I’ve been trying to track down the cause of the following gnome-software bug:
The following error message is being returned by snapd from a non-login API call:
cannot authenticate to snap store: Provided email/password is not correct.
It looks like the final Provided email/password is not correct
part is from the store, and judging by the tests this would be accompanied by the INVALID_CREDENTIALS
code. From what I’ve discovered, I believe this is the code path that leads to the error:
- client makes an API call to snapd providing a valid snapd macaroon for authentication.
- to process the API call, snapd makes a request to the store using the store macaroon corresponding to the client’s snapd macaroon.
- store responds with a 401 response with
WWW-Authenticate
- snapd calls
Store.refreshUser
, which attempts to refresh the discharges on that store macaroon. - store detects that the user has changed their password since the original macaroon was issued and responds with the
Provided email/password is not correct
error - snapd forwards that error on to the client
From what I can tell, the cannot authenticate to snap store:
prefix is added when snapd is forwarding a generic error from the store:
Since it is seen as a generic error gnome-software can’t do anything more useful than present it to the user, which is a bit unsatisfying.
So part of the solution would be to pass this error through in a way that gnome-software / snapd-glib can recognise. I can put together a PR for that easy enough. But there is still the open question of how this error should be handled exactly.
My first thought was to just throw out the stored snapd macaroon and start over. But this has the effect of leaving behind an non-viable snapd user ID. Will this lead to snapd making spurious calls to the store when refreshing snaps? What would happen to purchased snaps made using the old snapd login?
From a look through the snapd source, it looks like the right solution might be to call /v2/login
again with the existing snapd macaroon. It looks like this should associate a new store macaroon with the existing snapd login. Does that sound about right?