Catch token auth errors and present a friendly error message

[liffiton]

Earlier today I had a class of about 25 students do a dry-run of submitting an assignment through okpy today, and almost all attempts failed with errors from okpy. My attempts during class also mostly failed, though I have no problems running it by myself before or after. I have a few ideas about what might have caused it, and I'm wondering if you can provide some help understanding this:

• I had students going through the steps together, waiting for people to catch up in many cases, and so there may have been a minute or so between most students receiving their auth token and pasting it into their notebooks (we're using Jupyter). Is there a short time limit on the validity of those tokens?
• Or perhaps the fact that up to 25 auth requests were coming all at once from the same IP (a jupyterhub server behind a campus NAT) could cause a problem?
• Or finally, is it possibly just a load issue caused by 25 students trying to authorize at once? This seems least likely.

Thanks for any help or ideas you can provide.

[Sumukh]

Is it possible that the OK auth files are being written to same place (do students share a home directory?)

[liffiton]

That's a good thought, but no they don't. Each student has their own user and home directory.

I've tested it out a bit, and I think at least some of the trouble does come from the authorization codes timing out. If you get an auth code and wait a bit before pasting it in to use it, you end up with an auth error. I'm guessing that is by design, but if so, some more informative error message would be very helpful. If we had received a message telling us the code had timed out in some way, we would have known we should just try again.

[Sumukh]

Hmm. Our auth tokens should be valid for a while (certainly longer than an hour)

…

On Tue, Sep 4, 2018 at 3:21 PM Mark Liffiton ***@***.***> wrote: That's a good thought, but no they don't. Each student has their own user and home directory. I've tested it out a bit, and I think at least some of the trouble does come from the authorization codes timing out. If you get an auth code and wait a bit before pasting it in to use it, you end up with an auth error. I'm guessing that is by design, but if so, some more informative error message would be very helpful. If we had received a message telling us the code had timed out in some way, we would have known we should just try again. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#350 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA12zWCxwD5xBq5YpOCfGud6G9sSsa6kks5uXvz-gaJpZM4WV8mO> .

[Sumukh]

I’ll take a closer look soon

…

On Tue, Sep 4, 2018 at 4:49 PM Sumukh Sridhara ***@***.***> wrote: Hmm. Our auth tokens should be valid for a while (certainly longer than an hour) On Tue, Sep 4, 2018 at 3:21 PM Mark Liffiton ***@***.***> wrote: > That's a good thought, but no they don't. Each student has their own user > and home directory. > > I've tested it out a bit, and I think at least some of the trouble does > come from the authorization codes timing out. If you get an auth code and > wait a bit before pasting it in to use it, you end up with an auth error. > I'm guessing that is by design, but if so, some more informative error > message would be very helpful. If we had received a message telling us the > code had timed out in some way, we would have known we should just try > again. > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > <#350 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AA12zWCxwD5xBq5YpOCfGud6G9sSsa6kks5uXvz-gaJpZM4WV8mO> > . >

[liffiton]

I've tested it more, and it seems to be fairly consistent. I can't test it enough to find a clear cutoff, but if I wait maybe two minutes or more before entering the code, I get the following:

from client.api.notebook import Notebook
ok = Notebook('A1.ok')
import os
if not os.path.exists(os.path.join(os.environ.get("HOME"), ".config/ok/auth_refresh")):
    ok.auth(force=True)
else:
    ok.auth(inline=True)
_ = ok.submit()

=====================================================================
Assignment: Assignment 1: Writing Simple Programs
OK, version v1.13.11
=====================================================================


Open the following URL:

https://okpy.org/client/login/

After logging in, copy the code from the web page and paste it into the box.
Then press the "Enter" key on your keyboard.

Paste your code here:  [code pasted here]

ERROR  | auth.py:91 | {'error': 'invalid_grant'}

---------------------------------------------------------------------
Authentication error: invalid grant
---------------------------------------------------------------------
Javascript Error: IPython is not defined

Javascript Error: IPython is not defined

Saving notebook... Could not save your notebook. Make sure your notebook is saved before sending it to OK!
Performing authentication
Please enter your bCourses email.

bCourses email: 

The javascript errors are just due to incompatibility with JupyterLab, I believe.

[Sumukh]

You are right - we expire them after 100 seconds. We can increase this to be a bit more reasonable.

https://github.com/okpy/ok/blob/master/server/controllers/oauth.py#L37

[liffiton]

Ah, okay.

It was only an issue because of how the class waited for everyone to catch up before I told them to move on. It's probably not an issue in normal use, but if there's no problem with extending the expiration time, then it would save a few other people in situations like mine from a bit of trouble.

Thanks!

[Sumukh]

I've extended it to 5 min for now. okpy/ok@7e8928e

I'm going to leave this issue open & rename it so that we can present a better error message.

[liffiton]

Sounds good to me. Thanks!