Token based authentication always results in 40101 Request mac does not match

[NanoSector]

Which version of the Ably SDK are you using?

1.2.3

On which platform does the issue happen?

iOS 14, iPadOS 14, macOS 11

Are you using Carthage?

No.

Are you using Cocoapods?

Yes, 1.10.0

Which version of Xcode are you using?

Xcode 12.2
Build version 12B45b

What did you do?

Trying to use token based authentication with a simple local authentication server does not work. The following code is used to generate a TokenRequest on the server side using the PHP library. I've attempted to disable some of the parameters passed to the TokenRequest object, like disabling the capabilities, but to no avail.

    public function createTokenRequest(User $user): TokenRequest
    {
        $params = new TokenParams();

        // Every user has USER_ROLE so set up the base capabilities based on that promise.
        $capabilities = [
          'chat:*' => ['publish', 'subscribe', 'presence', 'history'],
        ];

        $params->capability =  json_encode($capabilities);
        $params->clientId   = $user->getUsername();
        $params->ttl = 43200000; // 12 hours
        return $this->instance->auth->createTokenRequest($params->toArray());
    }

On the Cocoa side, I use this code to set up token authentication:

            let options = ARTClientOptions()
            options.authUrl = URL(string: "http://localhost:8000/ably/auth")
            options.authMethod = "POST"
            options.clientId = user.username
            options.authParams = [URLQueryItem(name: "clientKey", value: user.password)]

The request goes through fine to the authentication server and the server returns a seemingly valid TokenRequest.

I then instantiate an ARTRealtime instance with the autoConnect option turned off and call its connect() method later.

What did you expect to happen?

The token request is used to authenticate to Ably, successfully. The same authentication server works successfully with the Ably JavaScript SDK, which leads me to believe the Cocoa library has a fault.

What happened instead?

An exception is thrown with the description Error 40101 - Request mac does not match (reason: (null))

I stripped the TokenRequests and IDs from the following logs. If wanted I can send samples of those somewhere private.

2020-12-02 08:57:53.419394+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: (ARTAuth.m:156) RS:0x600001ea7cc0 validating <ARTClientOptions: 0x7fabb3612940> - 
	 key: (null); 
	 token: (null); 
	 authUrl: http://localhost:8000/ably/auth; 
	 authMethod: POST; 
	 hasAuthCallback: 0;
	 clientId: Henk;
2020-12-02 08:57:53.419553+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: (ARTAuth.m:177) RS:0x600001ea7cc0 setting up auth method Token with authUrl
2020-12-02 08:57:53.419952+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: RT:0x60000136d860 realtime is transitioning from 0 - Initialized to 1 - Connecting
2020-12-02 08:57:53.420212+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: (ARTRealtime.m:983) R:0x60000136d860 connecting with token auth; authorising (timeout of 10.000000)
2020-12-02 08:57:53.420969+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: (ARTAuth.m:354) RS:0x600001ea7cc0 using authUrl (POST http://localhost:8000/ably/auth)
2020-12-02 08:57:53.421290+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: (ARTRest.m:300) RS:0x600001ea7cc0 executing request <NSMutableURLRequest: 0x600002e6d500> { URL: http://localhost:8000/ably/auth }
2020-12-02 08:57:53.421518+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: --> POST http://localhost:8000/ably/auth
  Body: clientId=Henk&clientKey=testAccount&timestamp=1606895873420
  Headers: {
    Accept = "application/x-msgpack,application/json";
    "Content-Length" = 59;
    "Content-Type" = "application/x-www-form-urlencoded";
    "X-Ably-Lib" = "cocoa.ios-1.2.3";
    "X-Ably-Version" = "1.2";
}
2020-12-02 08:57:53.422610+0100 WebsocketsSwiftExampleApp[1346:19712] INFO: Reachability: started listening for host realtime.ably.io
2020-12-02 08:57:53.452926+0100 WebsocketsSwiftExampleApp[1346:19712] INFO: Reachability: host realtime.ably.io is reachable: true
2020-12-02 08:57:53.777309+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: <-- POST http://localhost:8000/ably/auth: statusCode 200
  Data: {"keyName":"","nonce":"","mac":"","ttl":43200000,"clientId":"Henk","timestamp":"1606895873773"}
  Headers: {
    "Cache-Control" = "max-age=0, must-revalidate, private";
    "Content-Length" = 185;
    "Content-Type" = "application/json";
    Date = "Wed, 02 Dec 2020 07:57:53 GMT";
    Expires = "Wed, 02 Dec 2020 07:57:53 GMT";
    "X-Powered-By" = "PHP/7.4.13";
    "X-Robots-Tag" = noindex;
}
2020-12-02 08:57:53.777560+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: RS:0x600001ea7cc0 ARTAuth: authUrl response <NSHTTPURLResponse: 0x600002c7b600> { URL: http://localhost:8000/ably/auth } { Status Code: 200, Headers {
    "Cache-Control" =     (
        "max-age=0, must-revalidate, private"
    );
    "Content-Length" =     (
        185
    );
    "Content-Type" =     (
        "application/json"
    );
    Date =     (
        "Wed, 02 Dec 2020 07:57:53 GMT"
    );
    Expires =     (
        "Wed, 02 Dec 2020 07:57:53 GMT"
    );
    "X-Powered-By" =     (
        "PHP/7.4.13"
    );
    "X-Robots-Tag" =     (
        noindex
    );
} }
2020-12-02 08:57:53.777804+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: RS:0x600001ea7cc0 ARTJsonLikeEncoder<json> decoding '{length = 185, bytes = ... }'; got: {
    clientId = Henk;
    keyName = "";
    mac = "";
    nonce = ;
    timestamp = 1606895873773;
    ttl = 43200000;
}
2020-12-02 08:57:53.777922+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: RS:0x600001ea7cc0 ARTJsonLikeEncoder<json> decoding '{length = 185, bytes = ... }'; got: {
    clientId = Henk;
    keyName = "";
    mac = "";
    nonce = ;
    timestamp = 1606895873773;
    ttl = 43200000;
}
2020-12-02 08:57:53.778211+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: RS:0x600001ea7cc0 ARTJsonLikeEncoder<msgpack> encoding '{
    clientId = Henk;
    keyName = "";
    mac = "";
    nonce = ;
    timestamp = 1606895873778;
    ttl = 43200000;
}'; got: {length = 155, bytes =  }
2020-12-02 08:57:53.779468+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: (ARTRest.m:300) RS:0x600001ea7cc0 executing request <NSMutableURLRequest: 0x600002e70f40> { URL: https://rest.ably.io:443/keys/.../requestToken?format=msgpack }
2020-12-02 08:57:53.779612+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: --> POST https://rest.ably.io:443/keys/.../requestToken?format=msgpack
  Body: ...
  Headers: {
    Accept = "application/x-msgpack,application/json";
    "Content-Type" = "application/x-msgpack";
    "X-Ably-Lib" = "cocoa.ios-1.2.3";
    "X-Ably-Version" = "1.2";
}
2020-12-02 08:57:54.522217+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: <-- POST https://rest.ably.io:443/keys/.../requestToken?format=msgpack: statusCode 401
  Data: {
	"error": {
		"message": "Request mac does not match",
		"code": 40101,
		"statusCode": 401,
		"href": "https://help.ably.io/error/40101",
		"serverId": "frontend.d083.1.eu-central-1-A.i-0af642271f8511959.e912reg5gAsEZv"
	}
}
  Headers: {
    "Access-Control-Allow-Origin" = "*";
    "Content-Length" = 227;
    "Content-Type" = "application/json";
    Date = "Wed, 02 Dec 2020 07:57:54 GMT";
    Vary = Origin;
    Via = "1.1 05ec74146f636de45e985d09f62976dd.cloudfront.net (CloudFront)";
    "access-control-allow-credentials" = true;
    "access-control-expose-headers" = "Link,Transfer-Encoding,Content-Length,X-Ably-ErrorCode,X-Ably-ErrorMessage,X-Ably-ServerId,Server";
    "x-ably-errorcode" = 40101;
    "x-ably-errormessage" = "Request mac does not match";
    "x-amz-cf-pop" = "AMS1-C1";
    "x-cache" = "Error from cloudfront";
}
2020-12-02 08:57:54.522514+0100 WebsocketsSwiftExampleApp[1346:33695] WARN: Request mac does not match
2020-12-02 08:57:54.522885+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: RS:0x600001ea7cc0 ARTJsonLikeEncoder<json> decoding '{length = 227, bytes = 0x7b0a0922 6572726f 72223a20 7b0a0909 ... 5a76220a 097d0a7d }'; got: {
    error =     {
        code = 40101;
        href = "https://help.ably.io/error/40101";
        message = "Request mac does not match";
        serverId = "frontend.d083.1.eu-central-1-A.i-0af642271f8511959.e912reg5gAsEZv";
        statusCode = 401;
    };
}
2020-12-02 08:57:54.523001+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: RS:0x600001ea7cc0 ARTAuthInternal [authorize.04CFA954-F6F0-4604-8F17-48AD95FB732B]: token request failed: Error 40101 - Request mac does not match (reason: (null))
2020-12-02 08:57:54.523092+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: (ARTRealtime.m:1020) R:0x60000136d860 authorized: (null) error: Error 40101 - Request mac does not match (reason: (null))
2020-12-02 08:57:54.523211+0100 WebsocketsSwiftExampleApp[1346:33695] ERROR: R:0x60000136d860 token auth failed with Error 40101 - Request mac does not match (reason: (null))
2020-12-02 08:57:54.524041+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: RT:0x60000136d860 realtime is transitioning from 1 - Connecting to 3 - Disconnected
2020-12-02 08:57:54.524571+0100 WebsocketsSwiftExampleApp[1346:19712] INFO: Reachability: stopped listening for host realtime.ably.io
2020-12-02 08:57:54.524681+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: RT:0x60000136d860 realtime is transitioning from 3 - Disconnected to 6 - Closed
2020-12-02 08:57:54.524754+0100 WebsocketsSwiftExampleApp[1346:19712] INFO: Reachability: stopped listening for host (null)
2020-12-02 08:57:54.524828+0100 WebsocketsSwiftExampleApp[1346:19712] DEBUG: (ARTAuth.m:617) RS:0x600001ea7cc0 authorization cancelled with (null)

Link to sample project

This is a private project, so I don't have a sample project.

┆Issue is synchronized with this Jira Bug by Unito

[ricardopereira]

Hello @Yoshi2889. The library is failing with "Request mac does not match" because the auth response is returning an invalid TokenRequest with an empty mac:

2020-12-02 08:57:53.777309+0100 WebsocketsSwiftExampleApp[1346:33695] DEBUG: <-- POST http://localhost:8000/ably/auth: statusCode 200
  Data: {"keyName":"","nonce":"","mac":"","ttl":43200000,"clientId":"Henk","timestamp":"1606895873773"}
  Headers: {
    "Cache-Control" = "max-age=0, must-revalidate, private";
    "Content-Length" = 185;
    "Content-Type" = "application/json";
    Date = "Wed, 02 Dec 2020 07:57:53 GMT";
    Expires = "Wed, 02 Dec 2020 07:57:53 GMT";
    "X-Powered-By" = "PHP/7.4.13";
    "X-Robots-Tag" = noindex;
}

Maybe the $this->instance->auth->createTokenRequest call is failing?

[NanoSector]

Thanks for your reply. I edited those values out for this report as I did not want to leak any information or keys, they are present however in the actual output.

As I mentioned this setup does work in conjunction with the TypeScript library so this leads me to believe this is an issue with the Cocoa library specifically.

[ricardopereira]

@Yoshi2889 I see, thanks for clarifying. I'll try to reproduce the issue.

[NanoSector]

I did some further testing and the Android or Java library works fine as well with the unchanged authentication server I posted. I have still been unable to get the Cocoa library working with token based authentication.

[ricardopereira]

@Yoshi2889 Thank you for your inputs. We already found the issue. It will be fixed in the next version.