Closed Bug 1319450 Opened 9 years ago Closed 9 years ago

[stage] User is automatically logged in with LDAP account when trying to log in with email

Categories

(Participation Infrastructure :: Phonebook, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: viorela.ioia, Unassigned)

References

Details

Tested using:
OS: Windows 7, Ubuntu 16.04
Browsers: FF50, Firefox Nightly

STR:
1. Log in to https://mozillians.allizom.org with a valid LDAP account;
2. Logout;
3. Click Sign in button on homepage;
4. Select the option to log in with email (not LDAP);
5. Enter a valid email address (gmail, yahoo);
6. Click Send Email button.

Expected: Passwordless confirmation message is displayed: "We sent you a link to sign in. Please check your e-mail and open the provided link in this web browser."

Actual: Passwordless confirmation message is displayed for 2 seconds, then the user is automatically logged in with LDAP account and redirected to homepage.

Note: Issue is not reproducible in Chrome.
Hi, Do you use Firefox Nightly as your default browser?
I'm realizing my comment 1 might be confusing, here's some context: I'm wondering if you usually use Firefox Nightly (default browser), ran into this issue, then tested with Firefox release/50 with the same profile and reproduced the issue. I have a profile that reproduces the same behavior, which I believe is somehow caused by Firefox Nightly (though this is currently just a guess and I may be wrong) Thanks!
You may disregard comment 1 and comment 2 as I finally could reproduce this.

1) User logs in via LDAP using a correct login/password and saves their password with the Firefox password manager (or a similar password manager)
2) User logs out
3) User logs back in and clicks "login via email". Firefox will fill in the login/password automatically - this is invisible to the user because the form inputs are hidden (CSS "display: none")
4) User fills in email and submits the form; the login panel will both do a call to the passwordless API *and* to the usernamepassword API with the prefilled login/password (which are valid)
5) usernamepassword API responds login ok with a new session cookie and redirects the user as logged in
5bis) passwordless API sends an email to the user, though the user is already logged in at that point, using the saved LDAP login/password

Possible solutions that I can think of:
- Do not autofill hidden forms in Firefox or other login managers (or any input with autocomplete=off for example)
- Change the lock behavior (including never calling both usernamepassword and passwordless APIs)

Temporary work-around for comment 0: Remove the saved password from your password manager or disable autofill.
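The sequence described in the comment above, as an added example that is not code from the Mozillians login panel, Auth0 Lock or the auth0-deploy fix. It models the client side only: a plain object stands in for the form with its hidden LDAP inputs, a one-line "password manager" autofills them regardless of visibility, and a fake API records which endpoints get called. The endpoint names `usernamepassword` and `passwordless` come from the comment; the credentials, email address and session value are constructed sample data. `submitVulnerable` submits whatever fields carry values and so fires both calls; `submitFixed` dispatches only on the mode the user selected and never reads the other mode's fields, so stale autofilled values cannot trigger a second login.

```javascript
// Added example: models the double-login described in the bug, not the project's own code.
// Constructed sample credentials standing in for the saved LDAP login.
const LDAP_CREDS = { username: 'ldapuser', password: 'hunter2' };

// Fake stand-in for the two auth endpoints; records every call it receives.
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    usernamepassword(creds) {
      calls.push({ endpoint: 'usernamepassword', creds });
      // Valid saved credentials => immediate session, exactly what step 5 describes.
      const ok = creds.username === LDAP_CREDS.username &&
                 creds.password === LDAP_CREDS.password;
      return ok ? { session: 'sess-ldap-' + creds.username } : null;
    },
    passwordless(email) {
      calls.push({ endpoint: 'passwordless', email });
      return { emailSent: true };
    },
  };
}

// Password-manager autofill: fills the saved login even though the inputs are display:none.
function autofill(form, saved) {
  form.username = saved.username;
  form.password = saved.password;
  return form;
}

// Vulnerable panel: submits every field that has a value, so the hidden, prefilled
// LDAP inputs trigger a usernamepassword login alongside the passwordless request.
function submitVulnerable(form, api) {
  const results = {};
  if (form.email) {
    results.passwordless = api.passwordless(form.email);
  }
  if (form.username && form.password) {
    results.usernamepassword = api.usernamepassword({
      username: form.username, password: form.password,
    });
  }
  return results;
}

// Fixed panel: one call, chosen by the selected mode; fields of the other mode are ignored.
function submitFixed(form, api) {
  if (form.mode === 'email') {
    return { passwordless: api.passwordless(form.email) };
  }
  if (form.mode === 'ldap') {
    return {
      usernamepassword: api.usernamepassword({
        username: form.username, password: form.password,
      }),
    };
  }
  throw new Error('unknown login mode: ' + form.mode);
}

// Runs the STR from the bug against a given submit implementation and reports
// which endpoints were hit and what the panel got back.
function scenario(submit) {
  const api = makeFakeApi();
  const form = autofill(
    { mode: 'email', email: 'user@example.com', username: '', password: '' },
    LDAP_CREDS,
  );
  const result = submit(form, api);
  return { endpointsCalled: api.calls.map((c) => c.endpoint), result };
}

console.log(JSON.stringify(scenario(submitVulnerable)));
console.log(JSON.stringify(scenario(submitFixed)));
```

With the vulnerable submit the email flow still sends the link, but the LDAP session comes back in the same submit and wins, which is the two-second flash of the confirmation message followed by an LDAP-authenticated redirect. Dispatching on the selected mode is the client-side counterpart of the second proposed fix; marking the hidden inputs `autocomplete="off"` is a defence-in-depth measure on top of it, since browsers are not obliged to honour it.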
viorela, this should now be fixed in dev ( https://github.com/mozilla-iam/auth0-deploy/issues/52 ). Feel free to re-open this issue if you still encounter the problem.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED