MM Server: Personal Access Tokens invalid or expired until restart


#1

I’m hosting MM server 5.0.0 within a docker container on AWS. Our users all have personal access tokens used to integrate with a 3rd party application that we also host. We use these personal access tokens to make basic api requests (v4) on their behalf without requiring them to continuously re-login to both our application and the MM server.

A few days ago we started noticing that the personal access tokens started to return HTTP 401 unauthorized errors. An example:

Request URL: https://ourMMserver.com/api/v4/users/me
Request Method: GET
Authorization: BEARER examplePersonalAccessToken

Response Code: 401 
Response: {"id":"api.context.session_expired.app_error","message":"Invalid or expired session, please login again.","detailed_error":"token=examplePersonalAccessToken","request_id":"ytqe96wj53ys8r9unpyrr8mftc","status_code":401}

Server Log: {"level":"info","ts":1532541581.5667882,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=examplePersonalAccessToken, err=<no value>, "}

The personal access token will continue to return 401 errors until the MM server is restarted at which time the token immediately begins to work as expected again. It only effects a subset of personal access tokens at any given time and each time the subset is different.


#2

Pinging @pichouk as this sounds docker related (let me know if our devs should take a look).


#3

Hi @amy.blais, it seems not related to Docker here, more about how Mattermost token works.


#4

@smstromb Update: I have been doing research on this but at this point it looks like I will need to ping our devs to take a look at this.


#5

Thank you @amy.blais. Any help you can provide would be much appreciated.


#6

@amy.blais Update: The issue was that in our mobile app when I was using a user’s personal access token to attach a mobile device ID it was changing the default expiresAt date of the session from Session.CreateAt + SESSION_USER_ACCESS_TOKEN_EXPIRY (100 years) to Session.CreateAt + Config.ServiceSettings.SessionLengthMobileInDays (30 days).