`install-certificate` should use the provided token prior to saving (to verify, and to prevent it from expiring)
Categories
(Conduit :: moz-phab, defect)
Tracking
(Not tracked)
People
(Reporter: kats, Assigned: glob)
Details
Attachments
(1 file)
On a fresh system, if you run `moz-phab install-certificate` to get a conduit token, it takes you to https://phabricator.services.mozilla.com/conduit/login and (after logging in) gives you a CLI token. The page that gives you the CLI token has the token, and it says "copy/paste this token blah blah blah" and then at the bottom there's a "Cancel" button.
If you just paste the token into moz-phab and close the browser window, the token doesn't actually get saved into phabricator, and you don't see it in the list at Settings -> Conduit API Tokens. You have to click the "Cancel" button on the /login page in order for it to actually be saved. This is quite counterintuitive since I would expect "Cancel" to cancel the token and abort the process, but it in fact does the opposite.
Clicking cancel has never been a required step – the token is generated and saved prior to the page being displayed.
I just ran through the process a couple of different ways and the token generated by that page was always immediately available without any further action.
Ah.
I suspect what happened is tokens generated via that page initially are set to expire in one hour (something I wasn't aware of until just now!).
The first time the token is used it is updated to never expire.
moz-phab should use the token when it is provided as part of the `install-certificate` command; that will provide a sanity check as well as clearing the expiration date.
Verifying the api token not only ensures that the provided token is
valid, it also clears the default expiration date that Phabricator sets
on all new unused tokens.
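A sketch of the verify-before-save flow described above, as an added example that is not moz-phab's actual patch: the token is used once against Conduit, which per this thread is what clears the one-hour expiry, and it is written to disk only if that call succeeds. The choice of `user.whoami` as the verification call, the arcrc-style file layout, and the injectable `call` parameter are assumptions of this example.

```python
import json
import os
import urllib.parse
import urllib.request

API_URL = "https://phabricator.services.mozilla.com/api/"  # host from the bug report


def conduit_call(api_url, method, token):
    """POST one Conduit method call authenticated with api.token; return parsed JSON."""
    data = urllib.parse.urlencode({"api.token": token}).encode()
    with urllib.request.urlopen(api_url + method, data=data, timeout=30) as resp:
        return json.load(resp)


def install_certificate(token, arcrc_path, api_url=API_URL, call=conduit_call):
    """Use the token once (user.whoami), then save it; refuse to save on failure.

    Returns the userName Phabricator reports for the token.
    """
    reply = call(api_url, "user.whoami", token)
    if reply.get("error_code"):
        # Nothing is written for a mistyped, revoked or already-expired token.
        raise ValueError("token rejected: %s" % reply.get("error_info"))

    # Merge into any existing file rather than clobbering other hosts.
    config = {}
    if os.path.exists(arcrc_path):
        with open(arcrc_path) as f:
            config = json.load(f)
    config.setdefault("hosts", {})[api_url] = {"token": token}

    # Create with 0600 so the credential is never world-readable.
    fd = os.open(arcrc_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)
    os.chmod(arcrc_path, 0o600)  # also tighten a pre-existing file
    return reply["result"]["userName"]
```

Passing a stub as `call` lets the flow be exercised without contacting Phabricator.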
Comment 4 (Reporter) • 3 years ago
When you tested, did you see the token appear in the list when you go to the Phabricator Settings -> Conduit API tokens immediately after it was created? Even if it's a one-hour token I would have expected to see it in the list there but I did not.
Comment 5 (Reporter) • 3 years ago
Hm, weird. If I try to repro the STR now I do see the 1-hour token in the list. Maybe user error on my part there.