Issue 2414: Invalid authentication method.
Status:  Submitted
Owner:
Closed:  Oct 14
Reported by nic...@eriksson.cc, Jan 21, 2014

Affected Version:

What steps will reproduce the problem?
1. Use new web interface.
2. Try to add an inline comment from diff view. Press "save".
3. Invalid authentication method. In order to authenticate, prefix the REST endpoint URL with /a/ (e.g. http://example.com/a/projects/

What is the expected output? What do you see instead?
The comment should be added as a draft.

Please provide any additional information below.
Broken using Firefox 26.0. Works from 
Jan 21, 2014
#1 nic...@eriksson.cc
*works from Chrome 32.0.1700.76.
Apr 18, 2014
#2 glar...@evernote.com
I'm seeing the same issue in Safari 7.0.2. Works in Chrome 34.0.1847.116.
Jul 14, 2014
#3 pkufra...@gmail.com
Same problem for me. But it doesn't always happen. After refreshing the page, it may become ok.
Jul 14, 2014
#4 pkufra...@gmail.com
Chrome 37.0.2062.3 dev
Gerrit 2.9-rc2
Sep 25, 2014
#5 lopez.ju...@gmail.com
Hit this with

- Chrome 37.0.2062.94
- Gerrit 2.9.1
May 4, 2015
#6 dean.whe...@gmail.com
Seen this issue with Chrome 42.0.2311.90 m and Gerrit 2.10.2
Aug 28, 2015
Project Member #7 dougk....@gmail.com
From what I've noticed, this seems like a session expiration, but testing that (both by deleting the Gerrit cookie and by flushing web_sessions) seems to give an "Authentication required" error.  Haven't yet found a reproduction case which will reliably give this error.
Aug 28, 2015
Project Member #8 dougk....@gmail.com
OK -- this error seems to make sense when X-Gerrit-Auth is missing from the request for some reason (or otherwise not valid -- deleting or changing a random character so it doesn't match the GerritAccount header will do that).  Funny that flushing web_sessions or letting a session expire doesn't cause this... I'm back to not knowing why this is happening. :(
Oct 13, 2015
Project Member #9 dougk....@gmail.com
Finally figured out the reproduction case on this:

1. Set up an authentication method that will give a persistent cookie. (As a result, Incognito mode won't work for purposes of this test, either.)  The development backend doesn't seem to work; I used OAuth for purposes of this testing (using DavidO's gerrit-oauth-provider connected to Google's OAuth service).
2. Log into Gerrit as a regular user.
3. Open a second tab as the same user, browse to a change and leave it on the diff screen.  Theoretically, you could do anything, but specifically doing something that's not a GET or HEAD is needed to cause this specific error.
4. Flush the web_sessions cache to log out everyone.
5. Open the first tab and refresh the page to confirm you're logged out.  Log in again.
6. Attempt to add a comment to the patch.  Note the "Invalid authentication method" error is now displayed.

For more fun try using the "u" key to go back to the main change screen (not the change dashboard).  At least once, I received a query error "Error in operator has:draft".  Clicking on my open changes from the top did result in a "You are not signed in" error.  Unfortunately, once you get into this state, it seems what works and what doesn't is quite unpredictable, with the one exception being the "Invalid authentication method" being reproducible.  This seems to be because the /changes/#/edit?list is returning 403 forbidden, but /q/change:#+has:draft returns 400 bad request (a separate bug, perhaps).
Status: Accepted
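
The state reached by the reproduction steps in comment #9, as a simplified model added here (not Gerrit's code and not part of the thread). Assumptions: the `GerritModel` class and its methods are hypothetical, the X-Gerrit-Auth token is modelled as an HMAC over the GerritAccount cookie value, and the comment in step 6 is made from the second tab.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed per-run secret
SAFE_METHODS = {"GET", "HEAD"}         # per comment #9, these do not trigger the error


class GerritModel:
    """Hypothetical stand-in for the server; not Gerrit's implementation."""

    def __init__(self):
        self.web_sessions = {}  # GerritAccount cookie value -> account

    def _xsrf(self, cookie):
        # Assumption: the X-Gerrit-Auth token is bound to the session cookie.
        return hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()

    def login(self, account):
        cookie = secrets.token_hex(16)
        self.web_sessions[cookie] = account
        return cookie, self._xsrf(cookie)

    def flush_web_sessions(self):
        self.web_sessions.clear()

    def handle(self, method, cookie, x_gerrit_auth):
        if cookie not in self.web_sessions:
            return "Authentication required"
        if method not in SAFE_METHODS:
            expected = self._xsrf(cookie)
            if not x_gerrit_auth or not hmac.compare_digest(x_gerrit_auth, expected):
                return "Invalid authentication method"
        return "OK"


def reproduce():
    server, jar, out = GerritModel(), {}, {}
    jar["GerritAccount"], tab1_token = server.login("user")   # step 2
    tab2_token = tab1_token                                   # step 3: second tab, same session
    out["before_flush"] = server.handle("PUT", jar["GerritAccount"], tab2_token)
    server.flush_web_sessions()                               # step 4
    out["after_flush"] = server.handle("PUT", jar["GerritAccount"], tab2_token)
    jar["GerritAccount"], tab1_token = server.login("user")   # step 5: shared cookie replaced
    out["stale_tab_write"] = server.handle("PUT", jar["GerritAccount"], tab2_token)  # step 6
    out["stale_tab_read"] = server.handle("GET", jar["GerritAccount"], tab2_token)
    out["fresh_tab_write"] = server.handle("PUT", jar["GerritAccount"], tab1_token)
    return out
```

In this model only the tab still holding the pre-flush token gets the error, and only on writes; its GET requests and the re-logged-in tab succeed.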
Oct 13, 2015
Project Member #10 dougk....@gmail.com
https://gerrit-review.googlesource.com/71469

At least we can provide clearer information to users that their session is invalid.
Status: ChangeUnderReview
Owner: dougk....@gmail.com
Oct 14, 2015
Project Member #11 david.pu...@sonymobile.com
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.11.4