Closed Bug 1125426 Opened 11 years ago Closed 10 years ago

Invalid FxA oauth requests are not handled in Webpay

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P4)

Avenir
x86
macOS
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: kumar, Unassigned)

Details

If you make an invalid oauth request to webpay it blows up in subtle ways. The exception is different for me locally than on the dev server. In either case, these invalid requests should be caught in a more upfront manner and should not cause a 500 because we don't want it to create noise in Sentry.

STR:

curl -v https://marketplace-dev.allizom.org/mozpay/auth/fxa-login -X POST -d 'state=nope&auth_response=youbetcha'

http://sentry.dmz.phx1.mozilla.com/marketplace-dev/marketplace-dev-webpay/group/23308/

Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 113, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "newrelic/packages/wrapt/wrappers.py", line 452, in __call__
    args, kwargs)
  File "newrelic/hooks/framework_django.py", line 485, in wrapper
    return wrapped(*args, **kwargs)
  File "webpay/base/decorators.py", line 11, in wrapper
    response = func(*args, **kw)
  File "webpay/auth/views.py", line 191, in fxa_login
    request.POST.get('auth_response'))
  File "webpay/auth/views.py", line 175, in _fxa_authorize
    client_secret=client_secret)
  File "requests_oauthlib/oauth2_session.py", line 143, in fetch_token
    state=self._state)
  File "oauthlib/oauth2/rfc6749/clients/web_application.py", line 173, in parse_request_uri_response
    response = parse_authorization_code_response(uri, state=state)
  File "oauthlib/oauth2/rfc6749/parameters.py", line 161, in parse_authorization_code_response
    raise InsecureTransportError()

InsecureTransportError

Locally I get:

Traceback (most recent call last):
  File "/usr/local/Cellar/python/2.7.6/Frameworks/Python.framework/Versions/2.7/lib/python2.7/wsgiref/handlers.py", line 85, in run
    self.result = application(self.environ, self.start_response)
  File "/Users/kumar/.virtualenvs/webpay/lib/python2.7/site-packages/django/contrib/staticfiles/handlers.py", line 72, in __call__
    return self.application(environ, start_response)
  File "/Users/kumar/.virtualenvs/webpay/lib/python2.7/site-packages/django/core/handlers/wsgi.py", line 255, in __call__
    response = self.get_response(request)
  File "/Users/kumar/.virtualenvs/webpay/lib/python2.7/site-packages/django/core/handlers/base.py", line 176, in get_response
    response = self.handle_uncaught_exception(request, resolver, sys.exc_info())
  File "/Users/kumar/.virtualenvs/webpay/lib/python2.7/site-packages/django/core/handlers/base.py", line 113, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/Users/kumar/dev/webpay/webpay/base/decorators.py", line 11, in wrapper
    response = func(*args, **kw)
  File "/Users/kumar/dev/webpay/webpay/auth/views.py", line 191, in fxa_login
    request.POST.get('auth_response'))
  File "/Users/kumar/dev/webpay/webpay/auth/views.py", line 175, in _fxa_authorize
    client_secret=client_secret)
  File "/Users/kumar/.virtualenvs/webpay/lib/python2.7/site-packages/requests_oauthlib/oauth2_session.py", line 143, in fetch_token
    state=self._state)
  File "/Users/kumar/.virtualenvs/webpay/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/clients/web_application.py", line 173, in parse_request_uri_response
    response = parse_authorization_code_response(uri, state=state)
  File "/Users/kumar/.virtualenvs/webpay/lib/python2.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 167, in parse_authorization_code_response
    raise MissingCodeError("Missing code parameter in response.")
MissingCodeError
A similar (maybe the same) problem occurs on zamboni intermittently. The impression we had was that FxA was not returning all the values. If it hadn't been going into Sentry, we probably wouldn't have spotted it.

http://sentry.mktmon.services.phx1.mozilla.com/mkt/marketplacefirefoxcom/group/12490/
Priority: -- → P4
It might be that zamboni isn't handling error responses explicitly. I had to patch webpay for this:

https://github.com/mozilla/webpay/blob/master/webpay/auth/views.py#L194-L197

In zamboni the code is a little safer but still doesn't really report error responses.
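
An added example, not webpay's or zamboni's code: a standard-library sketch of checking the posted callback up front, so that the two failures in the tracebacks above and a provider error response each become a 400 with a reason instead of an uncaught exception. The function name, the `(status, detail)` return shape and the sample values are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlparse


def check_fxa_callback(post, expected_state):
    """Validate a posted OAuth callback; return (http_status, detail).

    post: dict of form fields. expected_state: the state value stored in
    the session when login started. Names are assumptions for this sketch.
    """
    state = post.get("state") or ""
    auth_response = post.get("auth_response") or ""
    if not state or not auth_response:
        return 400, "missing_parameter"
    # Anti-CSRF state first, compared in constant time.
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        return 400, "state_mismatch"
    uri = urlparse(auth_response)
    # What oauthlib reports as InsecureTransportError.
    if uri.scheme != "https" or not uri.netloc:
        return 400, "not_https_uri"
    params = parse_qs(uri.query)
    # RFC 6749 4.1.2.1: the provider may send error=... instead of a code.
    if "error" in params:
        return 400, "provider_error:" + params["error"][0]
    # What oauthlib reports as MissingCodeError.
    if not params.get("code"):
        return 400, "missing_code"
    # The state echoed inside the redirect URI must match as well.
    echoed = params.get("state", [""])[0]
    if not hmac.compare_digest(echoed.encode(), state.encode()):
        return 400, "state_mismatch"
    return 200, params["code"][0]


if __name__ == "__main__":
    # Constructed sample inputs; "abc" stands in for the session's state.
    samples = [
        {"state": "nope", "auth_response": "youbetcha"},
        {"state": "abc", "auth_response": "youbetcha"},
        {"state": "abc", "auth_response": "https://rp.example/cb?state=abc"},
        {"state": "abc", "auth_response": "https://rp.example/cb?error=access_denied&state=abc"},
        {"state": "abc", "auth_response": "https://rp.example/cb?code=c0de&state=abc"},
    ]
    for sample in samples:
        print(sample, "->", check_fxa_callback(sample, "abc"))
```
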
Based on the recently announced future plans for the Marketplace to remove payments, closing these bugs.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX