Mastodon: reproducible HTTP 502 error in OAuth /oauth/authorize

Created on 21 Jan 2020 · 1 Comment · Source: tootsuite/mastodon

Hi all! I keep hitting a 502 in /oauth/authorize in 3.0.1. Is this a known issue? Here are the steps to reproduce:

  1. Create an app, e.g.:
    POST https://mastodon.technology/api/v1/apps client_name=Bridgy&redirect_uris=http://localhost:8080/mastodon/delete/finish%0Ahttp://localhost:8080/delete/finish%0Ahttp://localhost:8080/publish/mastodon/finish%0Ahttp://localhost:8080/mastodon/callback&website=http://localhost:8080&scopes=read+read:accounts+read:blocks+read:favourites+read:filters+read:follows+read:lists+read:mutes+read:notifications+read:reports+read:search+read:statuses+write+write:accounts+write:blocks+write:favourites+write:filters+write:follows+write:lists+write:media+write:mutes+write:notifications+write:reports+write:statuses+follow+push
    (I've URL-unescaped everything except the newlines, here and below, for readability.)
  2. Authorize with an initial set of read-only scopes, e.g.:
    https://mastodon.technology/oauth/authorize?response_type=code&client_id=...&client_secret=...&scope=read:accounts read:accounts read:blocks read:search&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fmastodon%2Fcallback&state={"app_key":"...","state":"%257B%2522feature%2522%253A%2522listen%2522%252C%2522operation%2522%253A%2522add%2522%257D"}
    ...and get an access token with /oauth/token.
  3. Authorize with an expanded set of scopes, including writes, e.g.:
    https://mastodon.technology/oauth/authorize?response_type=code&client_id=...&client_secret=...&scope=read:accounts read:accounts read:blocks read:search write:statuses write:favourites write:media&redirect_uri=http://localhost:8080/mastodon/callback&state={"app_key":"...","state":"%7B%22feature%22%3A%22publish%22%2C%22operation%22%3A%22add%22%7D"}
    ...and get an access token with /oauth/token.
  4. Authorize with the same expanded set of scopes and a longer state, e.g.:
    https://mastodon.technology/oauth/authorize?response_type=code&client_id=...&client_secret=...&scope=read:accounts read:accounts read:blocks read:search write:statuses write:favourites write:media&redirect_uri=http://localhost:8080/publish/mastodon/finish&state={"app_key":"...","state":"%7B%22include_link%22%3A%22omit%22%2C%22source_key%22%3A%22...%22%2C%22source_url%22%3A%22http%3A%2F%2Flocalhost%2Fpost3.html%22%2C%22target_url%22%3A%22https%3A%2F%2Fbrid.gy%2Fpublish%2Fmastodon%22%7D"}

This last request 502s with the standard _We're sorry, but something went wrong on our end._ error page.

I tried three 3.0.1 instances just now - 2020-01-21 05:36:12 UTC on mastodon.technology, 05:49:03 mas.to, 06:10:37 mstdn.social - and they all behaved the same way.

Any idea what's going on? My only guess is that the state in the last request is longer than some limit, but that seems unlikely. (It was originally 331 chars before I redacted parts of it.)

@ashfurrow, any chance you could look through the mastodon.technology logs around that time ^ and see if you can correlate the /oauth/authorize 502 with anything?

Thanks in advance!

All comments

I took some time looking through the logs but couldn't find anything helpful, sorry!
