeRequest@tokenserverclient.sys.mjs:239:19
1704950836465 Sync.SyncAuthManager ERROR Non-authentication error in _fetchTokenForUser: TokenServerClientError({"message":{}})(resource://services-common/tokenserverclient.sys.mjs:28:36) JS Stack trace: TokenServerClientError@tokenserverclient.sys.mjs:25:16
_tokenServerExchangeRequest@tokenserverclient.sys.mjs:245:19
1704950836465 Sync.Status DEBUG Status.login: success.status_ok => error.login.reason.network
1704950836465 Sync.Status DEBUG Status.service: error.login.failed => error.login.failed
When visiting the domain "manually", a note is displayed telling "Syncstorage is running", and some JSON-info when visiting the token-URL. There the response header mentions SSO:
Response headers:
- X-Firefox-Spdy: h2
- content-length: 1
- content-security-policy: upgrade-insecure-requests
- content-type: application/json
- date: Thu, 11 Jan 2024 05:54:00 GMT
- permissions-policy: interest-cohort=()
- server: nginx
- strict-transport-security: max-age=63072000; includeSubDomains; preload
- x-content-type-options: nosniff
- x-download-options: noopen
- x-frame-options: SAMEORIGIN
- x-permitted-cross-domain-policies: none
- x-sso-wat: You've just been SSOed
- x-weave-timestamp: 1704952440.28
- x-xss-protection: 1; mode=block
I'm not familiar with the workings of SSO-wat. I found the config in /etc/ssowat/conf.json, can/should I add the token URI there? Or add a custom web app at the location (not sure whether syncserver-rs's greedy "this is my domain"-needs would allow).
How can I prevent SSO-wat from blocking access to https://ffs.domain.tld/token/1.0/sync/1.5 ?
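Added example, not part of the original post: a small Python script that triages an about:sync-log excerpt like the one quoted above, listing the HTTP responses with an error status and the Sync.Status changes that follow them. The function names are made up for this sketch, and the line layout (millisecond timestamp, logger, level, message) is assumed from the quoted lines.

```python
import re
from datetime import datetime, timezone

# Excerpt of the log lines quoted in the post (one stack frame kept as a sample).
SAMPLE = """\
1704950836337 FirefoxAccounts INFO fetching updated device list
1704950836464 Services.Common.RESTRequest DEBUG GET https://ffs.maindomain.tld/token/1.0/sync/1.5 404
1704950836464 Services.Common.TokenServerClient DEBUG Got token response: 404
1704950836465 Sync.SyncAuthManager ERROR Non-authentication error in _fetchTokenForUser: TokenServerClientError({"message":{}})
_tokenServerExchangeRequest@tokenserverclient.sys.mjs:245:19
1704950836465 Sync.Status DEBUG Status.login: success.status_ok => error.login.reason.network
"""

ENTRY = re.compile(r"^(\d{13}) (\S+) ([A-Z]+) (.*)$")        # assumed line layout
RESPONSE = re.compile(r"^(GET|POST|PUT|DELETE) (\S+) (\d{3})$")
TRANSITION = re.compile(r"^Status\.(\w+): (\S+) => (\S+)$")

def parse_sync_log(text):
    """Split the log into entries; lines without a timestamp are stack frames
    belonging to the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts = datetime.fromtimestamp(int(m[1]) / 1000, tz=timezone.utc)
            entries.append({"time": ts, "logger": m[2], "level": m[3],
                            "msg": m[4], "trace": []})
        elif entries and line.strip():
            entries[-1]["trace"].append(line.strip())
    return entries

def failed_requests(entries):
    """Return (method, url, status) for each logged HTTP response with status >= 400."""
    out = []
    for e in entries:
        m = RESPONSE.match(e["msg"]) if e["logger"].endswith("RESTRequest") else None
        if m and int(m[3]) >= 400:
            out.append((m[1], m[2], int(m[3])))
    return out

def status_transitions(entries):
    """Return (field, old, new) for each Sync.Status line whose value changed."""
    found = (TRANSITION.match(e["msg"]) for e in entries if e["logger"] == "Sync.Status")
    return [(m[1], m[2], m[3]) for m in found if m and m[2] != m[3]]

if __name__ == "__main__":
    log = parse_sync_log(SAMPLE)
    for method, url, status in failed_requests(log):
        print(f"{status} {method} {url}")
    for field, old, new in status_transitions(log):
        print(f"Status.{field}: {old} -> {new}")
```

Matching the timestamp of a failed request against the nginx access log on the server shows which location block answered it.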