Closed
Bug 1477163
Opened 7 years ago
Closed 7 years ago
REST API authentication fails with X-Bugzilla-Token header
Categories: bugzilla.mozilla.org :: API, defect
Status: RESOLVED INVALID
People: Reporter: kohei, Assigned: kohei
Attachments: 1 obsolete file
REST API with `X-Bugzilla-API-Key` HTTP header: OK
REST API with `X-Bugzilla-Token` HTTP header: *NG*
REST API with `Bugzilla_api_key` param: OK
REST API with `Bugzilla_api_token` param: OK
JSON-RPC API with `X-Bugzilla-API-Key` HTTP header: OK
JSON-RPC API with `X-Bugzilla-Token` HTTP header: OK
JSON-RPC API with `Bugzilla_api_key` param: OK
JSON-RPC API with `Bugzilla_api_token` param: OK
Comment 1•7 years ago
On most accounts, API token will only work if cookies are also sent.
Comment 2•7 years ago
I think I’ve found the culprit: https://github.com/mozilla-bteam/bmo/blob/master/Bugzilla/Auth/Login/Cookie.pm#L57-L77
Assignee: nobody → kohei.yoshino
Status: NEW → ASSIGNED
Comment 3•7 years ago
Which fixes a security bug.
Here's what we should actually do (in about that place): trust cookies for API calls if a custom header is set and the Origin header is valid.
Comment 4•7 years ago
Maybe I shouldn’t touch this stuff 😉
Basically removing the `elsif` clause solves the issue: trust cookies for REST API calls just like JSON-RPC.
There are too many authentication methods... Should we remove the token support in favour of cookies?
Comment 5•7 years ago
Some context in Bug 1139257.
If we fix the issue straightforwardly, these 2 lines have to be altered to check the header as well:
```perl
if (exists Bugzilla->input_params->{Bugzilla_api_token}) {
my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
```
Comment 6•7 years ago
(In reply to Kohei Yoshino [:kohei] from comment #4)
> Maybe I shouldn’t touch this stuff 😉
>
> Basically removing the `elsif` clause solves the issue: trust cookies for
> REST API calls just like JSON-RPC.
>
> There are too many authentication methods... Should we remove the token
> support in favour of cookies?
The landscape changed a bit with SameSite cookies too... I'll tell you what, I'll fix this so that the REST API just uses cookies + the current recommendations for preventing request forgery.
Assignee: kohei.yoshino → dylan
Comment 7•7 years ago
Bug 1380437 should be solved first so the `Bugzilla_api_token` param can be removed easily from JavaScript at one place.
Updated•7 years ago
Summary: REST API authentication fails with X-Bugzilla-Token header → Remove REST API token authentication (Bugzilla_api_token URL query param) to simply trust login cookies
Comment 8•7 years ago
I thought tokens had been used only on this site, but just realized it was available via the API [1]. In that case, I assume we can’t remove the support now. Deprecating it is fine though. Maybe we should fix the original issue I reported so the X-Bugzilla-Token HTTP request header works as expected, as said in Comment 5.
[1] https://bmo.readthedocs.io/en/latest/api/core/v1/user.html
Comment 9•7 years ago
Also, an interesting fact is, according to the document, the official query param name is not `Bugzilla_api_token` used on Bugzilla but `Bugzilla_token` or `token`. Both don’t work.
https://bmo.readthedocs.io/en/latest/api/core/v1/general.html#authentication
Comment 10•7 years ago
Reverting the summary and adding the facts mentioned in my Comment 9.
Summary: Remove REST API token authentication (Bugzilla_api_token URL query param) to simply trust login cookies → REST API authentication fails with X-Bugzilla-Token header or token/Bugzilla_token query param
Comment 11•7 years ago
Sent a PR to solve the original issue.
Assignee: dylan → kohei.yoshino
Comment 12•7 years ago
Hmm, `token` and `Bugzilla_token` query params are somewhat different, so the tests are failing. I’m just fixing the header issue then.
Summary: REST API authentication fails with X-Bugzilla-Token header or token/Bugzilla_token query param → REST API authentication fails with X-Bugzilla-Token header
Comment 13•7 years ago
Then the `X-Bugzilla-Token` header is also different.
The token returned by `/rest/login` is Bugzilla_login + Bugzilla_logincookie:
https://github.com/mozilla-bteam/bmo/blob/master/Bugzilla/WebService/User.pm#L472
It's called _login_ token, not an API token :(
https://github.com/mozilla-bteam/bmo/blob/master/Bugzilla/Auth/Login/Cookie.pm#L146
In that case, this bug is INVALID. Or we could support a different header, like `X-Bugzilla-API-Token`.
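As an added example (editor's sketch, not bmo's own code), the following Perl script shows the credential precedence that comments 3, 5 and 13 circle around: an API key or API token taken from a header or a query param, and login cookies trusted only behind a CSRF guard (custom request header present plus an allowlisted Origin). Assumed names: the `X-Bugzilla-API-Token` header (comment 13 notes that `X-Bugzilla-Token` carries a login token, so a distinct name is hypothetical here), `X-Requested-With` as the custom header, and the request/cookie hashes, which are constructed inline.

```perl
#!/usr/bin/env perl
# Added example, not Bugzilla code. Resolves which credential an API
# request presents, in a fixed order, and refuses bare login cookies
# unless the request carries a CSRF guard.
use strict;
use warnings;
use 5.010;    # for the // (defined-or) operator

sub resolve_auth {
    my (%req) = @_;
    my $h = $req{headers} || {};
    my $p = $req{params}  || {};
    my $c = $req{cookies} || {};
    my %ok_origin = map { $_ => 1 } @{ $req{allowed_origins} || [] };

    # 1. API key: header first, then the query param (both work today).
    my $api_key = $h->{'X-Bugzilla-API-Key'} // $p->{Bugzilla_api_key};
    return { method => 'api_key', secret => $api_key } if defined $api_key;

    # 2. API token: comment 5's fix, consulting a header as well as the param.
    #    The header name is hypothetical; X-Bugzilla-Token is a login token.
    my $api_token = $h->{'X-Bugzilla-API-Token'} // $p->{Bugzilla_api_token};
    return { method => 'api_token', secret => $api_token } if defined $api_token;

    # 3. Login cookies: trust them only when the request cannot be a simple
    #    cross-site forgery (comment 3): a custom header is present, which a
    #    cross-origin caller could only send after a CORS preflight, and the
    #    Origin header is on the allowlist. Otherwise reject explicitly
    #    instead of silently falling through to an anonymous request.
    if (defined $c->{Bugzilla_login} && defined $c->{Bugzilla_logincookie}) {
        my $origin = $h->{Origin};
        if (exists $h->{'X-Requested-With'} && defined $origin && $ok_origin{$origin}) {
            return { method => 'cookie', user => $c->{Bugzilla_login} };
        }
        return { method => 'rejected', reason => 'login cookies without CSRF guard' };
    }

    return { method => 'anonymous' };
}

# Constructed sample requests (no network, no real credentials).
my @allowed = ('https://bugzilla.mozilla.org');
my %cookies = ( Bugzilla_login => 42, Bugzilla_logincookie => 'c1' );
my @cases = (
    [ 'api key header'     => { headers => { 'X-Bugzilla-API-Key' => 'k1' } } ],
    [ 'api token param'    => { params  => { Bugzilla_api_token => 't1' } } ],
    [ 'cookie + guard'     => { headers => { 'X-Requested-With' => 'XMLHttpRequest',
                                             Origin => 'https://bugzilla.mozilla.org' },
                                cookies => \%cookies } ],
    [ 'cookie, bad origin' => { headers => { 'X-Requested-With' => 'XMLHttpRequest',
                                             Origin => 'https://evil.example' },
                                cookies => \%cookies } ],
    [ 'cookie, no header'  => { cookies => \%cookies } ],
    [ 'nothing'            => {} ],
);
for my $case (@cases) {
    my ($name, $req) = @$case;
    my $r = resolve_auth(%$req, allowed_origins => \@allowed);
    printf "%-20s -> %s%s\n", $name, $r->{method},
        $r->{reason} ? " ($r->{reason})" : '';
}
```

The ordering matters: an explicit API key or token is a deliberate, non-ambient credential and wins, while cookies are ambient and only count when the request shape rules out cross-site forgery. SameSite cookies (comment 6) are a second, browser-side layer on top of this server-side check, not a replacement for it.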
Comment 14•7 years ago
Let’s revisit the auth methods while designing REST API v2.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated•7 years ago
Attachment #8996521 - Attachment is obsolete: true
Updated•6 years ago
Type: enhancement → defect