Support Escalation Runbook — Mobile Auth Issues
Date: 2026-02-03
Symptoms
- User can’t sign in (Sign In disabled / blocked)
- User returns from browser but app shows error (callback rejected)
- Login loop / frequent re-auth
- Session refresh fails / user is logged out unexpectedly
Quick triage checklist
- Confirm the user is on an Alga-hosted environment and using the correct base URL.
- Confirm the base URL host is allowlisted (if allowlist enabled).
- Confirm the tenant has at least one SSO provider configured (Microsoft/Google).
Common failure modes
“Host not allowlisted”
- Cause: mobile base URL host doesn’t match `hostedDomainAllowlist`.
- Fix: update allowlist, or correct mobile `EXPO_PUBLIC_ALGA_BASE_URL`.
Callback “state mismatch” / “missing params”
- Cause: deep link was not the expected callback URL or `state` was lost.
- Fix:
  - Ensure app scheme is correct (`alga://`).
  - Ensure the sign-in flow uses `/auth/mobile/handoff` with `state`.
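The host allowlist check and the callback checks above can be reproduced offline while triaging a report. This is an added example, not code from the Alga PSA repository; the function names, the `ott` parameter name, the `auth/callback` path and the sample hosts are assumptions.

```javascript
// Added triage helper, not Alga PSA code. Function names are hypothetical.
// Assumption: the callback carries `state` plus a one-time token named `ott`.
const REQUIRED_PARAMS = ['state', 'ott'];

// Compare the parsed hostname exactly (case-insensitive) against the allowlist.
// Parsing first avoids substring mistakes such as
// "https://alga.example.com@unrelated.test", whose real host is unrelated.test.
function checkBaseUrlHost(baseUrl, allowlist) {
  let host;
  try {
    host = new URL(baseUrl).hostname.toLowerCase();
  } catch {
    return { ok: false, reason: 'base URL does not parse' };
  }
  const allowed = allowlist.map((h) => h.trim().toLowerCase());
  return allowed.includes(host)
    ? { ok: true, reason: 'host allowlisted' }
    : { ok: false, reason: `host not allowlisted: ${host}` };
}

// Reproduce the callback rejection reasons from the runbook:
// wrong scheme, missing params, or a state value that differs from the one sent.
function checkCallback(callbackUrl, expectedState) {
  let url;
  try {
    url = new URL(callbackUrl);
  } catch {
    return { ok: false, reason: 'callback does not parse' };
  }
  if (url.protocol !== 'alga:') {
    return { ok: false, reason: `unexpected scheme: ${url.protocol}` };
  }
  const missing = REQUIRED_PARAMS.filter((p) => !url.searchParams.get(p));
  if (missing.length > 0) {
    return { ok: false, reason: `missing params: ${missing.join(', ')}` };
  }
  if (url.searchParams.get('state') !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  return { ok: true, reason: 'callback accepted' };
}

// Constructed sample values for a dry run.
const allowlist = ['alga.example.com'];
console.log(checkBaseUrlHost('https://ALGA.example.com/', allowlist));
console.log(checkBaseUrlHost('https://alga.example.com@unrelated.test/', allowlist));
console.log(checkCallback('alga://auth/callback?state=s1&ott=t1', 's1'));
console.log(checkCallback('alga://auth/callback?ott=t1', 's1'));
```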
OTT exchange fails (400/401/429)
- 400 validation: incorrect payload; confirm mobile app version aligns with server contract.
- 401 auth: OTT expired or already used; check `ALGA_MOBILE_OTT_TTL_SEC` and user retry timing.
- 429: rate limiting; verify if user is repeatedly triggering sign-in.
Refresh fails / session revoked
- Cause: refresh token rotated/revoked; user logged out.
- Fix:
  - Verify refresh rotation tables/migrations are applied.
  - Inspect audit log entries for refresh/revoke.
Data to collect for escalation
- Approximate timestamp (UTC) of the failure.
- Tenant id (from Settings → Account).
- Mobile app build/version (Settings → Diagnostics).
- Platform (iOS/Android) and device model/OS version.
- Correlation id(s) from server logs (`x-correlation-id`) around the failure.
- Server audit log events for mobile auth:
  - OTT issued/exchanged
  - Refresh succeeded/failed
  - Revoke/logout