STR:

1. Login to Treeherder with Persona from the top-left corner of the UI.

Expected results: I'm authenticated and can perform tasks that require authentication.

Actual results: The login fails silently with the following response body for /browserid/login/:

> Forbidden (403)
>
> CSRF verification failed. Request aborted.
>
> You are seeing this message because this site requires a CSRF cookie
> when submitting forms. This cookie is required for security reasons,
> to ensure that your browser is not being hijacked by third parties.
>
> If you have configured your browser to disable cookies, please
> re-enable them, at least for this site, or for 'same-origin' requests.

Further information:

- This failure occurs also with a clean profile for both Firefox 40 and Chromium 44.
- I'm not a Mozilla employee but the email I'm using to log into Persona is the same as for my level 1 commit access LDAP account (see my BMO email).
- I've successfully logged in to Treeherder previously.
- The request to browserid/login does not contain any cookies.

The request headers are:

> POST /browserid/login/ HTTP/1.1
> Host: treeherder.mozilla.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
> Accept: application/json, text/plain, */*
> Accept-Language: fi-FI,fi;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> DNT: 1
> Content-Type: application/x-www-form-urlencoded; charset=UTF-8
> Referer: https://treeherder.mozilla.org/
> Content-Length: 1838
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache

And the response headers:

> HTTP/1.1 403 FORBIDDEN
> Server: gunicorn/19.3.0
> X-Backend-Server: treeherder1.webapp.scl3.mozilla.com
> Vary: Accept-Encoding
> Cache-Control: max-age=900
> Content-Type: text/html; charset=UTF-8
> Content-Encoding: gzip
> Date: Sun, 23 Aug 2015 04:15:00 GMT
> Keep-Alive: timeout=5, max=1000
> Expires: Sun, 23 Aug 2015 04:30:00 GMT
> Transfer-Encoding: chunked
> Connection: Keep-Alive

This seems to be very similar to bug 1197368 but since that only talks about creating a new account, I thought to log a separate one.
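The check behind the 403 quoted above, as an added Python model that is not Treeherder's or Django's own code: it mirrors the double-submit cookie comparison Django's CsrfViewMiddleware performs on unsafe requests, shows why a POST from a profile that has never received the csrftoken cookie is rejected before any submitted token is even compared, and shows the usual remedy of setting the cookie on the landing page before the first XHR (the pattern behind Django's ensure_csrf_cookie). The reason strings, the `landing_page`/`persona_login` helpers and the scenario are assumptions of the model, not the project's fix.

```python
import hmac
import secrets

# Names as used by Django's CsrfViewMiddleware, the server that produced the 403 above
CSRF_COOKIE = "csrftoken"
CSRF_HEADER = "X-CSRFToken"
CSRF_FIELD = "csrfmiddlewaretoken"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def csrf_check(method, cookies, headers, form):
    """Simplified model of Django's double-submit CSRF check (assumption: not the real code).

    Returns None when the request passes, otherwise (403, reason). The order matters:
    a request carrying no csrftoken cookie is rejected before the submitted token is
    compared at all, which is exactly the first-login case in this bug.
    """
    if method in SAFE_METHODS:
        return None  # safe methods are never checked
    cookie_token = cookies.get(CSRF_COOKIE)
    if cookie_token is None:
        return (403, "CSRF cookie not set.")
    sent = form.get(CSRF_FIELD) or headers.get(CSRF_HEADER) or ""
    if not hmac.compare_digest(cookie_token, sent):
        return (403, "CSRF token missing or incorrect.")
    return None


def landing_page(cookies):
    """Model of a GET decorated with ensure_csrf_cookie: it sets the cookie when the
    browser has none yet, so a later POST from the same profile can echo it."""
    if CSRF_COOKIE not in cookies:
        cookies[CSRF_COOKIE] = secrets.token_hex(16)
    return cookies


def persona_login(cookies, assertion):
    """Client-side POST to /browserid/login/ that echoes the cookie into the header."""
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
    if CSRF_COOKIE in cookies:
        headers[CSRF_HEADER] = cookies[CSRF_COOKIE]
    return csrf_check("POST", cookies, headers, {"assertion": assertion})


def first_visit_then_login(prime_cookie):
    """Constructed scenario: a fresh profile with no cookies. With prime_cookie=False
    the POST goes out like the request quoted above and is rejected; with
    prime_cookie=True the landing page sets the cookie first and the login passes."""
    cookies = {}
    if prime_cookie:
        landing_page(cookies)
    return persona_login(cookies, "<constructed persona assertion>")
```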
I can repro too.

STR:

1) Open private browsing mode (to ensure no existing cookies set)
2) Try to log into Treeherder prod using persona (in my case with a moco email)

-> Not logged in, and 403s shown in console.

Guessing due to bug 1159167.
Priority: -- → P1
Created attachment 8651880 [details] [review] PR 902
Assignee: nobody → mdoglio
Status: NEW → ASSIGNED
Attachment #8651880 - Flags: review?(emorley)
Comment on attachment 8651880 [details] [review] PR 902 Thank you :-)
Attachment #8651880 - Flags: review?(emorley) → review+
Commit pushed to master at https://github.com/mozilla/treeherder https://github.com/mozilla/treeherder/commit/7af7496b18bf916bbacc51b1ead29c0daf9aa7b8 Bug 1197550 - Fix csrf token validation on first persona login
Seems to be working fine now on stage post-push. I can login/out using Persona-gmail fine with Nightly and Chrome.
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED