"token invalid" when attempting to connect to Google account

I believe I've set everything up correctly. Running in k8s (from GitHub YAML, with modifications). I have enabled .../auth/userinfo.email, .../auth/userinfo.profile, openid, .../auth/calendar.events and ../auth/gmail.readonly in Google Cloud console. When I try to log in, it sends me to Google, where I authorise Twenty, then it shows a Cloudflare server error and in the server logs I see:
/app/packages/twenty-server/dist/src/engine/core-modules/auth/filters/auth-rest-api-exception.filter.js:32
throw new _common.InternalServerErrorException(exception.message);
^

InternalServerErrorException: Token invalid.
When I look at my granted Third-party apps & services here https://myaccount.google.com/u/2/connections, I don't see Twenty mentioned. What might I be doing wrong?
10 Replies
Malcolm Holmes (OP), 2mo ago
Envvars:
PORT: 3000
SERVER_URL: https://twenty.example.com
FRONT_BASE_URL: https://twenty.example.com
PG_DATABASE_URL: postgres://twenty:twenty@twentycrm-db/default
REDIS_HOST: twentycrm-redis
REDIS_PORT: 6379
ENABLE_DB_MIGRATIONS: true
SIGN_IN_PREFILLED: true
STORAGE_TYPE: local
MESSAGE_QUEUE_TYPE: bull-mq
ACCESS_TOKEN_EXPIRES_IN: 7d
LOGIN_TOKEN_EXPIRES_IN: 1h
ACCESS_TOKEN_SECRET: <set to the key 'accessToken' in secret 'tokens'> Optional: false
LOGIN_TOKEN_SECRET: <set to the key 'loginToken' in secret 'tokens'> Optional: false
REFRESH_TOKEN_SECRET: <set to the key 'refreshToken' in secret 'tokens'> Optional: false
FILE_TOKEN_SECRET: <set to the key 'fileToken' in secret 'tokens'> Optional: false
LOG_LEVELS: log,warn,error
CALENDAR_PROVIDER_GOOGLE_ENABLED: true
AUTH_GOOGLE_ENABLED: true
MESSAGING_PROVIDER_GMAIL_ENABLED: true
MESSAGING_PROVIDER_GMAIL_CALLBACK_URL: https://twenty.example.com/auth/google-gmail/get-access-token
AUTH_GOOGLE_CLIENT_ID: xxxxxxxx
AUTH_GOOGLE_CLIENT_SECRET: yyyyyyyy
AUTH_GOOGLE_CALLBACK_URL: https://twenty.example.com/auth/google-apis/get-access-token
AUTH_GOOGLE_APIS_CALLBACK_URL: https://twenty.example.com/auth/google/redirect
FRONT_AUTH_CALLBACK_URL: https://twenty.example.com/verify
IS_SIGN_UP_DISABLED: false
PASSWORD_RESET_TOKEN_EXPIRES_IN: 5m
thomast, 2mo ago
Hi @Malcolm Holmes, sorry for this huge delay. Do you still need help here?
Malcolm Holmes (OP), 2mo ago
Hi, yes, we'd still like to evaluate Twenty, and this would unblock us.
thomast, 2mo ago
@Raphaël could you take this one? 🙏
Raphaël, 2mo ago
@martmull
martmull, 2mo ago
GitHub
Build exceptions and handler (#6459) · twentyhq/twenty@2abb6ad
Adding exceptions and handler for auth services. Tested with: - Workspace creation - Workspace signup - Workspace invitation - Reset password - Adding email account - Impersonation --------- Co-...
martmull, 2mo ago
restApiExceptionFilter should only be used for bearer token connection @thomast
Raphaël, 2mo ago
The error is overridden in packages/twenty-server/src/engine/core-modules/jwt/services/jwt-wrapper.service.ts line 81:
throw new AuthException(
  'Token invalid.',
  AuthExceptionCode.UNAUTHENTICATED,
);
We should modify this to pass the correct error message, otherwise it is impossible to debug correctly.
@Malcolm Holmes did you set up your callback URLs correctly and authorize them in the cloud console?
Malcolm Holmes (OP), 2mo ago
I think so. They are in the envvars and shown in the console. I think it was under the "consent" screen, would have to take another look.
charles, 2mo ago
Keep us posted 🙂
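
Added example, not part of the thread or of Twenty's code: a check of the callback URL settings asked about above, run over the callback lines from the posted env listing. The variable-to-route pairing in EXPECTED_PATHS is an assumption inferred from the route names in those values; confirm it against the Twenty release you deploy.

```python
from urllib.parse import urlsplit

# Assumed pairing of variable -> callback route, inferred from the route names
# in the posted values; confirm against the Twenty release you deploy.
EXPECTED_PATHS = {
    "AUTH_GOOGLE_CALLBACK_URL": "/auth/google/redirect",
    "AUTH_GOOGLE_APIS_CALLBACK_URL": "/auth/google-apis/get-access-token",
    "MESSAGING_PROVIDER_GMAIL_CALLBACK_URL": "/auth/google-gmail/get-access-token",
}

# Callback-related lines copied from the env listing posted in the thread.
POSTED_ENV = """\
SERVER_URL: https://twenty.example.com
MESSAGING_PROVIDER_GMAIL_CALLBACK_URL: https://twenty.example.com/auth/google-gmail/get-access-token
AUTH_GOOGLE_CALLBACK_URL: https://twenty.example.com/auth/google-apis/get-access-token
AUTH_GOOGLE_APIS_CALLBACK_URL: https://twenty.example.com/auth/google/redirect
"""

def parse_env(text):
    """Parse 'KEY: value' lines (kubectl-describe style) into a dict."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            env[key.strip()] = value.strip()
    return env

def check_callbacks(env):
    """Return (findings, redirect_uris) for the Google OAuth callback settings."""
    findings, uris = [], []
    server = urlsplit(env.get("SERVER_URL", ""))
    for name, path in EXPECTED_PATHS.items():
        value = env.get(name)
        if not value:
            findings.append(f"{name}: not set")
            continue
        url = urlsplit(value)
        uris.append(value)
        if url.scheme != "https":
            findings.append(f"{name}: scheme is {url.scheme!r}, expected https")
        if (url.scheme, url.netloc) != (server.scheme, server.netloc):
            findings.append(f"{name}: origin differs from SERVER_URL")
        if url.path != path:
            findings.append(f"{name}: path {url.path} does not match expected {path}")
    return findings, sorted(set(uris))

if __name__ == "__main__":
    findings, uris = check_callbacks(parse_env(POSTED_ENV))
    print("\n".join(findings) or "no findings")
    print("Redirect URIs to register verbatim on the OAuth client:", *uris, sep="\n")
```

Google compares the `redirect_uri` sent by the server against the OAuth client's authorized redirect URIs as an exact string, so every URL in the second list has to be registered character for character.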