Website login issue


michaelm

Member
Jun 20, 2019
5
4
Hi,
Login on desktop machine using SQRL app on my phone = no issues.
Login on the phone itself 'clicking' the QR code/sqrl logo = issues. See attached screenshot(s) - 2 steps (password screen in between these)

Needless to say, "login anyway" doesn't work and just takes you back to screen 1.

Any ideas what this might be? Pixel 2 phone, if relevant.
 

Attachments

Carl

Member
May 19, 2018
23
9
Ah, I hadn't seen those forum pages! :)
Anyway, it seems that there's too many characters being kept in the domain name string, since it was listed as: forums.grc.com/c
"/c" should not have been kept from the sqrl link "sqrl://forums.grc.com/cli.sqrl?x=2&nut=...&can=..."

Edit: well, since x=2 is used, on purpose, I guess they WANTED to keep that part in there! OK...
 

ahauser

Well-known member
Feb 22, 2019
222
57
Hi @michaelm, and thanks for taking the time to report this issue.

First question: Can you reproduce it?
Like @Carl said, this definitely looks like someone was messing with the x= parameter right at the time when you were hitting the "login with sqrl" button.

If you *can* reproduce it though, you might have found a nasty bug, and I'd definitely want to follow up on that then.
Looking forward to your feedback.
 

Chauncy

Member
May 30, 2018
5
1
I'm also having the same problem logging into the forum on my android phone, Galaxy S9+ to be exact, using Firefox. I thought that an update of some sort messed something up but didn't have time to look into it until now.

It was odd to see the spoof protection warning on a same device login. That "/c" at the end seems to have triggered it. There was no "/c" present at the password entry. The other strange thing is I can use the app to scan the QR Code on my desktop computer and it it works fine to log me in there.

There is something happening that the developers need to take a look at.
 
Last edited:

ahauser

Well-known member
Feb 22, 2019
222
57
Thanks for all the input, guys!

I guess it's fair to assume at this point that there indeed is a problem with the way the Android client handles the x=n parameter when performing the anti-spoof protection checks, so I've created a Github issue for this:


I might be stating the obvious here, but just want to remind everyone that the development of the Android client (and the SQRL development in general, with the exception of @Jeffa's iOS client) and has come to a grinding halt quite a while ago, after Steve has left the project in favour of his work on SpinRite 6.1. So, chances are that those issues are not going to get immediate attention from the devs.
 

ahauser

Well-known member
Feb 22, 2019
222
57
I've tried reproducing this issue on 3 different devices, but it worked flawlessly each and every time. Registered a new account, logged in, logged out and back in again, all without any troubles.

@michaelm and @Chauncy:
Any more clues on what could trigger the issue for me (non-standard identity settings, etc.) ??