Closed
Bug 274073
Opened 21 years ago
Closed 20 years ago
Authenticated RSS feed does not use authentication when displaying the message
Categories
(MailNews Core :: Feed Reader, defect)
Tracking
(Not tracked)
RESOLVED
EXPIRED
People
(Reporter: wstockal, Assigned: mscott)
Attachments
(1 file)
10.27 KB, text/plain
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Thunderbird version 1.0 (20041206)
I set up an authenticated RSS feed to a community in Live Journal. If I display
the message as "Simple HTML" I see the basic text of the posts to the community
(including the protected posts) but not the replies. If I change the view to
"Original HTML" I see all the public posts and their replies, but the private
posts return the error
<quote>
Error
You must be logged in to view this protected entry.
</quote>
Reproducible: Always
Steps to Reproduce:
1. If you don't already have one, create a Live Journal account.
2. Create a private post and post some replies to it.
3. Set up an RSS feed in Thunderbird using the feed URL
http://www.livejournal.com/users/[your user name]/data/rss?auth=digest
4. "Get messages for account" in the RSS feeds (you will have to authenticate).
5. View the RSS feed for the account using the "Original HTML" option on the
"View/Message Body As" menu option
Actual Results:
You will see the above noted error message.
Expected Results:
You should see the post and any responses to it.
Comment 1•21 years ago
This is a duplicate of bug 264482, but it is legitimate. The feed fails when <link> is absent or invalid in
a given item.
Comment 2•21 years ago (Reporter)
(In reply to comment #1)
I've looked at the other bug. It doesn't mention authentication at all. How is
this a duplicate?
Comment 3•21 years ago
(In reply to comment #2)
> I've looked at the other bug. It doesn't mention authentication at all. How is
> this a duplicate?
Oops, I got forwarded to this bug without noticing. The comment was supposed to go on bug 273834.
Sorry.
Comment 4•21 years ago
Well, I ended up here, so I figured I'd check this one out. The "Simple HTML" view only shows content
that comes in the feed. LJ only sends the original post and a link for the comments. Example:
<item>
<guid isPermaLink='true'>http://www.livejournal.com/users/franklinmint/892.html</guid>
<pubDate>Sun, 16 Jan 2005 23:52:46 GMT</pubDate>
<title>test of auth</title>
<link>http://www.livejournal.com/users/franklinmint/892.html</link>
<description>test of auth test test</description>
<comments>http://www.livejournal.com/users/franklinmint/892.html</comments>
</item>
Thunderbird will probably not be able to display comments in the Simple HTML view unless LJ starts
sending comments in the feed. If you have an RSS program that does this, tell us about it. Sorry.
Comment 5•21 years ago (Reporter)
Actually, my point here was that when retrieving the "Original HTML" for the
page, Thunderbird doesn't send the authentication credentials. I think it should.
Comment 6•21 years ago
Ah, I understand now. I've traced a session dealing with this issue. First off, Thunderbird doesn't send
the digest credentials with the request to the HTML page. This is correct behavior, because LJ does not
include a "domain" field in its WWW-Authenticate header. If, for example, LJ included a domain field of
"/users/username/", then Thunderbird should send the creds to any request under that path.
However, there is a second issue here, which is that LJ repeatedly attempts to set a cookie. Many, many
sites do this, because checking digest credentials against an auth database is expensive. So, what they
do is issue a cookie with a relatively short expiration time that serves as an auth ticket. Even some
WebDAV servers do this.
Now the question is whether Thunderbird should save cookies. I agree with William. It should.
--- begin header ---
Source: 192.168.000.003 : 54062 (-unknown-)
Destination: 066.150.015.150 : 80 (livejournal.com)
GET /users/franklinmint/data/rss?auth=digest HTTP/1.1
Host: www.livejournal.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041206
Thunderbird/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/
png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Digest username="franklinmint", realm="lj", nonce="c0:1106002800:1087:180:
byPM4DfnfqLjukOwUdG7:0288494b9e74dd8884dce2e547239c72", uri="/users/franklinmint/data/rss?
auth=digest", algorithm=MD5, response="6692dda1bf19087687d5f9cef104fc15", qop=auth,
nc=00000002, cnonce="9eec43761510a096"
Pragma: no-cache
Cache-Control: no-cache
---- end header ----
---- begin body ----
----- end body -----
--- begin header ---
From request: GET /users/franklinmint/data/rss?auth=digest HTTP/1.1
Source: 066.150.015.150 : 80 (livejournal.com)
Destination: 192.168.000.003 : 54062 (-unknown-)
HTTP/1.0 401 Authentication required
Date: Mon, 17 Jan 2005 23:21:39 GMT
Server: Apache
Set-Cookie: ljuniq=aI6fKt5y8Jm24Zj:1106004099; expires=Friday, 18-Mar-2005 23:21:39 GMT;
domain=.livejournal.com; path=/
WWW-Authenticate: Digest realm="lj", nonce="c0:1106002800:1299:180:Cvbhvew13jaKTJLhNhMj:
de4f8c442f3d5be709ca109a6975adb6", algorithm=MD5, qop="auth", stale="true"
Connection: close
Content-Type: text/html
---- end header ----
---- begin body ----
<b>Digest authentication failed.</b>
----- end body -----
--- begin header ---
Source: 192.168.000.003 : 54065 (-unknown-)
Destination: 066.150.015.150 : 80 (livejournal.com)
GET /users/franklinmint/data/rss?auth=digest HTTP/1.1
Host: www.livejournal.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041206
Thunderbird/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/
png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Digest username="franklinmint", realm="lj", nonce="c0:1106002800:1299:180:
Cvbhvew13jaKTJLhNhMj:de4f8c442f3d5be709ca109a6975adb6", uri="/users/franklinmint/data/rss?
auth=digest", algorithm=MD5, response="f8f08575436a9278d69e5455735b7ad7", qop=auth,
nc=00000001, cnonce="b642878a4233c70d"
Pragma: no-cache, no-cache
Cache-Control: no-cache, no-cache
---- end header ----
---- begin body ----
----- end body -----
--- begin header ---
From request: GET /users/franklinmint/data/rss?auth=digest HTTP/1.1
HTTP/1.0 200 OK
Date: Mon, 17 Jan 2005 23:21:40 GMT
Server: Apache
Set-Cookie: ljuniq=ZAJsQPFKauLP8Pd:1106004100; expires=Friday, 18-Mar-2005 23:21:40 GMT;
domain=.livejournal.com; path=/
Last-Modified: Sun, 16 Jan 2005 23:52:46 GMT
Cache-Control: private, proxy-revalidate
Content-Encoding: gzip
Vary: Accept-Encoding
Content-length: 529
Keep-Alive: timeout=30, max=100
Connection: keep-alive
Content-Type: text/xml; charset=utf-8
---- end header ----
---- begin body ----
...
----- end body -----
--- begin header ---
GET /users/franklinmint/892.html HTTP/1.1
Host: www.livejournal.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.5) Gecko/20041206
Thunderbird/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/
png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-None-Match: "90f36de9e5401074a0dc15d45c627fa2"
---- end header ----
---- begin body ----
----- end body -----
--- begin header ---
From request: GET /users/franklinmint/892.html HTTP/1.1
Source: 066.150.015.150 : 80 (livejournal.com)
Destination: 192.168.000.003 : 54065 (-unknown-)
HTTP/1.0 200 OK
Date: Mon, 17 Jan 2005 23:21:48 GMT
Server: Apache
Set-Cookie: ljuniq=rSpKI7O0CttfJzL:1106004108; expires=Friday, 18-Mar-2005 23:21:48 GMT;
domain=.livejournal.com; path=/
Cache-Control: private, proxy-revalidate
ETag: "7b0a1571d14f52e64cad14abd7d8383b"
Content-Encoding: gzip
Vary: Accept-Encoding
Content-length: 2372
Keep-Alive: timeout=30, max=100
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Content-Language: en
---- end header ----
---- begin body ----
...
----- end body -----
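An added example (not part of the bug thread and not Thunderbird code): a small audit over an abridged copy of the trace in comment 6 that reports, for each request, whether an Authorization header was sent and which cookies set by earlier responses were not returned. The `>`/`<` direction prefixes and the function names are assumptions, and the cookie domain/path matching is simplified.

```python
# Abridged from comment 6's trace; the ">"/"<" direction prefixes are an assumed notation.
TRACE = """\
> GET /users/franklinmint/data/rss?auth=digest HTTP/1.1
> Host: www.livejournal.com
> Authorization: Digest username="franklinmint", realm="lj", nc=00000002
< HTTP/1.0 401 Authentication required
< Set-Cookie: ljuniq=aI6fKt5y8Jm24Zj:1106004099; domain=.livejournal.com; path=/
> GET /users/franklinmint/data/rss?auth=digest HTTP/1.1
> Host: www.livejournal.com
> Authorization: Digest username="franklinmint", realm="lj", nc=00000001
< HTTP/1.0 200 OK
< Set-Cookie: ljuniq=ZAJsQPFKauLP8Pd:1106004100; domain=.livejournal.com; path=/
> GET /users/franklinmint/892.html HTTP/1.1
> Host: www.livejournal.com
< HTTP/1.0 200 OK
"""

def parse(trace):
    """Return messages as (direction, start_line, [(header_name, value), ...])."""
    msgs = []
    for line in trace.splitlines():
        direction, text = line[0], line[2:]
        if text.startswith(("GET ", "HTTP/")):
            msgs.append((direction, text, []))
        else:
            name, _, value = text.partition(":")
            msgs[-1][2].append((name.strip().lower(), value.strip()))
    return msgs

def cookie_applies(cookie, host, path):
    domain = cookie["domain"].lstrip(".")
    return (host == domain or host.endswith("." + domain)) and path.startswith(cookie["path"])

def audit(trace):
    """Per request: was Authorization sent, and which stored cookies were not returned?"""
    jar, findings, host = {}, [], None
    for direction, start, headers in parse(trace):
        hdrs = dict(headers)
        if direction == ">":
            host, path = hdrs["host"], start.split()[1]
            sent = {c.split("=")[0].strip() for c in hdrs.get("cookie", "").split(";") if c.strip()}
            due = sorted(n for n, c in jar.items() if cookie_applies(c, host, path) and n not in sent)
            findings.append({"path": path, "authorization": "authorization" in hdrs, "cookies_missing": due})
        for name, value in headers:
            if direction == "<" and name == "set-cookie":
                pair, *attrs = [p.strip() for p in value.split(";")]
                a = {k.lower(): v for k, v in (x.split("=", 1) for x in attrs if "=" in x)}
                jar[pair.split("=")[0]] = {"domain": a.get("domain", host), "path": a.get("path", "/")}
    return findings
```

On the abridged trace, `audit(TRACE)` reports the retried feed request and the request for 892.html as both lacking the `ljuniq` cookie, and only the latter as lacking an Authorization header.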
Comment 7•21 years ago (Assignee)
The cookie issue was just fixed on the trunk. If that's the only bug here, this
is a dupe of: Bug #275131
Comment 8•20 years ago
This is still busted because it seems Thunderbird is sending the wrong Cookie
back. The attached traffic log shows that LJ sent a "Set-Cookie" header twice,
but Thunderbird sent back some other value in "Cookie"...
Comment 9•20 years ago
This is an automated message, with ID "auto-resolve01".
This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.
While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.
If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.
The latest beta releases can be obtained from:
Firefox: http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey: http://www.mozilla.org/projects/seamonkey/
Comment 10•20 years ago
This bug has been automatically resolved after a period of inactivity (see above
comment). If anyone thinks this is incorrect, they should feel free to reopen it.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → EXPIRED