Fix immediate log out #1
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Observed on Firefox Android
Grindr Web auth flow for desktop and Android:
POST https://web.grindr.com/v1/api-tokens/, both getGRINDR_WEB_SESSIONcookie in responseGET wss://grindr.mobi/v1/ws, Android skips it and loads much later (after step 6)PUT https://web.grindr.com/api/v3/me/location, Android skips it for some reasonGET https://web.grindr.com/api/v3/cascade/?nearbyGeoHash=<geohash>&pageNumber=1, Android does not send it because it has no geohashPOST https://web.grindr.com/v1/api-tokens/again, but Android's results in 400 Bad Request responseDELETE https://web.grindr.com/v1/api-tokens/and logs out locallyDesktop:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:150.0) Gecko/20100101 Firefox/150.0DNT: 1__cf_bm✅_ketch_consent_v1_✅_swb✅GRINDR_WEB_SESSION✅Mobile:
User-Agent: Mozilla/5.0 (Android 16; Mobile; rv:151.0) Gecko/151.0 Firefox/151.0DNT: 1__cf_bm✅_ketch_consent_v1_✅_swb✅_swb_consent_⚠️GRINDR_WEB_SESSION✅usprivacy⚠️us_privacy⚠️Update: I permanently allowed web.grindr.com to access my location and the mobile flow changed:
3. Android connects to WS (though the connection is aborted due to redirect)
5. Android sends correctly formatted location
6. Android still does not query cascade
Everything else is the same
Confirmed: the issue is
_swb_consent_cookie presence. If it's passed tohttps://web.grindr.com/v1/api-tokens/, the backend returns 400 Bad Request and client logs out.Interestingly, the cookie value is a base64-encoded object about GDPR complience. Here is an example observed:
Fixed in
1548fb7a42