MM Server: Personal Access Tokens invalid or expired until restart

smstromb · July 25, 2018, 6:51pm

I’m hosting MM server 5.0.0 within a docker container on AWS. Our users all have personal access tokens used to integrate with a 3rd party application that we also host. We use these personal access tokens to make basic api requests (v4) on their behalf without requiring them to continuously re-login to both our application and the MM server.

A few days ago we started noticing that the personal access tokens started to return HTTP 401 unauthorized errors. An example:

Request URL: https://ourMMserver.com/api/v4/users/me
Request Method: GET
Authorization: BEARER examplePersonalAccessToken

Response Code: 401 
Response: {"id":"api.context.session_expired.app_error","message":"Invalid or expired session, please login again.","detailed_error":"token=examplePersonalAccessToken","request_id":"ytqe96wj53ys8r9unpyrr8mftc","status_code":401}

Server Log: {"level":"info","ts":1532541581.5667882,"caller":"mux/mux.go:162","msg":"Invalid session","error":"GetSession: Invalid session token=examplePersonalAccessToken, err=<no value>, "}

The personal access token will continue to return 401 errors until the MM server is restarted at which time the token immediately begins to work as expected again. It only effects a subset of personal access tokens at any given time and each time the subset is different.

amy.blais · July 25, 2018, 11:49pm

Pinging @pichouk as this sounds docker related (let me know if our devs should take a look).

pichouk · July 26, 2018, 8:35am

Hi @amy.blais, it seems not related to Docker here, more about how Mattermost token works.

amy.blais · July 26, 2018, 11:20pm

@smstromb Update: I have been doing research on this but at this point it looks like I will need to ping our devs to take a look at this.

smstromb · July 26, 2018, 11:32pm

Thank you @amy.blais. Any help you can provide would be much appreciated.

smstromb · July 27, 2018, 7:01pm

@amy.blais Update: The issue was that in our mobile app when I was using a user’s personal access token to attach a mobile device ID it was changing the default expiresAt date of the session from Session.CreateAt + SESSION_USER_ACCESS_TOKEN_EXPIRY (100 years) to Session.CreateAt + Config.ServiceSettings.SessionLengthMobileInDays (30 days).

Topic		Replies	Views
[Solved] Invalid or expired session, please login again Troubleshooting	2	15355	March 1, 2019
Invalid or expired session, please login again Troubleshooting	2	990	April 28, 2020
Post API for bot using mattermost-preview docker image returns 401 error Troubleshooting	3	2872	July 30, 2019
Http://192.168.99.100:8065/api/v3/users/0/0 using postman, when i call this mattermost api i am getting "message": "Invalid or expired session, please login again.", error Troubleshooting	1	1807	January 21, 2017
Invalid or expired session after changing Settings Troubleshooting	2	1269	March 9, 2020

MM Server: Personal Access Tokens invalid or expired until restart

Related topics