handle connection failures to token validation endpoint

[xavierroy]

When I tried using Quill after enabling Micropub, I get these errors:

HTTP/1.1 200 OK
Date: Fri, 24 Nov 2017 09:33:05 GMT
Server: Apache
Link: https://tokens.indieauth.com/token; rel="token_endpoint"
Cache-Control: max-age=3600
Expires: Fri, 24 Nov 2017 10:33:05 GMT
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: application/json

Notice: Undefined index: authorization in /hsphere/local/home/xavier/xavierroy.com/wp-content/plugins/micropub/micropub.php on line 968

Notice: Undefined index: scope in /hsphere/local/home/xavier/xavierroy.com/wp-content/plugins/micropub/micropub.php on line 159
"invalid access token: "

---

I am using the unreleased 1.3 version.

[snarfed]

hey xavier, sorry for the trouble! looks like this response returned 200 OK, and those are just log messages that didn't actually cause an error. i'm guessing posting with quill itself still worked ok?

if so, this is probably the same as #50. worthwhile, but not high priority.

[xavierroy]

No. The post did not get through.

[snarfed]

ok! sorry about that. looks like the key part is "invalid access token: ", which means your wordpress didn't get the Authorization HTTP header that Quill sent. this is often due to a host stripping that header. try https://github.com/snarfed/wordpress-micropub/#troubleshooting .

[xavierroy]

I had tried that already. My webhosters say that they aren't stripping the headers.
This is on a fresh install.

[snarfed]

sorry, you're right. looks like it's getting the token from the POST body, not from the header. invalid access token means indieauth rejected the token when we asked it to validate it, and we didn't get an explanation in indieauth's response body...but the micropub plubin should also have returned something other than 200, since it passes through the HTTP status code that it got from the indieauth verification request.

hey @aaronpk, https://indieauth.com/developers implies that the verification endpoint always returns a response body, even for errors. is that true?

[snarfed]

friendly ping @aaronpk!

[aaronpk]

This is actually hitting tokens.indieauth.com, not indieauth.com to check the token.

tokens.indieauth.com should be returning a response for every request even if there is an error with the token. I even checked with the access token that Quill has and I got a valid response from the token endpoint. The token that Quill has was from a couple days ago, so maybe this problem resolved itself? @xavierroy can you confirm whether this is still a problem for you or has it started working?

[xavierroy]

No @aaronpk. This issue still exists. I just tried out a test post from Quill and this is what I got:

HTTP/1.1 200 OK Date: Sun, 31 Dec 2017 16:58:32 GMT Server: Apache Link: https://tokens.indieauth.com/token; rel="token_endpoint", http://xavierroy.com/wp-json/webmention/1.0/endpoint; rel="webmention", http://xavierroy.com/wp-json/webmention/1.0/endpoint; rel="http://webmention.org/" Cache-Control: max-age=3600 Expires: Sun, 31 Dec 2017 17:58:32 GMT Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: application/json; charset=UTF-8 Notice: Undefined index: authorization in /hsphere/local/home/xavier/xavierroy.com/wp-content/plugins/micropub/micropub.php on line 939 Notice: Undefined index: scope in /hsphere/local/home/xavier/xavierroy.com/wp-content/plugins/micropub/micropub.php on line 173 "invalid access token: "

[aaronpk]

hmm I don't see a request to the token endpoint at that timestamp. That indicates to me that there's a problem with the Wordpress server hitting tokens.indieauth.com. I'm guessing it's an https error, that's usually the most common. Can you check whether your server can reach tokens.indieauth.com at all? If you have command line access to the server then usually curl https://tokens.indieauth.com/ will be a good first check, and if that works, then you'll need to check from PHP itself.

[aaronpk]

For the record, we did a little troubleshooting in chat. Installing this PHP script on the server helped give a little more insight into the problem. https://gist.github.com/aaronpk/001a5c91c823017241e8e2f66da7dd07

The specific curl error we were seeing was:

Unknown SSL protocol error in connection to tokens.indieauth.com:443

It might be helpful if this plugin could help surface those errors better instead of just silently failing.

This is a problem at the host level, which is using a super old version of OpenSSL and/or cURL, which first didn't support the cipher list in use, and also isn't sending the SNI header for the connection. There unfortunately isn't a good solution I can do on my end of tokens.indieauth.com, and will just have to be fixed by either the host upgrading their OpenSSL, or moving to a new host.

[snarfed]

thanks for the sleuthing and reporting! and absolutely right, we should surface these errors to the micropub client. will do.