
docs(diagnosis): mobile auth method failure root-cause report (2026-05-30)#105

Merged
ahmetabdullahgultekin merged 1 commit into
masterfrom
claude/mobile-auth-diagnosis-2026-05-30
May 30, 2026

Conversation

@ahmetabdullahgultekin

Contributor

Summary

  • Comprehensive 12-section diagnosis of "no MFA method passes" symptom from ahabgu@gmail.com on FIVUCSAS Mobile v5.2.2 against prod identity-core-api today.
  • Backend is healthy — same user completed TOTP/EMAIL_OTP/FINGERPRINT successfully 7+ times in last 72h (audit_logs success=t). What's new is network conditions + active flow shape.
  • Primary cause: 4 server-side Malformed request body: I/O error while reading input message events at 16:16-16:31 UTC — request bodies aborting mid-stream on the user's ~1 Mbps cellular uplink. Methods with small JSON bodies (PASSWORD ~80 B, SMS_OTP ~110 B) succeed; methods with large bodies (FACE 20-200 KB, VOICE 100-500 KB, WebAuthn 2-5 KB) fail to upload.
  • Secondary cause: Tenant Fivucsas active flow is "Default 3-Step Flow" (PASSWORD + EMAIL_OTP + FACE) — step 3 binds FACE only; mobile picker shows all 9 enrolled methods, server returns METHOD_NOT_PERMITTED for non-FACE picks, app maps to generic error → user reads as "this method gives error".
  • Latent v5.2.2 bug (fixed in v5.2.3): cacheLoginData throw-inside-verify-try flips a 200 AUTHENTICATED into "Verification failed". Present on user's device but NOT today's blocker (only triggers on final-step success path).

Evidence (all verified live)

  • Server log timeline 16:03 → 16:31 UTC with request IDs.
  • audit_logs snapshot for ahabgu (3 events today: 2× USER_LOGIN, 1× MFA_STEP_COMPLETED SMS_OTP; zero MFA_STEP_FAILED — failures never reached the handler).
  • auth_flows + auth_flow_steps DB query confirming 3-step PASSWORD/EMAIL_OTP/FACE config.
  • Independent e2e-sweep@fivucsas.local login → HTTP 200, mfaRequired=false (pipeline healthy).
  • Mobile dispatch map from MfaFlowScreen.kt:439-531 (method → body-field → size estimate).

Recommendations (12 items, ranked)

  • P0 mobile: aggressive face-image compression (≤30 KB), retry-on-IOException with backoff.
  • P1 mobile: longer Ktor write timeout, HTTP/1.1 fallback on cellular, upload progress + low-signal banner, install v5.2.3.
  • P1 backend: log Content-Length + path in handleHttpMessageNotReadable, emit MFA_REQUEST_TRUNCATED audit row.
  • Operator: confirm 3-step flow is intentional; if yes, add TOTP/FINGERPRINT as alternatives at step 3 so users with broken camera/network can still finish.

Test plan

  • Review the verified vs. unverified separation in §7 — flag anything that needs deeper confirmation.
  • Confirm whether the "Default 3-Step Flow" superseding the prior 2-step CHOICE flow was intentional.
  • (Optional) Cross-check the FINGERPRINT dispatch field name (fingerprintData vs assertion) against FingerprintVerifyMfaStepHandler.java.
  • Adopt P0 fixes for v5.2.4 milestone.

🤖 Generated with Claude Code
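The report's central argument is that the "Malformed request body" events line up with the methods whose request bodies are too large to finish uploading on a ~1 Mbps uplink. The triage helper below is an added example, not code from this PR or from the FIVUCSAS project: it parses constructed log lines in a constructed format (the `req=`, `path=`, `method=`, `len=` fields are assumptions), applies the report's per-method body-size matrix, and flags each malformed-body event whose declared length could not have been pushed within an assumed write timeout at the assumed uplink rate.

```python
"""Triage helper for "Malformed request body: I/O error while reading input message" events.
Added example, not project code. Log format, field names and timeout default are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Upper-bound body-size estimates per MFA method (bytes), from the report's matrix.
METHOD_BODY_BYTES = {
    "PASSWORD": 80, "SMS_OTP": 110, "EMAIL_OTP": 110, "TOTP": 110,
    "WEBAUTHN": 5 * 1024, "FACE": 200 * 1024, "VOICE": 500 * 1024,
}

# Constructed sample lines: "<ts> <level> req=<id> path=<path> method=<MFA> len=<bytes> msg=<text>"
SAMPLE_LOG = """\
16:16:02 WARN req=a1 path=/mfa/verify method=FACE len=184320 msg=Malformed request body: I/O error while reading input message
16:25:36 INFO req=a2 path=/mfa/verify method=SMS_OTP len=112 msg=MFA_STEP_COMPLETED
16:28:10 WARN req=a3 path=/mfa/verify method=VOICE len=409600 msg=Malformed request body: I/O error while reading input message
16:31:44 WARN req=a4 path=/mfa/verify method=WEBAUTHN len=3072 msg=Malformed request body: I/O error while reading input message
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\S+) req=(?P<req>\S+) path=(?P<path>\S+) "
                     r"method=(?P<method>\S+) len=(?P<len>\d+) msg=(?P<msg>.*)$")

@dataclass
class Verdict:
    req: str
    method: str
    content_length: int
    upload_seconds: float
    within_estimate: bool   # declared length <= the report's estimate for that method
    likely_truncated: bool  # upload time at the assumed uplink exceeds the write timeout

def upload_seconds(content_length: int, uplink_bps: float) -> float:
    """Seconds needed to push a body of content_length bytes at uplink_bps bits/s."""
    return content_length * 8 / uplink_bps

def triage(log_text: str, uplink_bps: float = 1_000_000, write_timeout_s: float = 1.0) -> list[Verdict]:
    """Return a Verdict for every malformed-body event in log_text.
    Defaults are assumptions: the report's ~1 Mbps uplink and a 1 s client write timeout."""
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["msg"].startswith("Malformed request body"):
            continue  # only truncated-body events are of interest here
        length = int(m["len"])
        secs = upload_seconds(length, uplink_bps)
        estimate = METHOD_BODY_BYTES.get(m["method"], 0)
        verdicts.append(Verdict(m["req"], m["method"], length, secs,
                                length <= estimate, secs > write_timeout_s))
    return verdicts
```

Methods flagged `likely_truncated` are the ones the P0 compression and retry-with-backoff recommendations target; a malformed event that is small and not flagged points at a different cause and deserves separate follow-up.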

…5-30)

Comprehensive 12-section diagnosis of "no MFA method passes" symptom from
ahabgu@gmail.com on FIVUCSAS Mobile v5.2.2 against prod identity-core-api.

Findings:
- 4 server-side "Malformed request body: I/O error while reading input message"
  events at 16:16-16:31 UTC — request bodies aborting mid-stream on user's
  ~1 Mbps cellular uplink. Confirms backend healthy (SMS_OTP completed
  step 2/3 at 16:25:36, audit_logs success=t).
- Tenant 'Fivucsas' active flow is "Default 3-Step Flow" (PASSWORD+EMAIL_OTP
  +FACE) — step 3 binds FACE only; picker shows all 9 enrolled methods, server
  rejects non-FACE with METHOD_NOT_PERMITTED, app maps to generic error.
- v5.2.2 has the cacheLoginData throw-inside-verify-try regression
  (fixed in v5.2.3) — present but NOT today's blocker.

Includes:
- Method-by-method body-size matrix (small bodies work, ≥20KB bodies don't).
- Full server log timeline + audit_logs evidence (verified vs. unverified
  separation).
- 12 ranked recommendations split across mobile / backend / flow-config.
- Live troubleshooting commands appendix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 30, 2026 17:29
@ahmetabdullahgultekin ahmetabdullahgultekin merged commit f8ef518 into master May 30, 2026
1 of 2 checks passed
@ahmetabdullahgultekin ahmetabdullahgultekin deleted the claude/mobile-auth-diagnosis-2026-05-30 branch May 30, 2026 17:33

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@ahmetabdullahgultekin ahmetabdullahgultekin restored the claude/mobile-auth-diagnosis-2026-05-30 branch July 1, 2026 20:51
