Closed Bug 1696781 Opened 3 years ago Closed 3 years ago

Account creation redirects to login

Categories

(bugzilla.mozilla.org :: General, defect)

RESOLVED FIXED

People

(Reporter: ekr, Assigned: arai)

Attachments

(1 file)

STR: go to https://bugzilla.mozilla.org/createaccount.cgi
Expected result: UI to create account
Actual result: bounced to https://bugzilla.mozilla.org/login

I am unable to reproduce this. Have you tried clearing all cookies related to bugzilla.mozilla.org? What is the browser/version that this is happening on?

Flags: needinfo?(ekr)

I saw multiple people having this issue these days.

The steps they took were:

  1. Load https://bugzilla.mozilla.org/login page
  2. Click "New Account" button at the top of the page

Actual result:
It redirects to https://bugzilla.mozilla.org/login

And the solutions they took were either:

  • a) Do the same thing in private window
  • b) Remove cookie

So, I guess in certain situations, an unexpected cookie is created and it affects how the https://bugzilla.mozilla.org/createaccount.cgi URL or page acts.

So far, what I found is this:

If $session->{override_login_target} is somehow set to "login" below, the behavior is reproducible.
https://github.com/mozilla-bteam/bmo/blob/11d14950157c202c87551e3f48c22d4b6b422197/Bugzilla.pm#L391-L398

  my $C = Bugzilla->request_cache->{mojo_controller};
  my $session = $C->session;
  if (!$on_token_page && $session->{override_login_target}) {
    my $override_login_target = delete $session->{override_login_target};
    my $cgi_params            = delete $session->{cgi_params};
    my $mojo_url              = Mojo::URL->new($override_login_target);
    $mojo_url->query($cgi_params);
    $C->redirect_to($mojo_url);
  }

This is due to OAuth2 module behaving unexpectedly.

This happens in the following STR:

  1. Start up Firefox with a clean profile, to make sure there are no cookies
  2. Load https://phabricator.services.mozilla.com/conduit/login/
  3. Click "Log In or Register BMO" button shown in the page
  4. It jumps to https://bugzilla.mozilla.org/oauth/authorize?client_id=***&scope=user%3Aread&redirect_uri=https%3A%2F%2Fphabricator.services.mozilla.com%2Fauth%2Flogin%2Fbmo%3Abugzilla.mozilla.org%2F&state=***&response_type=code page, and it redirects to https://bugzilla.mozilla.org/login
  5. Click "New Account" button at the top of the page

This happens while following https://firefox-source-docs.mozilla.org/setup/windows_build.html
If the newcomer runs bootstrap.py, it asks for a Phabricator token, providing the https://phabricator.services.mozilla.com/conduit/login/ URL.
We don't ask newcomers to create a Bugzilla account before that point, so usually they don't have a Bugzilla account, and they need to click the "New Account" button at step 5.

Actual result:

  1. It goes to https://bugzilla.mozilla.org/createaccount.cgi
  2. It redirects to https://bugzilla.mozilla.org/oauth/authorize?client_id=***&redirect_uri=https%3A%2F%2Fphabricator.services.mozilla.com%2Fauth%2Flogin%2Fbmo%3Abugzilla.mozilla.org%2F&response_type=code&scope=user%3Aread&state=***
  3. It redirects to https://bugzilla.mozilla.org/login

So, I think somewhere in the steps, the following code is executed and $c->session->{override_login_target} is set to "login".

https://github.com/mozilla-bteam/bmo/blob/11d14950157c202c87551e3f48c22d4b6b422197/Bugzilla/App/Plugin/OAuth2.pm#L70

sub _resource_owner_logged_in {
  my (%args) = @_;
  my $c = $args{mojo_controller};

  $c->session->{override_login_target} = $c->url_for('current');

I guess we should disable the override behavior for new-account-related pages.

Flags: needinfo?(dkl)

I see that the redirect is disabled for the token.cgi page:

https://github.com/mozilla-bteam/bmo/blob/11d14950157c202c87551e3f48c22d4b6b422197/Bugzilla.pm#L393

sub login {
...
  my $cgi           = Bugzilla->cgi;
  my $script_name   = $cgi->script_name;
...
  my $on_token_page = $script_name eq '/token.cgi';
...
  if (!$on_token_page && $session->{override_login_target}) {
    my $override_login_target = delete $session->{override_login_target};
    my $cgi_params            = delete $session->{cgi_params};
    my $mojo_url              = Mojo::URL->new($override_login_target);
    $mojo_url->query($cgi_params);
    $C->redirect_to($mojo_url);
  }

that is used in the confirmation email:

https://github.com/mozilla-bteam/bmo/blob/11d14950157c202c87551e3f48c22d4b6b422197/template/en/default/account/email/request-new.txt.tmpl#L35

[%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=request_new_account

I guess doing the same for the createaccount.cgi script should solve the redirect issue, and newcomers can remain on the createaccount.cgi page.

But now I have another question: how does it go back to the OAuth2 process?
The page after entering the real name and password in token.cgi is also token.cgi, with the "The user account someone@somewhere has been created successfully." message on the Bugzilla main page.
So, the redirect is still disabled, and I think the newcomer will get stuck there.
(I haven't tested the integration, so it might behave differently though...)

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(ekr)
Flags: needinfo?(dkl)
Attached file GitHub Pull Request
Attachment #9245509 - Flags: review?(dkl)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Attachment #9245509 - Flags: review?(dkl)
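
A simplified model of the redirect decision discussed in the comments above, added here as an illustration; it is not BMO code and not the change in the attached pull request. The `%NO_OVERRIDE` list, `login_redirect`, `pending_session` and the sample target value are assumptions; plain hashes stand in for the Mojolicious session, and the `cgi_params` handling is left out.

```perl
#!/usr/bin/env perl
# Simplified model of the login() redirect decision discussed in this bug.
# Plain hashes stand in for the Mojolicious session; nothing here is BMO code.
use strict;
use warnings;

# Hypothetical exemption list: scripts that must render even while an
# OAuth2 login target is pending in the session.
my %NO_OVERRIDE = map { $_ => 1 } qw(/token.cgi /createaccount.cgi);

# Returns the URL to redirect to, or undef to let the requested page render.
sub login_redirect {
  my ($session, $script_name, $exempt) = @_;
  return if $exempt->{$script_name};
  return unless $session->{override_login_target};
  # Consume the target so it fires only once, as the quoted code does.
  return delete $session->{override_login_target};
}

# Constructed session state after the OAuth2 plugin has stored its target.
sub pending_session { return { override_login_target => '/oauth/authorize' } }

my @cases = (
  ['only token.cgi exempt',         { '/token.cgi' => 1 }],
  ['createaccount.cgi also exempt', \%NO_OVERRIDE],
);

for my $case (@cases) {
  my ($label, $exempt) = @$case;
  my $session = pending_session();    # fresh session for each scenario
  print "$label\n";
  for my $script ('/createaccount.cgi', '/token.cgi', '/index.cgi') {
    my $to = login_redirect($session, $script, $exempt);
    printf "  %-20s -> %s\n", $script,
      defined $to ? "redirect to $to" : 'render page';
  }
}
```

In this model an exempt page leaves `override_login_target` in the session, so the stored target is still consumed by the first non-exempt page that calls the check.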