allow cookie+api-token GET REST requests

RESOLVED FIXED in Bugzilla 6.0

Status

()

Bugzilla
WebService
--
enhancement
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: glob, Assigned: glob)

Tracking

({relnote})

unspecified
Bugzilla 6.0
relnote
Bug Flags:
approval +

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

3 years ago
currently we don't have any way for javascript which is part of the bugzilla UI to make an authenticated GET REST request.

the rest server has the following comment:

# If we're being called using GET, we don't allow cookie-based or Env
# login, because GET requests can be done cross-domain, and we don't
# want private data showing up on another site unless the user
# explicitly gives that site their username and password. (This is
# particularly important for JSONP, which would allow a remote site
# to use private data without the user's knowledge, unless we had this
# protection in place.)

this stems from bug 550732:

> Both Cookie and Env auth are denied during GET requests (for future
> JSONP protection and because I just don't like the idea of external
> websites being able to get private bug data even now when they can't
> do anything with it)

imho this is an unnecessary restriction, and is preventing us from migrating internal code to the REST api.

using sessions/cookies for internal requests is the standard mechanism of authenticating internal requests (ie. most other frameworks operate this way).


we should allow any REST request to authenticate using cookie + api-token.
extract the user-id out of the cookie and use it to validate the api-token.
(Assignee)

Comment 1

3 years ago
Created attachment 8572410 [details] [diff] [review]
1139257_1.patch
Attachment #8572410 - Flags: review?(dkl)
(Assignee)

Comment 2

3 years ago
Created attachment 8572417 [details] [diff] [review]
1139257_2.patch

the first patch doesn't _require_ an api-token.

this revision will drop down to an unauthenticated request when doing a REST request using cookie auth but not api-token.

note: i haven't restricted this logic to GET requests only; i'm not sure if this is the right thing to do.
Attachment #8572410 - Attachment is obsolete: true
Attachment #8572410 - Flags: review?(dkl)
Attachment #8572417 - Flags: review?(dkl)
Comment on attachment 8572417 [details] [diff] [review]
1139257_2.patch

Review of attachment 8572417 [details] [diff] [review]:
-----------------------------------------------------------------

Works as expected. r=dkl

Here is the patch I used for testing if curious:

diff --git a/js/field.js b/js/field.js
index 167ab49..1343287 100644
--- a/js/field.js
+++ b/js/field.js
@@ -808,26 +808,14 @@ function browserCanHideOptions(aSelect) {
  * The Autoselect
  */
 YAHOO.bugzilla.userAutocomplete = {
-    counter : 0,
     dataSource : null,
-    generateRequest : function ( enteredText ){ 
-      YAHOO.bugzilla.userAutocomplete.counter = 
-                                   YAHOO.bugzilla.userAutocomplete.counter + 1;
-      YAHOO.util.Connect.setDefaultPostHeader('application/json', true);
-      var json_object = {
-          method : "User.get",
-          id : YAHOO.bugzilla.userAutocomplete.counter,
-          params : [ { 
-            Bugzilla_api_token: BUGZILLA.api_token,
-            match : [ decodeURIComponent(enteredText) ],
-            include_fields : [ "name", "real_name" ]
-          } ]
-      };
-      var stringified =  YAHOO.lang.JSON.stringify(json_object);
-      var debug = { msg: "json-rpc obj debug info", "json obj": json_object, 
-                    "param" : stringified}
+    generateRequest : function ( enteredText ) {
+      var params = "Bugzilla_api_token=" + BUGZILLA.api_token +
+                   "&match=" + decodeURIComponent(enteredText) +
+                   "&include_fields=name,real_name";
+      var debug = { msg: "rest debug info", "params" : params };
       YAHOO.bugzilla.userAutocomplete.debug_helper( debug );
-      return stringified;
+      return params;
     },
     resultListFormat : function(oResultData, enteredText, sResultMatch) {
         return ( YAHOO.lang.escapeHTML(oResultData.real_name) + " ("
@@ -839,16 +827,17 @@ YAHOO.bugzilla.userAutocomplete = {
             console.log("debug helper info:", arguments);
         }
         return true;
-    },    
+    },
     init_ds : function(){
-        this.dataSource = new YAHOO.util.XHRDataSource("jsonrpc.cgi");
+        YAHOO.util.Connect.initHeader('Accept', 'application/json', true);
+        this.dataSource = new YAHOO.util.XHRDataSource("rest.cgi/user?");
+        this.dataSource.responseType = YAHOO.util.XHRDataSource.TYPE_JSON;
         this.dataSource.connTimeout = 30000;
-        this.dataSource.connMethodPost = true;
         this.dataSource.connXhrMode = "cancelStaleRequests";
         this.dataSource.maxCacheEntries = 5;
         this.dataSource.responseSchema = {
-            resultsList : "result.users",
-            metaFields : { error: "error", jsonRpcId: "id"},
+            resultsList : "users",
+            metaFields : { error: "error" },
             fields : [
                 { key : "name" },
                 { key : "real_name"}
@@ -857,9 +846,9 @@ YAHOO.bugzilla.userAutocomplete = {
     },
     init : function( field, container, multiple ) {
         if( this.dataSource == null ){
-            this.init_ds();  
-        }            
-        var userAutoComp = new YAHOO.widget.AutoComplete( field, container, 
+            this.init_ds();
+        }
+        var userAutoComp = new YAHOO.widget.AutoComplete( field, container,
                                 this.dataSource );
         // other stuff we might want to do with the autocomplete goes here
         userAutoComp.maxResultsDisplayed = BUGZILLA.param.maxusermatches;
@@ -876,7 +865,6 @@ YAHOO.bugzilla.userAutocomplete = {
         if( multiple == true ){
             userAutoComp.delimChar = [","];
         }
-        
     }
 };
Attachment #8572417 - Flags: review?(dkl) → review+

Updated

3 years ago
Flags: approval?
(Assignee)

Comment 4

3 years ago
on irc lpsolit asked why the login_cookie is being cleared.

as per bug 726696, all authenicated webservice calls should require a token for authentication, so we cannot allow just cookie auth to succeed.

in other words, if a rest request includes a cookie but not an api-token we need to treat that as not-authenticated.  by first revision didn't do this -- you could make authenticated rest requests without an api-token as long as you provided a valid session cookie.

in order to prevent cookie-only auth, the cookie is removed from token-less rest requests.  the net effect is "ignore the login cookie on rest requests unless there's also an api-token".
(Assignee)

Comment 5

3 years ago
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   4a900ca..243d66a  master -> master
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: approval? → approval+
Resolution: --- → FIXED

Updated

3 years ago
Keywords: relnote
(Assignee)

Updated

3 years ago
Duplicate of this bug: 1206022

Updated

2 years ago
Blocks: 1268989
You need to log in before you can comment on or make changes to this bug.