Balena cli login expired very soon

Hi, I found a login issue in recent balena cli versions like 12.38.6 or 12.38.8:

Just after a successful login, I can run commands like balena devices or balena apps without any problem. But after about 1 hour, running any these commands will get error like:

> balena --debug apps
[debug] new argv=[/home/xxx/balena-cli-v12.38.8/balena,/snapshot/versioned-source/bin/balena,apps] length=3
BalenaRequestError: Request error: <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /whoami</pre>
</body>
</html>

BalenaRequestError: Request error: <!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /whoami</pre>
</body>
</html>

    at Object.<anonymous> (/snapshot/versioned-source/node_modules/balena-request/build/request.js:190:27)
    at Generator.next (<anonymous>)
    at fulfilled (/snapshot/versioned-source/node_modules/tslib/tslib.js)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)

For further help or support, visit:
https://www.balena.io/docs/reference/balena-cli/#support-faq-and-troubleshooting

From the log of HAProxy in open Balena server, I can see the whoami API URL path is /user/v1/whoami just after login. But after 1 hour, the URL path of whoami API becomes /whoami, which causing the 404 error, and cli existing after that.

The ~/.balena/token JWT token’s exp timestamp is 1 week later, so I think it is not due to the token expiration.

Hello! Can you try v12.38.5, does the issue persist?

Yes, same issue for cli v12.38.5.

From the log of HAProxy in open Balena server, I can see the whoami API URL path is /user/v1/whoami just after login. But after 1 hour, the URL path of whoami API becomes /whoami , which causing the 404 error, and cli existing after that.

@yechaooo, thank you for these details. What version of openBalena are you using? I ask so that I can try and reproduce the issue. I was looking at the source code and I don’t see what could cause the CLI or the Node SDK to change the whoami URL from /user/v1/whoami to /whoami after one hour. I tested with balenaCloud as well, and I believe that both openBalena and balenaCloud should be checking the /user/v1/whoami endpoint only.

Also:

  • When the request starts failing (after 1 hour), does the following command succeed? Replacing mydomain.com with your openBalena domain name:
$ curl -i api.mydomain.com/ping
...
OK
  • After 1 hour, when balena apps fails, does balena login succeed? I.e., are you able to login again after 1 hour with balena login, without having to restart the openBalena server?

  • You mentioned “From the log of HAProxy in open Balena server.” What about the logs of the api service, do they show anything at the time when the /whoami request fails? I understand that haproxy simply forwards the whoami request to the api service, so the api service logs may contain additional clues to the problem.

  • Is there any NAT router, port forwarding config, or “dynamic DNS” setup around the openBalena server? I am considering the possibility that some such configurations are expiring after one hour.

I am also considering that the /whoami message in logs or printed to the console may not really indicate that a request was made to /whoami instead of /user/v1/whoami. Perhaps it’s simply an imprecise error message. For example, I found the following CLI issue where another user reports the same error message “when not logged in”: Error handling when not logged in (openBalena) · Issue #2090 · balena-io/balena-cli · GitHub

Hi. After Paulo’s comments, are you still having trouble with tokens?

openBalena server version is v3.1.2.

curl ping’s response is OK.

  1. When balena apps fails after 1 hour from last login, balena login can do login again with user/password.

  2. I think the log of HAProxy is actually from the API server.

  3. No.