I am currently getting signed out every minute from lemmy.world. This is not a client side cache issue. I tested making API calls from the command line (with curl) with no cache and the issue still occurs. One call I get the correct response, the next I get a 400 telling me im not signed in.

I’m primarily testing with the https://lemmy.world/api/v3/user/unread_count api endpoint. I’m not sure if this issue occurs with all endpoints.

Reproduction steps:

  1. Get a lemmy.world JWT token for your account using your desired method (eg. postman).
  2. curl https://lemmy.world/api/v3/user/unread_count?auth={JWT_TOKEN_HERE}
  3. Note the 400 error. If you do not get an error repeat step 2.

Edit

This issue only seems to affect lemmy.world so a temporary workaround is to use a different instance for the time being.

  • Antik 👾
    shield
    link
    33
    edit-2
    1 year ago

    Just a quick statement from the admins team to say that we are aware of the issue and yes we are looking into this.

    Thank you @[email protected] for the elaborate report and everyone else for their patience while we try to sort this one out!

    Edit: Lemmy was upgraded to 0.18.2

    • nosut
      link
      71 year ago

      Thank you for making a statement about it!

    • Sean
      link
      71 year ago

      Thank you for all that you do for this place. I am consistently amazed at how quickly y’all are able to resolve issues.

  • @Spaltovic
    link
    321 year ago

    Sounds like lemmy.world runs on 2 instances and the requests are being loadbalanced between those two. That and that the jwt secret is different between those two instances causing one to accept and the other to reject

    • @Zephyrix
      link
      171 year ago

      This is also my theory. I think you’re right on the money here. They probably rotated secrets from yesterday’s hack and forgot to restart both servers.

  • @Laticauda
    link
    271 year ago

    Same problem for me it seems, dunno if I’ll even be able to comment. Refuses to stay logged in.

    • idunnololz_testOP
      link
      fedilink
      11
      edit-2
      1 year ago

      From my tests, it’s almost perfectly a 50/50 whether any API requests you make will yield a 200 (success) or a 400 (not signed in). If you perform an action that takes 3 API requests, your chances of succeeding is (1/2)^3 or 1/8 because only 1 request needs to fail in the chain for the entire action to fail. So, as long as you make single API actions you can maximize your success rate :D

      • @marmarama
        link
        51 year ago

        Smells like two instances behind the load balancer, one is fine with the JWT, one is not.

      • @jennwiththesea
        link
        51 year ago

        What’s an example of something that would take more than one API request?

        • idunnololz_testOP
          link
          fedilink
          41 year ago

          Signing in. Most websites/apps will probably also grab your unread count, and maybe even your subscription feeds.

          Another example is checking your inbox. Lemmy actually has 3 inboxes: mentions, replies and PMs. A lot of websites/apps bundle these three so they will need to check all 3 inboxes via 3 API calls.

      • @Laticauda
        link
        51 year ago

        Seems like spamming actions also gets it to work eventually. It’s a pain in the arse though lol. I made some alt accounts on other instances, but I’m lazy and don’t wanna rebuild my subscription feed if I don’t have to, so hopefully it gets fixed at some point.

  • @[email protected]
    link
    fedilink
    101 year ago

    Yeah. Lemmy.world is currently unusable on the desktop. I don’t have that problem in Memmy. Growing pains but I hope the problem will be fixed soon. Do anyone know if one of the mods in North America are aware of the problem?

    • @[email protected]
      link
      fedilink
      41 year ago

      I was having trouble in liftoff and the browser. Cleared data and cache from liftoff thinking maybe something got messed up there and now I can’t even log back into my .world account 🤷‍♂️ I’ll hang here for a bit I guess.

      • @PriorProject
        link
        English
        21 year ago

        I’m choking in desktop browser and in liftoff. Jerboa seems ok. It’s weird to me how different clients react differently, I’m not sure how they interact differently.

  • dnvtr
    link
    fedilink
    101 year ago

    Same issue here, I’m being automatically logged out of my lemmy.world account in Firefox. If I refresh the page even immediately after logging in, I’m automatically logged out.

  • Sir_Digby
    link
    fedilink
    91 year ago

    I’m having to reauthenticate in safari and wefwef every time I load a new page. Furthermore, the login is frequently failing.

    • idunnololz_testOP
      link
      fedilink
      11
      edit-2
      1 year ago

      Login in likely always succeeding. The issue is that whatever app/website you use will make additional API calls afterwards (eg. fetch posts or fetch unread count). Each of those calls have a 1-in-2 chance to succeed and if any of them fail, they all fail and you will be booted out.

      Lemmy is now an RNG game. We must prayge to rngesus before making any actions.

  • @DelvianSeek
    link
    71 year ago

    FWIW, I can confirm I’m having this issue as well. The load balancing hypothesis seems sound given the behavior I’m seeing. Definitely making lemmy.world pretty much unusable at this point.

  • @krayj
    link
    61 year ago

    I’ve been experiencing something similar/related. If I am logged in and open something in a new browser window, it frequently (starting today) shows me as not logged in. If I refresh the page, I’m suddenly logged in. This doesn’t feel like a authentication problem as much as a timing issue while loading the page. Or maybe what I’m seeing is an entirely different issue.

  • @[email protected]
    link
    fedilink
    English
    51 year ago

    At least when you can’t log in on one instance you can just login on another. Downtime doesn’t mean you have to go do something else anymore!

    I’m seeing the same issues on my app, calling login, then immediately using that jwt to fetch the site details and it doesn’t give my_user half of the time, and if my app loads far enough to check the unread count I get not_logged_in

  • @TheGoldenGod
    link
    51 year ago

    Same here, it’s driving me mad. Also did the above and glad to see I’m not alone!

    • idunnololz_testOP
      link
      fedilink
      21 year ago

      The good news is it only appears to affect lemmy.world. If you have an account on another instance, you should switch to that account for now.

      • @TheGoldenGod
        link
        21 year ago

        I might do that at this point, with the attention world is getting, it might be smart to have a backup.

  • I can’t seem to comment on a couple specific posts on the instance. But as you can see, it works on this one. I am wondering if that’s related? I’m not even on my Lemmy.World account and get an unable to post error as soon as I hit the button, like it’s not even trying to do anything.

    • idunnololz_testOP
      link
      fedilink
      41 year ago

      From my experience it’s entirely random. You can make 5 actions and all 5 will work. Then have a string of 5 actions where none would work.