Bug 555451: Add support for single sign-on with BMO
Status: RESOLVED FIXED (opened 15 years ago, closed 15 years ago)
Categories: Webtools Graveyard :: BzAPI, enhancement
Tracking: Not tracked
People: Reporter: ehsan.akhgari, Assigned: gerv
I was planning on using the REST API in my Bugzilla Tweaks jetpack, but couldn't do so, because the api-dev.b.m.o host does not accept the authentication cookie set by BMO (Bugzilla_login and Bugzilla_logincookie cookies).
It would be extremely helpful if the API host accepted those cookies as authentication tokens. Without that, I would need to ask users for their login information every time in my Jetpack, which is impractical.
Comment 1 (Assignee) • 15 years ago
I started implementing support for this, but then stopped because the Bugzilla login cookies are marked as HTTP-only, and so I couldn't see a way for in-page JavaScript to get the cookie value. Does Jetpack have that ability?
Gerv
Comment 2 (Reporter) • 15 years ago
(In reply to comment #1)
> I started implementing support for this, but then stopped because the Bugzilla
> login cookies are marked as HTTP-only, and so I couldn't see a way for in-page
> JavaScript to get the cookie value. Does Jetpack have that ability?
I guess so. At worst, we can query the cookie manager service for that.
*But*, if a cookie is set for bugzilla.mozilla.org, shouldn't it also be sent for api-dev.bugzilla.mozilla.org? I mean, I would very much rather a solution which can be used using simple XHR on pages, especially now that the API supports jsonp.
Comment 3 (Assignee) • 15 years ago
(In reply to comment #2)
> *But*, if a cookie is set for bugzilla.mozilla.org, shouldn't it also be sent
> for api-dev.bugzilla.mozilla.org?
No; Bugzilla is configured to only send its cookies back to the originating website. It's possible to change this, although see below for why we might well not do that.
> I mean, I would very much rather a solution
> which can be used using simple XHR on pages, especially now that the API
> supports jsonp.
The API will never support Bugzilla cookie-based auth on the same request as JSONP. To do so would be a security risk.
Hey, Ehsan, visit this web page:
<script>
  function doEvil(data) {
    // Send data to my server
  }
</script>
<script src="https://bugzilla.mozilla.org/bug?content-type=text/javascript&callback=doEvil&search=all-the-security-bugs-ehsan-can-see"></script>
Gerv
Comment 4 (Reporter) • 15 years ago
Yup, you're right. So I guess the method you mentioned in comment 1 is the way to go, right?
Comment 5 (Assignee) • 15 years ago
If you have a way of getting hold of the cookies because your code is privileged, then I can certainly enhance the API implementation to take those cookies in e.g. a Bugzilla_cookie parameter and pass them through. Can you confirm you do have such a way of getting the cookies?
Gerv
Comment 6 (Reporter) • 15 years ago
(In reply to comment #5)
> If you have a way of getting hold of the cookies because your code is
> privileged, then I can certainly enhance the API implementation to take those
> cookies in e.g. a Bugzilla_cookie parameter and pass them through. Can you
> confirm you do have such a way of getting the cookies?
Yes, I can access it using the cookie service, if needed.
Comment 7 (Assignee) • 15 years ago
OK, I've fixed this on the trunk. Look for it in the 0.6 release. It is documented here:
https://wiki.mozilla.org/Bugzilla:REST_API#Authentication
You need to use the URL parameters "userid" for the User ID (contents of the "Bugzilla_login" cookie) and "cookie" for the auth cookie (contents of the "Bugzilla_logincookie" cookie).
Note that you do _not_ use "username" and "cookie", you use "userid" (numeric) and "cookie".
Gerv
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
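A sketch of the rule from comment 3 combined with the parameters from comment 7, as an added example that is not part of the bug thread and not BzAPI's own code: the Cookie header is never used for authentication, and a request that carries a callback is only ever answered anonymously. The function names, the request object shape and the status codes are assumptions, and the credential values are constructed.

```javascript
// Added example, not BzAPI code. Requests are plain objects: { query, headers }.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/; // one bare identifier only

// Names of Bugzilla login cookies present in a Cookie header (the ambient credentials).
function ambientLoginCookies(header) {
  return String(header || '').split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter((name) => name === 'Bugzilla_login' || name === 'Bugzilla_logincookie');
}

// Decide how a request may be authenticated and in which format it is answered.
function planResponse(req) {
  const q = req.query || {};
  const ignored = ambientLoginCookies((req.headers || {}).cookie); // reported, never trusted
  const explicit = q.userid !== undefined || q.cookie !== undefined;

  if (q.callback !== undefined) {
    if (!CALLBACK_RE.test(q.callback)) return { status: 400, error: 'invalid callback name' };
    // A JSONP body is handed to whichever page included the script, so it
    // must never contain anything that depends on who the user is.
    if (explicit) return { status: 403, error: 'credentials not allowed with callback' };
    return { status: 200, format: 'jsonp', auth: 'anonymous', ignored };
  }
  if (!explicit) return { status: 200, format: 'json', auth: 'anonymous', ignored };
  // Explicit credentials: numeric "userid" plus "cookie", both required.
  if (!/^[0-9]+$/.test(String(q.userid)) || !q.cookie) {
    return { status: 400, error: 'userid (numeric) and cookie are both required' };
  }
  return { status: 200, format: 'json', auth: 'explicit', userid: Number(q.userid), ignored };
}

// Serialize the body for a plan; escape characters that could end a script block.
function render(plan, data, callback) {
  const json = JSON.stringify(data)
    .replace(/</g, '\\u003c').replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029');
  return plan.format === 'jsonp'
    ? { type: 'text/javascript', body: `${callback}(${json});` }
    : { type: 'application/json', body: json };
}

// Constructed requests: the cross-site include from comment 3, then comment 7's style.
const crossSite = planResponse({
  query: { callback: 'doEvil', search: 'x' },
  headers: { cookie: 'Bugzilla_login=1234; Bugzilla_logincookie=AbCdEf' },
});
const privileged = planResponse({ query: { userid: '1234', cookie: 'AbCdEf' }, headers: {} });
console.log(crossSite.auth, privileged.auth);
```

The cross-site request still gets a response, but only the anonymous view, because the login cookies the browser attached are listed in `ignored` and play no part in the decision.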
Comment 8 (Reporter) • 15 years ago
Great, thanks Gerv! Is there any tracking bug for the 0.6 release?
Comment 9 (Assignee) • 15 years ago
Comment 10 (Reporter) • 15 years ago
I have started to use this feature in my Bugzilla Tweaks jetpack:
http://hg.mozilla.org/users/jnightingale_mozilla.com/jetpacks/rev/9e7457da3a72
Thanks for providing this option!
Updated • 7 years ago
Product: Webtools → Webtools Graveyard