Closed
Bug 1109178
Opened 10 years ago
Closed 9 years ago
Thunderbird OAuth implementation does not work with Evernote
Categories
(Thunderbird :: FileLink, defect)
Thunderbird
FileLink
Tracking
(thunderbird38 fixed, thunderbird39 fixed, thunderbird40 fixed)
RESOLVED
FIXED
Thunderbird 40.0
People
(Reporter: mkaply, Assigned: mkaply)
References
Details
Attachments
(1 file, 3 obsolete files)
3.97 KB,
patch
|
mkaply
:
review+
rkent
:
approval-comm-aurora+
rkent
:
approval-comm-beta+
|
Details | Diff | Splinter Review |
I was attempting to use oauth.jsm and found a couple bugs. 1. oauth_token is passed even if it is empty (intial request). This breaks Evernote because Evernote uses the same oauth entrypoint for all requests and uses the presence of this parameter to determine if it is an initial request or not. oauth_token should not be sent if empty. 2. http://mxr.mozilla.org/comm-central/source/mail/base/modules/oauth.jsm#194 is incorrect. It's checking for data.oauth_token_secret, but there is no oauth_token_secret if you are using PLAINTEXT auth.
Assignee | ||
Comment 1•10 years ago
|
||
Also, if authorizeMethod or requestCredentialsMethod isn't specified, defaults are used. Again, this breaks evernote which uses one oAuth endpoint. You should be required to specify the individual endpoints, or there should be a way to specify empty endpoints. Right now null is treated the same as "".
Assignee | ||
Comment 2•10 years ago
|
||
Also, success callback after connection should return the response (excluding token and token_secret) because some services (like evernote) return data back after the authentication.
Comment 3•10 years ago
|
||
The OAUTH implementation is certainly a work in progress, unfortunately each implementation is slightly different (as you're seeing with Evernote). I've CCed Philipp, who (with me) seem to be the current maintainers of this code.
Summary: Bugs in the Thunderbird OAuth implementation → Thunderbird OAuth implementation does not work with Evernote
Assignee | ||
Comment 4•10 years ago
|
||
I have fixes for some of these and I will post.
Comment 5•10 years ago
|
||
Great! Thanks. Feel free to r? me.
Comment 6•9 years ago
|
||
(In reply to Mike Kaply [:mkaply] from comment #4) > I have fixes for some of these and I will post. Mike, we're close to release but we still might be able to sneak them in
Flags: needinfo?(mozilla)
Assignee | ||
Comment 7•9 years ago
|
||
Here's a patch that fixes the issues I found. It shouldn't change any existing behavior.
Flags: needinfo?(mozilla)
Assignee | ||
Updated•9 years ago
|
Attachment #8596237 -
Flags: review?(clokep)
Comment 8•9 years ago
|
||
Comment on attachment 8596237 [details] [diff] [review] Fixes for my issues Review of attachment 8596237 [details] [diff] [review]: ----------------------------------------------------------------- ::: mail/base/modules/oauth.jsm @@ +45,5 @@ > + if (typeof aRequestCredentialsMethod === "undefined") { > + this.requestCredentialsMethod = "oauth/access_token"; > + } else { > + this.requestCredentialsMethod = aRequestCredentialsMethod > + } Why this change? If we are going to do this doesn't it make more sense to do (e.g.): if (aTempCredentialsMethod === undefined) { @@ +306,5 @@ > > this.token = result.oauth_token; > this.tokenSecret = result.oauth_token_secret; > + delete(result.oauth_token); > + delete(result.oauth_token_secret); I'm not against deleting this from the result, but I'm not convinced it's necessary either.
Attachment #8596237 -
Flags: review?(clokep) → review-
Assignee | ||
Comment 9•9 years ago
|
||
(In reply to Patrick Cloke [:clokep] from comment #8) > Comment on attachment 8596237 [details] [diff] [review] > Fixes for my issues > > Review of attachment 8596237 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: mail/base/modules/oauth.jsm > @@ +45,5 @@ > > + if (typeof aRequestCredentialsMethod === "undefined") { > > + this.requestCredentialsMethod = "oauth/access_token"; > > + } else { > > + this.requestCredentialsMethod = aRequestCredentialsMethod > > + } > > Why this change? If we are going to do this doesn't it make more sense to do > (e.g.): > if (aTempCredentialsMethod === undefined) { This change is because there's currently no way to say "This API doesn't need an additional requestCredentialsMethod". If you pass empty string (which means don't add anything), it's interpreted as null, so you get "oauth/access_token" appended. So there needs to be a way to use oauth/access_token when you don't define anything, but don't use it if you specify empty string. And yes, there's probably a better way to do it. Wasn't sure which was the best way. Is === undefined a better option for detecting unpassed parameters? > > @@ +306,5 @@ > > > > this.token = result.oauth_token; > > this.tokenSecret = result.oauth_token_secret; > > + delete(result.oauth_token); > > + delete(result.oauth_token_secret); > > I'm not against deleting this from the result, but I'm not convinced it's > necessary either. Yeah, I realized that after I did the patch. They aren't really secret to the consumer.
Assignee | ||
Comment 10•9 years ago
|
||
Attachment #8596237 -
Attachment is obsolete: true
Attachment #8596856 -
Flags: review?(clokep)
Comment 11•9 years ago
|
||
Comment on attachment 8596856 [details] [diff] [review] Address review comments Review of attachment 8596856 [details] [diff] [review]: ----------------------------------------------------------------- This looks fine to me!
Attachment #8596856 -
Flags: review?(clokep) → review+
Comment 12•9 years ago
|
||
Why not use js default parameters? function OAuth(aDisplayName, aBaseUri, aAuthUri, aAuthToken, aAuthTokenSecret, aAppKey, aAppSecret, aSignatureMethod="HMAC-SHA1", aTempCredentialsMethod="oauth/request_token", aAuthorizeMethod="oauth/authorize", aRequestCredentialsMethod="oauth/access_token") { ...
Comment 13•9 years ago
|
||
(In reply to Philipp Kewisch [:Fallen] from comment #12) > Why not use js default parameters? > > > function OAuth(aDisplayName, aBaseUri, aAuthUri, aAuthToken, > aAuthTokenSecret, > aAppKey, aAppSecret, aSignatureMethod="HMAC-SHA1", > aTempCredentialsMethod="oauth/request_token", > aAuthorizeMethod="oauth/authorize", > aRequestCredentialsMethod="oauth/access_token") { ... Exactly what I was about to suggest! :-)
Assignee | ||
Comment 14•9 years ago
|
||
> Why not use js default parameters?
I didn't even know they existed. New patch coming.
Assignee | ||
Comment 15•9 years ago
|
||
I don't think we should use it for signature method, otherwise you would have to specify the signature method if you wanted to redefine the credentials. So I would keep the old way for HMAC_SHA1 (so null defaults to that) and use default parameters for the rest.
Assignee | ||
Comment 16•9 years ago
|
||
One more time.
Assignee: nobody → mozilla
Attachment #8596856 -
Attachment is obsolete: true
Attachment #8597237 -
Flags: review?(clokep)
Comment 17•9 years ago
|
||
Comment on attachment 8597237 [details] [diff] [review] 1109178.diff Review of attachment 8597237 [details] [diff] [review]: ----------------------------------------------------------------- I totally blanked on the default parameters, sorry about that! r+ with a few nits fixed. ::: mail/base/modules/oauth.jsm @@ +20,5 @@ > function OAuth(aDisplayName, aBaseUri, aAuthUri, aAuthToken, aAuthTokenSecret, > + aAppKey, aAppSecret, aSignatureMethod, > + aTempCredentialsMethod="oauth/request_token", > + aAuthorizeMethod="oauth/authorize", > + aRequestCredentialsMethod="oauth/access_token") Nit: Spaces around =. @@ +35,5 @@ > > this.signatureMethod = aSignatureMethod || "HMAC-SHA1"; > + this.tempCredentialsMethod = aTempCredentialsMethod > + this.authorizeMethod = aAuthorizeMethod > + this.requestCredentialsMethod = aRequestCredentialsMethod Nit: Add a semi-colon to the end of each of these lines before check-in. @@ +107,5 @@ > ]); > + if (this.token) { > + params = params.concat([ > + ["oauth_token", this.token], > + ]); This can just be params.push(["oauth_token, this.token]) since there's only one value being added.
Attachment #8597237 -
Flags: review?(clokep) → review+
Assignee | ||
Comment 18•9 years ago
|
||
Forgotten semicolons? It's amateur hour over here. So what are the checkin rules here? Is there a comm-central-inbound?
Comment 19•9 years ago
|
||
Commit to comm-central directly if it is open after starring things on treeherder [1], otherwise mark checkin-needed (but upload a new patch with the nits fixed). Looks like stuff is pretty unstarred / red right now, so maybe checkin-needed might be your best bet? [1] https://treeherder.mozilla.org/#/jobs?repo=comm-central
Assignee | ||
Comment 20•9 years ago
|
||
Attachment #8597237 -
Attachment is obsolete: true
Assignee | ||
Comment 21•9 years ago
|
||
Comment on attachment 8597307 [details] [diff] [review] Final patch for checkin Review of attachment 8597307 [details] [diff] [review]: ----------------------------------------------------------------- Carrying over r+ from :clokep
Attachment #8597307 -
Flags: review+
Assignee | ||
Updated•9 years ago
|
Keywords: checkin-needed
Comment 22•9 years ago
|
||
Fixed -> https://hg.mozilla.org/comm-central/rev/6b81e33574d0
Status: NEW → RESOLVED
Closed: 9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 40.0
Comment 23•9 years ago
|
||
Comment on attachment 8597307 [details] [diff] [review] Final patch for checkin [Approval Request Comment] Regression caused by (bug #): User impact if declined: Testing completed (on c-c, etc.): Risk to taking this patch (and alternatives if risky): Could somebody who is familiar with the issues here fill in some of the approval form for targeting tb-38? I'll consider this for beta 4 or beta 5.
Attachment #8597307 -
Flags: approval-comm-beta?
Attachment #8597307 -
Flags: approval-comm-aurora?
Assignee | ||
Comment 24•9 years ago
|
||
This patch is very low risk because it doesn't change existing behavior. It will allow the oauth module to be used for other services (evernote) by addons.
Comment 25•9 years ago
|
||
Comment on attachment 8597307 [details] [diff] [review] Final patch for checkin http://hg.mozilla.org/releases/comm-aurora/rev/ef2dc070e814 http://hg.mozilla.org/releases/comm-beta/rev/891622c58ed2
Attachment #8597307 -
Flags: approval-comm-beta?
Attachment #8597307 -
Flags: approval-comm-beta+
Attachment #8597307 -
Flags: approval-comm-aurora?
Attachment #8597307 -
Flags: approval-comm-aurora+
Updated•9 years ago
|
status-thunderbird38:
--- → fixed
status-thunderbird39:
--- → fixed
status-thunderbird40:
--- → fixed
You need to log in
before you can comment on or make changes to this bug.
Description
•