Found (& Fixed) A Critical Bug In Authentication Process

We found a critical and frustrating bug in the authentication process that caused users to get logged out intermittently. We started seeing this sporadically around November, but it affected less than 1% of users, so the fix was deferred.

However, after Anuradha, the issue suddenly started spiking for a lot of users, to the point where it could no longer be ignored.

The toughest task was finding the issue. It was like finding a needle in a haystack, given the enormous codebase we now have. It took a lot of time to go through each code layer (frontend and backend).

The issue was first fixed on the website by the end of December, and in the TV apps by the first week of January.

However, even though the issue is fixed on the mobile apps, some very new and unforeseen requirements from both Apple and Google have given rise to the "app rejected" scenarios we tackled earlier.

For example, out of nowhere, Google is asking for dummy login credentials (which they didn't ask for over the last 6 months through multiple updates). However, since our login system is extremely secure and robust, authenticating only through a mobile-based OTP, it's not possible to create a "fake" login.

So we now have to bypass the login system, create an entirely new "login status token" in the backend, and then "fake authenticate" Google's employees to work around this.

The mobile apps still await approval due to this new requirement.