Closed Bug 555451 Opened 14 years ago Closed 14 years ago

Add support for single sign-on with BMO

Categories

(Webtools Graveyard :: BzAPI, enhancement)

x86
macOS
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ehsan.akhgari, Assigned: gerv)

Details

I was planning on using the REST API in my Bugzilla Tweaks jetpack, but couldn't do so, because the api-dev.b.m.o host does not accept the authentication cookie set by BMO (Bugzilla_login and Bugzilla_logincookie cookies).

It would be extremely helpful if the API host accept those cookies as authentication tokens.  Without that, I would need to ask users for their login information every time in my Jetpack, which is impractical.
I started implementing support for this, but then stopped because the Bugzilla login cookies are marked as HTTP-only, and so I couldn't see a way for in-page JavaScript to get the cookie value. Does Jetpack have that ability?

Gerv
(In reply to comment #1)
> I started implementing support for this, but then stopped because the Bugzilla
> login cookies are marked as HTTP-only, and so I couldn't see a way for in-page
> JavaScript to get the cookie value. Does Jetpack have that ability?

I guess so.  At worst, we can query the cookie manager service for that.

*But*, if a cookie is set for bugzilla.mozilla.org, shouldn't it also be sent for api-dev.bugzilla.mozilla.org?  I mean, I would very much rather a solution which can be used using simple XHR on pages, especially now that the API supports jsonp.
(In reply to comment #2)
> *But*, if a cookie is set for bugzilla.mozilla.org, shouldn't it also be sent
> for api-dev.bugzilla.mozilla.org?

No; Bugzilla is configured to only send its cookies back to the originating website. It's possible to change this, although see below for why we might well not do that.

> I mean, I would very much rather a solution
> which can be used using simple XHR on pages, especially now that the API
> supports jsonp.

The API will never support Bugzilla cookie-based auth on the same request as JSONP. To do so would be a security risk.

Hey, Ehsan, visit this web page:

<script>
  function doEvil(data) {
    // Send data to my server
  }
</script>

<script src="https://bugzilla.mozilla.org/bug?content-type=text/javascript&callback=doEvil&search=all-the-security-bugs-ehsan-can-see">
</script>

Gerv
Yup, you're right.  So I guess the method you mentioned in comment 1 is the way to go, right?
If you have a way of getting hold of the cookies because your code is privileged, then I can certainly enhance the API implementation to take those cookies in e.g. a Bugzilla_cookie parameter and pass them through. Can you confirm you do have such a way of getting the cookies?

Gerv
(In reply to comment #5)
> If you have a way of getting hold of the cookies because your code is
> privileged, then I can certainly enhance the API implementation to take those
> cookies in e.g. a Bugzilla_cookie parameter and pass them through. Can you
> confirm you do have such a way of getting the cookies?

Yes, I can access it using the cookie service, if needed.
OK, I've fixed this on the trunk. Look for it in the 0.6 release. It is documented here:
https://wiki.mozilla.org/Bugzilla:REST_API#Authentication

You need to use the URL parameters "userid" for the User ID (contents of the  "Bugzilla_login" cookie) and "cookie" for the auth cookie (contents of the "Bugzilla_logincookie" cookie).

Note that you do _not_ use "username" and "cookie", you use "userid" (numeric) and "cookie".

Gerv
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Great, thanks Gerv!  Is there any tracking bug for the 0.6 release?
I have started to use this feature in my Bugzilla Tweaks jetpack:

http://hg.mozilla.org/users/jnightingale_mozilla.com/jetpacks/rev/9e7457da3a72

Thanks for providing this option!
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.