What is the bug or the crash? What were your expectations and what actually happened?
Hello for clarity purpose, I asked ChatG to summarize the issue but it is a bug we found today. Take care!
Description
We observed what appears to be an authentication issue in QField Mobile when the authentication token expires.
Environment
- QField Mobile: 4.2.4 (Coral Sea)
- QFieldCloud: Self-hosted
- Authentication: Token-based
- Server configuration:
QFIELDCLOUD_AUTH_TOKEN_EXPIRATION_HOURS=720 (30 days)
Expected behavior
When the authentication token has expired, QField should:
- Detect that the token is no longer valid.
- Discard the expired token.
- Prompt the user to authenticate again (or automatically request a new token after entering the password).
Actual behavior
When the token expires:
- QField displays "Wrong username or password", although the credentials are correct.
- The application continues attempting to use the expired token.
- Users believe their password is incorrect.
Server logs show:
AuthenticationViaTokenFailedError: Token has expired.
POST /api/v1/auth/token/ HTTP/1.1 -> 401 Unauthorized
Workaround
- We discovered the following workaround:
- Enter the correct username.
- Leave the password field empty.
- Press Login.
- QField displays "Session expired".
- Enter the correct password.
- Press Login again.
The application then successfully authenticates and generates a new token.
Why this seems like a bug
The server correctly reports that the authentication token has expired (401 Unauthorized with Token has expired), but the client initially reports a misleading "Wrong username or password" error instead of recognizing that the stored token is invalid.
This resulted in multiple users believing their credentials had become invalid, while the only issue was an expired token.
Suggested improvement
When receiving a 401 "Token has expired" response, QField should:
- invalidate the locally stored token,
- prompt the user to authenticate again (or automatically retry with credentials if available),
- display a message such as:
"Your session has expired. Please sign in again."
instead of
"Wrong username or password."
This would provide a much clearer user experience and avoid unnecessary confusion.
Steps to reproduce the issue
When your login token is passed the QFIELDCLOUD_AUTH_TOKEN_EXPIRATION_HOURS
Version
Mobile: 4.2.4 (Coral Sea)
Operating system name
Android
Operating system version
Android 16
Reinstall QField
Additional context
No response
What is the bug or the crash? What were your expectations and what actually happened?
Hello for clarity purpose, I asked ChatG to summarize the issue but it is a bug we found today. Take care!
Description
We observed what appears to be an authentication issue in QField Mobile when the authentication token expires.
Environment
QFIELDCLOUD_AUTH_TOKEN_EXPIRATION_HOURS=720 (30 days)
Expected behavior
When the authentication token has expired, QField should:
Actual behavior
When the token expires:
Server logs show:
AuthenticationViaTokenFailedError: Token has expired.
POST /api/v1/auth/token/ HTTP/1.1 -> 401 Unauthorized
Workaround
The application then successfully authenticates and generates a new token.
Why this seems like a bug
The server correctly reports that the authentication token has expired (401 Unauthorized with Token has expired), but the client initially reports a misleading "Wrong username or password" error instead of recognizing that the stored token is invalid.
This resulted in multiple users believing their credentials had become invalid, while the only issue was an expired token.
Suggested improvement
When receiving a 401 "Token has expired" response, QField should:
"Your session has expired. Please sign in again."
instead of
"Wrong username or password."
This would provide a much clearer user experience and avoid unnecessary confusion.
Steps to reproduce the issue
When your login token is passed the QFIELDCLOUD_AUTH_TOKEN_EXPIRATION_HOURS
Version
Mobile: 4.2.4 (Coral Sea)
Operating system name
Android
Operating system version
Android 16
Reinstall QField
Additional context
No response