Open Bug 1670418 Opened 4 years ago Updated 1 year ago

For CalDAV calendar setup, TB does not prompt for authentication in spite of unchecked option `This location does not require credentials`. Should not require 401 to prompt.

Categories

(Calendar :: Provider: CalDAV, defect)

Thunderbird 82
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: dpa-mozilla, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0

Steps to reproduce:

In TB 82b02 I click "+ add calendars", enter aaa@bapha.be as username and https://aaa.bapha.be as server, and leave 'This location does not require credentials' unticked (so it does require credentials). Then I click 'Find Calendars'. TB does not ask me for a password, TB does not authenticate voluntarily, the server does not ask for a password, and TB discovers the calendars for the anonymous user.

In this particular case, the anonymous user has two calendar-home-sets, but the authenticated user has one. When TB sees two calendar-home-sets during discovery, as described at https://bugzilla.mozilla.org/show_bug.cgi?id=1670415, TB finds nothing.

Actual results:

TB finds the principal-url of the anonymous (unauthenticated) user.

Expected results:

When “This location does not require credentials” is not ticked, TB must authenticate.

The caldav server is entitled to provide valid, albeit distinct, answers to authenticated and unauthenticated users.

Reporter, can you reproduce this issue with the latest Thunderbird 91 beta?

Flags: needinfo?(dpa-mozilla)

TB91b5 still does not ask for a password when the location requires credentials. In fact the dialog text "requires credentials" is misleading: the server does not require credentials, but returns totally different results when credentials are present vs. absent.

Flags: needinfo?(dpa-mozilla)

Geoff, does the behavior described in this bug report sound familiar to you after having fixed bug 1720862, which for me sounds kind of related?

Flags: needinfo?(geoff)

Bug 1720862 is about prompting for password. This bug is in the first place about not prompting for password.

If the server does not return an HTTP 401 response, we won't ask for credentials. I have no intention of changing that.

However, you are right that the "this location doesn't require credentials" text is a bit odd. I never quite understood what purpose it serves or why it's not next to the user name field.

Flags: needinfo?(geoff)

Exposing public data over CalDAV or CardDAV, data which is also available on the web as HTML in a non-standard format, is valid. To expose such data over CalDAV or CardDAV no password is necessary, as the data is public anyway. E.g. https://my.aegee.eu/bodies contains contact data, and the CardDAV server mail.aegee.org exposes the same data over CardDAV without requiring a username/password. To be precise, for clients which insist on a username to complete the setup, anonymous@aegee.org with any password can be provided.

After authentication the server may expose more data over CardDAV, data which is visible at https://my.aegee.eu/bodies after authentication.

The same applies also for calendars. The CalDAV server exposes the events visible at https://my.aegee.eu/calendar without authentication, but if the user authenticates, the server exposes more calendars over CalDAV.

In these legitimate use-cases the server is never supposed to return 401 when no username is provided. Even if the server exposes a bootstrap URL, k.bapha.be, where the server returns 401 on unauthenticated requests, Thunderbird ignores the bootstrap URL during calendar setup when the user provides aaa@bapha.be as username and k.bapha.be as server. During the initial account setup, TB does not even use the domain of the provided username, but the domain of the IMAP/SMTP mail server, so the user gets the public calendars for a different domain.

The criterion for whether the user agent shall authenticate is, first of all, whether the user has instructed the user agent to authenticate. If the user has not instructed the user agent to authenticate, but the server returns 401, the user agent shall authenticate too.

Please reconsider the logic of whether to authenticate in the case where the user wants to authenticate and the server does not return 401.

The Evolution and DavX⁵ user agents also ask the user whether they want to authenticate.

If the user wants to authenticate, Evolution and DavX⁵ do authenticate, even if the server has not returned 401.

In its user interface for the account setup DavX⁵ asks either for:

  • email address and password, and optionally a bootstrap URL, or
  • bootstrap URL, and optionally username/password.

If the user provides a password, DavX⁵ does authenticate; if the user provides no password, DavX⁵ does not authenticate.
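The two policies argued about in this bug (authenticate only after a 401, versus authenticate preemptively whenever the user supplied credentials) can be shown side by side against a simulated server that answers both anonymous and authenticated discovery requests with 207 but returns different principals. This is an added example written for this page, not Thunderbird, Evolution or DavX⁵ code; the server function, the hostname `caldav.example.invalid`, the user `aaa@example.invalid`, the principal paths and the `require_auth` bootstrap flag are all constructed for illustration.

```python
"""Added example: reactive vs. preemptive authentication during CalDAV discovery.

The simulated server below behaves like the one described in the bug: an anonymous
PROPFIND succeeds (207) and yields the anonymous principal; an authenticated PROPFIND
also succeeds but yields the user's own principal. Only the optional bootstrap mode
(require_auth=True) answers unauthenticated requests with 401.
All hostnames, users and paths are constructed, not real.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed credential store for the simulated server.
USERS: Dict[str, str] = {"aaa@example.invalid": "secret"}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    principal: Optional[str] = None  # DAV:current-user-principal, if any


def fake_server(url: str, headers: Dict[str, str], require_auth: bool = False) -> Response:
    """Simulated CalDAV endpoint. Valid Basic credentials select the user's principal;
    otherwise the anonymous principal is returned, unless require_auth forces a 401."""
    user = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            name, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            name = password = None
        if name is not None and USERS.get(name) == password:
            user = name
    if user is None:
        if require_auth:
            return Response(401, {"WWW-Authenticate": 'Basic realm="caldav"'})
        return Response(207, principal="/principals/anonymous/")
    return Response(207, principal="/principals/%s/" % user)


def basic_header(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def discover_reactive(url: str, user: Optional[str], password: Optional[str],
                      require_auth: bool = False) -> Optional[str]:
    """Policy described in the comment above: send anonymously first and only
    attach credentials after the server answered 401."""
    resp = fake_server(url, {}, require_auth)
    if resp.status == 401 and user and password:
        resp = fake_server(url, basic_header(user, password), require_auth)
    return resp.principal if resp.status == 207 else None


def discover_preemptive(url: str, user: Optional[str], password: Optional[str],
                        require_auth: bool = False) -> Optional[str]:
    """Policy the reporter asks for: if the user supplied credentials, send them on the
    first request; without credentials fall back to the reactive policy. Credentials
    are only sent preemptively over https, since Basic auth is plaintext otherwise."""
    if user and password and urlsplit(url).scheme == "https":
        resp = fake_server(url, basic_header(user, password), require_auth)
        return resp.principal if resp.status == 207 else None
    return discover_reactive(url, user, password, require_auth)


if __name__ == "__main__":
    url = "https://caldav.example.invalid/.well-known/caldav"
    print("reactive:  ", discover_reactive(url, "aaa@example.invalid", "secret"))
    print("preemptive:", discover_preemptive(url, "aaa@example.invalid", "secret"))
```

With the reporter's scenario (server answers 207 to everyone) the reactive policy never sends the password and discovers `/principals/anonymous/`, while the preemptive policy discovers the user's own principal; with the bootstrap-style server (`require_auth=True`) both policies end up authenticated, which is why the disagreement only shows on servers that serve a valid anonymous view.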

See Also: → 1720086
See Also: → 1670415, 1581321
Severity: -- → S3
Summary: User name not sent → For CalDAV calendar setup, TB does not prompt for authentication in spite of unchecked option `This location does not require credentials`. Should not require 401 to prompt.