Closed Bug 1093622 Opened 10 years ago Closed 10 years ago

authenticated calls from bzapi are failing: 'Untrusted Authentication Request'

Categories

(bugzilla.mozilla.org :: API, defect)

Product:
bugzilla.mozilla.org
Component:
API
Version:
Production
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: glob, Assigned: glob)

References

Details

this is caused by bug 1090427. i'm going to back out those changes so we can figure out what we can do to provide csrf protection in a way which doesn't break bzapi.
Depends on: 1090427
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git 64fc523..ede3ced master -> master
BzAPI, for some operations such as search, etc., is using the normal cgi's such as buglist.cgi to get data back. It takes username=foo@bar.com&password=password and converts it to Bugzilla_login=foo@bar.com&Bugzilla_password=password before calling buglist.cgi. buglist.cgi thinks the user is using the login form at the top of each Bugzilla page since it doesn't know the user is a webservice. The form normally has a token embedded that is missing in this case so the error is being thrown. 1) We can leave this out until api-dev is decommissioned soon 2) Fix BzAPI to use the native REST search function instead of buglist.cgi as WebServices do not need the embedded token to work. 3) Hack the BMO code to not look for the token if referrer is api-dev 4) or fix BzAPI to obtain a login token and pass it along with the credentials. 1) obviously is the easiest fix. I would need to talk to Gerv and see how much effort would be involved with 2-4. Thoughts? dkl
1) We're aiming to decommission api-dev starting in a couple of weeks. Because we plan to replace with a redirect, we don't have to have zero usage before we decommission. But it may take a little while longer to get the alternative (redirecting) server stood up and in place. 2) is not possible unless the native REST search function has received a substantial upgrade such that it's as powerful as buglist.cgi. Last I heard, this hadn't happened, but I could be out of date. 3) That sounds fairly simple. 4) This would slow down BzAPI by one RTT for every search. Given 1), this doesn't sound like a great solution. So I'd suggest 1). Are you guys OK with that? Gerv
(In reply to Gervase Markham [:gerv] from comment #4) > 1) We're aiming to decommission api-dev starting in a couple of weeks. > Because we plan to replace with a redirect, we don't have to have zero usage > before we decommission. But it may take a little while longer to get the > alternative (redirecting) server stood up and in place. > > 2) is not possible unless the native REST search function has received a > substantial upgrade such that it's as powerful as buglist.cgi. Last I heard, > this hadn't happened, but I could be out of date. Bug.search (and therefore /bzapi/bug) supports full search functionality similar to buglist.cgi (minus saved searches) for quite a bit now. > 3) That sounds fairly simple. Rather not do this as it is a customization which we would need to maintain. > 4) This would slow down BzAPI by one RTT for every search. Given 1), this > doesn't sound like a great solution. This would also break getting a single bug as well I think since I remember you use show_bug.cgi?ctype=xml for that and it also requires a embedded login token. > So I'd suggest 1). Are you guys OK with that? I am fine with 1) as well. dkl
looks like a WONTFIX is required here.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.