33 Commits

• Do not forcibly log out user if user retrieval fails with a server error code (#36897)

  * Do not forcibly log out user if user retrieval fails with a server error code
  
  This behaviour caused users to get forcibly logged out of the game
  during yesterday's redis outage.
  
  From one case where logs were provided
  (https://discord.com/channels/188630481301012481/1097318920991559880/1480201862610423933):
  
  - User had repeated timeouts on API requests; consequently, API went
    into failing state
  - On one of the login retries `/api/v2/me` returned a 500 with no error
    details (`{"error":"null}` JSON response) which resulted in
    an instant logout as per
  
    https://github.com/ppy/osu/blob/7263551aa868911a7d9148cf2cb16f9e0325f531/osu.Game/Online/API/APIAccess.cs#L323-L324
  
  This PR intends to only forcibly log the user out if the returned error
  code indicates a client error. If it is a server error, the login is
  preserved and a normal retry loop proceeds.
  
  This can be tested with a local web instance via following steps:
  
  1. Start `osu-web` and a client instance connected to it.
  2. Log in on the client instance.
  3. Kill (`^C`) `osu-web`.
  4. Trigger a few requests in the client and wait for enough of them to
     fail for the API to change to `Failing` state.
  5. Apply
  
  ```diff
  diff --git a/app/Http/Controllers/UsersController.php b/app/Http/Controllers/UsersController.php
  index db34639abf2..392a844882a 100644
  --- a/app/Http/Controllers/UsersController.php
  +++ b/app/Http/Controllers/UsersController.php
  @@ -581,6 +581,8 @@ class UsersController extends Controller
        */
       public function me($mode = null)
       {
  +        abort(500);
  +
           $user = \Auth::user();
           $currentMode = $mode ?? $user->playmode;
  
  ```
  
  6. Start `osu-web` again.
  7. On master this will log the user out forcibly. On this PR, the user
     will remain in `Failing` state.
  8. Undo patch from step (5) (restarting web is not required).
  9. On this PR, the client will be logged back in.
  
  * Update framework
  
  ---------
  
  Co-authored-by: Dean Herbert <pe@ppy.sh>

  Bartłomiej Dach · 2026-03-10 15:12:43 +09:00
  caffc7238b
• Fix broken locking in OAuth

  Closes https://github.com/ppy/osu/issues/26824... I think?
  
  Can be reproduced via something like
  
  diff --git a/osu.Game/Online/API/OAuth.cs b/osu.Game/Online/API/OAuth.cs
  index 485274f349..e6e93ab4c7 100644
  --- a/osu.Game/Online/API/OAuth.cs
  +++ b/osu.Game/Online/API/OAuth.cs
  @@ -151,6 +151,11 @@ internal string RequestAccessToken()
           {
               if (!ensureAccessToken()) return null;
  
  +            for (int i = 0; i < 10000; ++i)
  +            {
  +                _ = Token.Value.AccessToken;
  +            }
  +
               return Token.Value.AccessToken;
           }
  
  The cause is `SecondFactorAuthForm` calling `Logout()`, which calls
  `OAuth.Clear()`, _while_ the `APIAccess` connect loop is checking if
  `authentication.HasValidAccessToken` is true, which happens to
  internally check `Token.Value.AccessToken`, which the clearing of
  tokens can brutally interrupt.

  Bartłomiej Dach · 2024-01-30 21:05:23 +01:00
  000ddc14ac
• Fix OAuth refresh attempt when no network available causing full logout (part 2)

  This time for `SocketException`s. I seem to recall looking at this and
  deciding there was a reason to not catch socket exceptions, but on
  revisiting it seems sane to do so.
  
  This covers a fail case like reported:
  
  ```
  2023-10-06 03:24:17 [verbose]: Request to https://lazer.ppy.sh/oauth/token failed with System.Net.Http.HttpRequestException: No such host is known. (lazer.ppy.sh:443)
  2023-10-06 03:24:17 [verbose]: ---> System.Net.Sockets.SocketException (11001): No such host is known.
  2023-10-06 03:24:17 [verbose]: at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
  ```
  
  Closes https://github.com/ppy/osu/issues/24890 (again).

  Dean Herbert · 2023-10-06 18:24:22 +09:00
  c78b5112c6
• Fix OAuth refresh attempt when no network available causing full logout
  Dean Herbert · 2023-09-24 10:50:07 +09:00
  3c62521e69
• Automated #nullable processing
  Dan Balasescu · 2022-06-17 16:37:17 +09:00
  f8830c6850
• Fix intendation in a way it doesn't regress with older inspectcode
  Dean Herbert · 2021-10-18 14:28:29 +09:00
  ad112cbbc5
• Fix new indentation inspections
  Dean Herbert · 2021-10-18 14:00:35 +09:00
  6d6eed61aa
• Add fallback to use Message when Hint is not available
  Dean Herbert · 2021-10-04 16:18:55 +09:00
  3a0b7ba8ff
• Make AuthenticateWithLogin throw instead of return a bool success status
  Dean Herbert · 2021-10-04 15:40:00 +09:00
  5aaafce597
• Fix json web requests having incorrect user agents
  smoogipoo · 2020-01-17 19:21:27 +09:00
  2187523bf3
• Adjust namespaces
  smoogipoo · 2019-02-21 19:05:52 +09:00
  d8c55bc729
• Update licence header (and remove year)
  Dean Herbert · 2019-01-24 17:43:03 +09:00
  8617aaa2a7
• Add wildcard scope to oauth requests
  Dean Herbert · 2018-11-28 19:02:23 +09:00
  f42d4a9382
• Update chat to work with new API version
  Dean Herbert · 2018-09-25 20:53:24 +09:00
  7cd547a760
• Normalize all the line endings
  Dean Herbert · 2018-04-13 18:26:38 +09:00
  32a74f95a5
• Move string-token property to OAuth
  smoogipoo · 2018-04-12 14:30:28 +09:00
  baae4427ff
• Save OAuth token to config on every token change
  smoogipoo · 2018-04-12 14:23:49 +09:00
  e007365916
• Merge branch 'master' into update-branch
  smoogipoo · 2018-02-08 23:35:48 +09:00
  b500b76407
• Update licence headers
  Dean Herbert · 2018-01-05 20:21:19 +09:00
  37d393bca0
• Merge master into netstandard
  smoogipoo · 2017-11-21 16:39:21 +09:00
  b3bf6e7bee
• Make many internal classes and methods public

  This is important when using dynamic compiling to rapidly iterate. Until we actually split projects out into pieces (like the abstract ruleset project we have talked about) there is no advantage to using internal in the osu! game code.

  Dean Herbert · 2017-11-21 12:06:16 +09:00
  4f6263ef86
• Disable resharper inspections on case-by-case basis
  smoogipoo · 2017-11-20 18:55:48 +09:00
  aac41d2de6
• Fix a possible horrendous endless auth loop
  Dean Herbert · 2017-11-02 20:26:26 +09:00
  b0785b2f09
• Update API code to use the new Add* methods on requests
  smoogipoo · 2017-10-30 21:33:44 +09:00
  cd5324f1d1
• Update WebRequest usage in line with framework changes
  Dean Herbert · 2017-10-23 14:46:17 +09:00
  8fab6abf90
• Dispose IDisposable object before method returns
  TocoToucan · 2017-09-16 15:10:24 +03:00
  51a5e963bb
• Fix typo
  Dean Herbert · 2017-05-11 19:49:28 +09:00
  c3d2cdd2f2
• Add thread-safety on access token validation logic.
  Dean Herbert · 2017-05-11 19:39:01 +09:00
  4e881644f6
• Remove unnecessary using statements
  Thomas Müller · 2017-02-23 21:38:10 +01:00
  a5dfa7ab06
• Update and standardise license headers.
  Dean Herbert · 2017-02-07 14:27:41 +09:00
  50bd80cb0c
• Update client id/secret and bring API endpoints up-to-date.
  Dean Herbert · 2016-11-30 18:30:24 +09:00
  3fa80d2376
• Update framework again.
  Dean Herbert · 2016-09-21 17:37:33 +09:00
  997c6f45f6
• Add basic online API support.
  Dean Herbert · 2016-08-31 20:14:01 +09:00
  8870935a4b