Closed Bug 1678134 Opened 3 years ago Closed 3 years ago

`install-certificate` should use the provided token prior to saving (to verify, and to prevent it from expirying)

Categories

(Conduit :: moz-phab, defect)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kats, Assigned: glob)

Details

Attachments

(1 file)

On a fresh system, if you run moz-phab install-certificate to get a conduit token, it takes you to https://phabricator.services.mozilla.com/conduit/login and (after logging in) gives you a CLI token. The page that gives you the CLI token has the token, and it says "copy/paste this token blah blah blah" and then at the bottom there's a "Cancel" button.

If you just paste the token into moz-phab and close the browser window, the token doesn't actually get saved into phabricator, and you don't see it in the list at Settings -> Conduit API Tokens. You have to click the "Cancel" button on the /login page in order for it to actually be saved. This is quite counterintuitive since I would expect "Cancel" to cancel the token and abort the process, but it in fact does the opposite.

Clicking cancel has never been a required step – the token is generated and saved prior to the page being displayed.

I just ran through the process a couple of different ways and the token generated by that page was always immediately available without any further action.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME

Ah.

I suspect what happened is tokens generated via that page initially are set to expire in one hour (something I wasn't aware of until just now!).
The first time the token is used it is updated to never expire.

moz-phab should use the token when it is provided as part of the install-certificate command; that will provide a sanity check as well as clearing the expiration date.

Status: RESOLVED → REOPENED
Component: Phabricator → moz-phab
Resolution: WORKSFORME → ---
Summary: Generating a conduit token from moz-phab has confusing UX → `install-certificate` should use the provided token prior to saving (to verify, and to prevent it from expirying)

Verifying the api token not only ensures that the provided token is
valid, it also clears the default expiration date that Phabricator sets
on all new unused tokens.

Assignee: nobody → glob

When you tested, did you see the token appear in the list when you go to the Phabricator Settings -> Conduit API tokens immediately after it was created? Even if it's a one-hour token I would have expected to see it in the list there but I did not.

Hm, weird. If I try to repro the STR now I do see the 1-hour token in the list. Maybe user error on my part there.

Status: REOPENED → RESOLVED
Closed: 3 years ago3 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: