Skip to content

Expired authentication token results in misleading "Wrong username or password" error instead of prompting re-authentication #7652

Description

@lartax

What is the bug or the crash? What were your expectations and what actually happened?

Hello for clarity purpose, I asked ChatG to summarize the issue but it is a bug we found today. Take care!

Description
We observed what appears to be an authentication issue in QField Mobile when the authentication token expires.

Environment

  • QField Mobile: 4.2.4 (Coral Sea)
  • QFieldCloud: Self-hosted
  • Authentication: Token-based
  • Server configuration:
    QFIELDCLOUD_AUTH_TOKEN_EXPIRATION_HOURS=720 (30 days)

Expected behavior
When the authentication token has expired, QField should:

  1. Detect that the token is no longer valid.
  2. Discard the expired token.
  3. Prompt the user to authenticate again (or automatically request a new token after entering the password).

Actual behavior
When the token expires:

  • QField displays "Wrong username or password", although the credentials are correct.
  • The application continues attempting to use the expired token.
  • Users believe their password is incorrect.
    Server logs show:
    AuthenticationViaTokenFailedError: Token has expired.
    POST /api/v1/auth/token/ HTTP/1.1 -> 401 Unauthorized

Workaround

  1. We discovered the following workaround:
  2. Enter the correct username.
  3. Leave the password field empty.
  4. Press Login.
  5. QField displays "Session expired".
  6. Enter the correct password.
  7. Press Login again.

The application then successfully authenticates and generates a new token.

Why this seems like a bug

The server correctly reports that the authentication token has expired (401 Unauthorized with Token has expired), but the client initially reports a misleading "Wrong username or password" error instead of recognizing that the stored token is invalid.

This resulted in multiple users believing their credentials had become invalid, while the only issue was an expired token.

Suggested improvement

When receiving a 401 "Token has expired" response, QField should:

  • invalidate the locally stored token,
  • prompt the user to authenticate again (or automatically retry with credentials if available),
  • display a message such as:

"Your session has expired. Please sign in again."

instead of

"Wrong username or password."

This would provide a much clearer user experience and avoid unnecessary confusion.

Steps to reproduce the issue

When your login token is passed the QFIELDCLOUD_AUTH_TOKEN_EXPIRATION_HOURS

Version

Mobile: 4.2.4 (Coral Sea)

Operating system name

Android

Operating system version

Android 16

Reinstall QField

  • I have a fresh install of the latest QField version, but the problem persists.
  • Problem can be reliably reproduced, doesn't happen randomly.
  • Problem happens with all files and projects, not only some files or projects.

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions