Login issues - 503

Hi there,

I have recently deployed my app to my production server on a DigitalOcean droplet. When I am now doing the request to login, I get the response ‘503 - Service Unavailable’. I wasn’t sure what was causing this, thought it might have been a cookie related issue as it was my 1st attempt to login to Smarkets on that box so I attempted to log in through the UI on that box.

Alas, this was to no avail. When I tried to log in through the UI, I get the same response:

However, if I login at the same time on my own device (which I have been using up until now), the request succeeds & I am logged in successfully.

I have tried browsers Firefox & Chrome.

Below is the response I got from the request outlined here.

NOTE: It was an HTML page but when I pasted it into the question this was the output

/]]>
</script>
</head>
<body id="iuam" class="">
   <header id="header">
      <div class="cf-browser-verification cf-im-under-attack">
         <noscript>
            <h1 data-translate="turn_on_js" style="color:#bd2426;">Please turn JavaScript on and reload the page.</h1>
         </noscript>
         <div id="cf-content" style="display:none">
            <div>
               <div class="bubbles"></div>
               <div class="bubbles"></div>
               <div class="bubbles"></div>
            </div>
            <h1><span data-translate="checking_browser">Checking your browser before accessing</span> smarkets.com.</h1>
            <p data-translate="process_is_automatic">This process is automatic. Your browser will redirect to your requested content shortly.</p>
            <p data-translate="allow_5_secs">Please allow up to 5 seconds&hellip;</p>
         </div>
         <form id="challenge-form" action="/?__cf_chl_jschl_tk__=05f4c64d6174b65f5a58f393721b9965347e5738-1581248173-0-AXaK-ccPwmF8bVzfb00lvn-M6---EMDIxqLGX7HeU7SdtkieQzgCUiTOrW2ODmEHFgOzUX7B5yBBrIr2T5E9i_IP0sSHrC918u4h$
         <input type="hidden" name="r" value="65dd487cdb6fefc2f5421cc2053668ec78b7801d-1581248173-0-AVvH77u64QV1/0U6RmGPxJQ6tAwxa9KOd6nBe4Ite4x1URAzy+tZ3b2Q3MaSMGVDzW0tx5bMD0wHvUCzVvtM/9jCGn6bgxg+0fRzt/w7Br3/Gsi11uy2c$
            <input type="hidden" name="jschl_vc" value="dff3387d6f82fe94c0017fc3defd907a"/>
         <input type="hidden" name="pass" value="1581248177.634-cvWC0BZAS3"/>
         <input type="hidden" id="jschl-answer" name="jschl_answer"/>
         </form>
      </div>
   </header>
   <div id="content">
      <h1>Checking your browser</h1>
      <img role="presentation" id="center-image" src="data:image/svg+xml;charset=us-ascii;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9Im5vIj8+Cjxzdmcgd2lkdGg9IjEyN3B4IiBoZWlnaHQ9IjEyN3B4I$
         <p>Please wait while we perform a quick security check. This should take no longer than 5 seconds.</p>
         <noscript>
         <p class="error">Please enable JavaScript to contiune.</p>
      </noscript>
   </div>
   <footer id="footer">
      <!-- Tel: <span class="tel">+44 (0)20 7617 7413</span> · <span class="adr"><span class="street-address">1 Commodity Quay</span> <span class="locality">St Katharine Docks</span> <span class="locality">London</$
   </footer>
</body>
</html>

I also tried to do the request to v0/sessions/ as is done in the browser but that came back with the same response.

If I go initially to smarkets.com, a 5 second page pops up labelled

Checking your browser before accessing smarkets.com

(As is highlighted in the above response)

I cannot see any differences in the requests between the browsers. Is there some sort of whitelisting of IPs going on in the background that I am not aware of? Why is it that I am getting 503s when attempting to login on my DO box?

NOTE: Javascript is enabled on the browsers

Thank you 🙂

Will

Hi Will,

I think that your browser may be blocking resources coming from smarkets.com since the domain is different from your site’s domain (you can find more details about the same origin policy here). In order to check if this is the case, you could have a look at the network calls in your browser.

I hope this helps.

Isabel

Hi Isabel,

I’m sorry but I’m not quite following what you are saying (I’m not fantastic with CORS). Are you suggesting that the browser on my DO box has the same-origin policy enabled but the 1 on my local machine does not? Both the browsers are running on the same OS (Ubuntu). Neither have had their configuration edited so I am unsure how 1 is able to resolve to login & the other not.

In any case, I disabled the web security for Chrome on the DO box & then I managed to successfully login via the browser. However, I am still getting a 503 when attempting to login via the API to v3/sessions/. This is my request using httpie:

http POST https://api.smarkets.com/v3/sessions/ 'Content-Type: application/json; Access-Control-Allow-Origin: *' username=willashworth@outlook.com password=<password> --download --output response.txt

(Ignore the --download section, that is just so I only get the headers in the response)

These are the response headers from a 201 response from the request done on my local machine:

HTTP/1.1 201 CREATED
CF-Cache-Status: DYNAMIC
CF-RAY: 5631ae0b4c52e59b-MAN
Cache-Control: no-cache, no-store
Connection: keep-alive
Content-Length: 144
Content-Type: application/json
Correlation-ID: 5631ae0b4c52e59b-MAN
Date: Mon, 10 Feb 2020 22:57:03 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cfduid=d17edfa496fe2f5b3a35c52283a4c58a21581375423; expires=Wed, 11-Mar-20 22:57:03 GMT; path=/; domain=.smarkets.com; HttpOnly; SameSite=Lax
Set-Cookie: User-Session-Token=WzIxMzY2NTEwLDg1MjAxNTA5XQ.JVzYcmxDCEc2ZzTNzD0_4hKiL6A; Domain=.smarkets.com; Expires=Wed, 11-Mar-2020 22:57:03 GMT; Secure; HttpOnly; Path=/
Set-Cookie: Logged-In=true; Domain=.smarkets.com; Expires=Wed, 11-Mar-2020 22:57:03 GMT; Secure; Path=/
X-Content-Type-Options: nosniff
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 9
X-RateLimit-Reset: 59

These are the headers from a 503 response done on my DO box:

HTTP/1.1 503 Service Temporarily Unavailable
CF-RAY: 5631a7d5987ee678-LHR
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Mon, 10 Feb 2020 22:52:48 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cfduid=d083aabcb6c3da21a6af22e538e4c27bc1581375168; expires=Wed, 11-Mar-20 22:52:48 GMT; path=/; domain=.smarkets.com; HttpOnly; SameSite=Lax
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN

I have set the Access-Control-Origin-Header to any origin so am unsure what else I could try. Can you offer any suggestions?

Thanks,

Will

Hi Will,

Access-Control-Origin-Header is a response header that indicates whether the response can be shared with the origin of the request, therefore setting it in the request header doesn’t have any effect. In any case, Cloudflare may be actually blocking requests coming from your DigitalOcean Droplet. You could send an email with your IP address to api@smarkets.com if you want us to check whether that’s the case.

Kind regards,
Isabel
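
Added example, not part of the thread and not Smarkets' or Cloudflare's own code: a Python check that tells a Cloudflare browser-check page apart from a reply that actually reached the API, using only fields visible in the responses posted above. The function names and the `ORIGIN_HEADERS` heuristic are assumptions made for this example.

```python
import re

# Strings that appear in the challenge page pasted in the first post.
CHALLENGE_MARKERS = ("cf-im-under-attack", 'id="challenge-form"', "jschl_answer")
# Headers present on the 201 in the thread but absent from the 503s (assumption:
# they are set by the API behind Cloudflare, not by the Cloudflare edge).
ORIGIN_HEADERS = ("correlation-id", "x-ratelimit-limit")

def parse_response(raw):
    """Parse a raw dump: status line, headers, blank line, optional body."""
    head, _, body = raw.strip().partition("\n\n")
    lines = head.splitlines()
    match = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers, body

def classify(raw):
    status, headers, body = parse_response(raw)
    via_cloudflare = headers.get("server", "").lower() == "cloudflare" or "cf-ray" in headers
    is_html = headers.get("content-type", "").lower().startswith("text/html")
    if any(h in headers for h in ORIGIN_HEADERS):
        return "api-response"          # the request reached the API
    if via_cloudflare and is_html and any(m in body for m in CHALLENGE_MARKERS):
        return "cloudflare-challenge"  # browser-check page, not an API error
    if via_cloudflare and is_html and status in (403, 503):
        return "cloudflare-edge-page"  # HTML from the edge; body needed to confirm
    return "unknown"

# Abridged from the responses posted in the thread; the 503 body is a
# constructed two-line fragment of the pasted challenge page.
LOCAL_201 = """HTTP/1.1 201 CREATED
Content-Type: application/json
Correlation-ID: 5631ae0b4c52e59b-MAN
Server: cloudflare
X-RateLimit-Limit: 10
"""
DROPLET_503 = """HTTP/1.1 503 Service Temporarily Unavailable
CF-RAY: 5631a7d5987ee678-LHR
Content-Type: text/html; charset=UTF-8
Server: cloudflare

<div class="cf-browser-verification cf-im-under-attack">
<form id="challenge-form">
"""
```

Calling `classify(LOCAL_201)` and `classify(DROPLET_503)` labels the two responses; a headers-only capture of the 503, like the one saved with `--download`, can only be labelled `cloudflare-edge-page` because the challenge markers live in the body.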

Hi Isabel,

Thank you for the reply. Having played around for a bit with CORS request headers, I have thought to set every request header I know of & I am still getting a 503 response. The request/response headers are shown below:

POST /v3/sessions/ HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate
Access-Control-Request-Headers: Content-Type, Accept
Access-Control-Request-Methods: POST
Connection: keep-alive
Content-Length: 72
Content-Type: application/json
Host: api.smarkets.com
Origin: <my_ip>
User-Agent: HTTPie/0.9.8

HTTP/1.1 503 Service Temporarily Unavailable
CF-RAY: 564a3d465f4ace7b-LHR
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Date: Thu, 13 Feb 2020 22:29:08 GMT
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cfduid=db52cbd29883a467f05da8135833a60b31581632948; expires=Sat, 14-Mar-20 22:29:08 GMT; path=/; domain=.smarkets.com; HttpOnly; SameSite=Lax
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN

I am not sure if Cloudflare is the issue as I am able to access 2 other APIs from the same box whose servers are also hosted by Cloudflare. Nevertheless, the configuration may be different for different APIs so I will request a check anyway.

Thank you,
Will