docs(diagnosis): mobile auth method failure root-cause report (2026-05-30) #105
Merged
ahmetabdullahgultekin merged 1 commit intoMay 30, 2026
…5-30)

Comprehensive 12-section diagnosis of "no MFA method passes" symptom from ahabgu@gmail.com on FIVUCSAS Mobile v5.2.2 against prod identity-core-api.

Findings:
- 4 server-side "Malformed request body: I/O error while reading input message" events at 16:16-16:31 UTC — request bodies aborting mid-stream on user's ~1 Mbps cellular uplink. Confirms backend healthy (SMS_OTP completed step 2/3 at 16:25:36, audit_logs success=t).
- Tenant 'Fivucsas' active flow is "Default 3-Step Flow" (PASSWORD+EMAIL_OTP+FACE) — step 3 binds FACE only; picker shows all 9 enrolled methods, server rejects non-FACE with METHOD_NOT_PERMITTED, app maps to generic error.
- v5.2.2 has the cacheLoginData throw-inside-verify-try regression (fixed in v5.2.3) — present but NOT today's blocker.

Includes:
- Method-by-method body-size matrix (small bodies work, ≥20KB bodies don't).
- Full server log timeline + audit_logs evidence (verified vs. unverified separation).
- 12 ranked recommendations split across mobile / backend / flow-config.
- Live troubleshooting commands appendix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

- ahabgu@gmail.com on FIVUCSAS Mobile v5.2.2 against prod identity-core-api today.
- success=t). What's new is network conditions + active flow shape.
- Malformed request body: I/O error while reading input message events at 16:16-16:31 UTC — request bodies aborting mid-stream on the user's ~1 Mbps cellular uplink. Methods with small JSON bodies (PASSWORD ~80 B, SMS_OTP ~110 B) succeed; methods with large bodies (FACE 20-200 KB, VOICE 100-500 KB, WebAuthn 2-5 KB) fail to upload.
- Fivucsas active flow is "Default 3-Step Flow" (PASSWORD + EMAIL_OTP + FACE) — step 3 binds FACE only; mobile picker shows all 9 enrolled methods, server returns METHOD_NOT_PERMITTED for non-FACE picks, app maps to generic error → user reads as "this method gives error".
- cacheLoginData throw-inside-verify-try flips a 200 AUTHENTICATED into "Verification failed". Present on user's device but NOT today's blocker (only triggers on final-step success path).

Evidence (all verified live)

- audit_logs snapshot for ahabgu (3 events today: 2× USER_LOGIN, 1× MFA_STEP_COMPLETED SMS_OTP; zero MFA_STEP_FAILED — failures never reached the handler).
- auth_flows + auth_flow_steps DB query confirming 3-step PASSWORD/EMAIL_OTP/FACE config.
- e2e-sweep@fivucsas.local login → HTTP 200, mfaRequired=false (pipeline healthy).
- MfaFlowScreen.kt:439-531 (method → body-field → size estimate).

Recommendations (12 items, ranked)

- handleHttpMessageNotReadable, emit MFA_REQUEST_TRUNCATED audit row.

Test plan

- fingerprintData vs assertion) against FingerprintVerifyMfaStepHandler.java.

🤖 Generated with Claude Code