ryer.io

Bug Bounty: Unveiling the Token Confusion in ILiv App

TL;DR

  • Interviewing for an exciting front-end engineering role centered on AI workflows at GitLab.
  • Encountered a bug in the ILiv mobile app traced to a stale Auth0 token cached on the frontend.
  • Devised a plan to troubleshoot the cohort content endpoint error and user authorization issues.
  • Identified a frontend issue due to stale tokens causing app loading failures.
  • Mission: clear expired tokens on frontend upon failure to maintain seamless user experience.

This morning, my inbox graced me with an email from GitLab’s recruiter about moving to the fourth round of interviews for the intermediate front-end engineer role, targeted at crafting a feature-rich workflow catalog for AI implementations. This is exciting stuff, considering the potential of integrating seamless DevOps workflows with AI support!

Meanwhile, reality snapped me back to a quirky bug we had post-deployment of the ILiv mobile app. The new build was out, and as it often goes with these things, an elusive error popped up—related to the surveys endpoint on the backend. When the app checks for available surveys, the expected smooth 204 response was replaced by a 404 error carrying the message “cohort not found.”

As the detective of today’s tale, I stepped into AWS logs, confirming the suspicion that the cohort linked to the 404 error was, oddly enough, connected to my user ID. I went down the rabbit hole via AWS logs and MongoDB Compass to confirm this user ID issue. Upon verifying, the trail led me to consider checking if the cohort in question actually existed—it shockingly did not.

Next, I meandered through the auth layers and reached Auth0, where my searches uncovered a string of token exchange failures and, oddly, no devices linked to the problematic user. That pointed at the real culprit: the client was holding a stale Auth0 token, absent from Auth0’s logs but still cached on the frontend and sent with every request.

Resolution? Shift the spotlight to the app—scrutinize the frontend’s token management and ensure expired tokens flush away on errors. Clearing stale tokens on the client side for seamless retry or updated sessions will be the goal here, ensuring smoother user re-authentication and negating the jarring “cohort not found” pitfalls due to expired tokens.
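To make that concrete, here is an added example of the client-side guard described above (my own illustration, not code from the ILiv app). It assumes a synchronous key/value token store with `get`/`set`/`delete` (standing in for AsyncStorage or localStorage), a `request` function standing in for `fetch`, and a `/surveys` path and `auth0_access_token` storage key that are placeholders. The pre-flight check refuses to send a token whose `exp` has passed, and the failure handler evicts the token on 401/403 or whenever the cached token turns out to be expired, so the stale-token 404 triggers re-authentication instead of a stuck loading screen.

```javascript
const TOKEN_KEY = 'auth0_access_token';   // assumed storage key in the app's token store
const CLOCK_SKEW_SECONDS = 30;            // tolerance for device clock drift

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof Buffer !== 'undefined' ? Buffer.from(padded, 'base64').toString('utf8') : atob(padded);
}

// Reads only the exp claim; verifying the signature is the backend's job, not the client's.
function isTokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof token !== 'string' || token.split('.').length !== 3) return true;
  try {
    const { exp } = JSON.parse(base64UrlDecode(token.split('.')[1]));
    return typeof exp !== 'number' || exp <= nowSeconds + CLOCK_SKEW_SECONDS;
  } catch {
    return true;                          // undecodable token: treat it as stale
  }
}

// After a failed call: 401/403 always evicts the token; any other error (such as
// the 404 "cohort not found") evicts it only if it has expired, so a genuine
// 404 during a live session does not log the user out.
function onRequestFailure(status, store, nowSeconds) {
  const token = store.get(TOKEN_KEY);
  if (status === 401 || status === 403 || isTokenExpired(token, nowSeconds)) {
    store.delete(TOKEN_KEY);
    return { action: 'reauthenticate', status };
  }
  return { action: 'retry-later', status };
}

// The surveys check: never send a token already known to be stale, and clean up on failure.
async function fetchSurveys(request, store, nowSeconds) {
  const token = store.get(TOKEN_KEY);
  if (isTokenExpired(token, nowSeconds)) {
    store.delete(TOKEN_KEY);
    return { action: 'reauthenticate', status: null };
  }
  const res = await request('/surveys', { headers: { Authorization: `Bearer ${token}` } });
  if (res.status === 200 || res.status === 204) return { action: 'ok', status: res.status };
  return onRequestFailure(res.status, store, nowSeconds);
}
// Constructed fixture for local testing: an unsigned JWT shape that no backend would accept.
function makeTestToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}
```

In the app the store and `request` would be the real AsyncStorage and `fetch`; the `reauthenticate` action is where the login flow gets kicked off.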

For now, the loop closes with newfound action items—striking a balance between cleanliness of backend data and robustness in the client-side experience. With early preparations underway for the next phase of GitLab interviews and Nana watching over the boisterous lads, today’s lessons ring strong: hurdles are simply stepping stones mapped out in code.