Discovery Pane logged in mode not working in prod

RESOLVED FIXED in 5.12.3

Status

Product: addons.mozilla.org Graveyard
Component: Discovery Pane
Priority: P3
Severity: normal
Status: RESOLVED FIXED
Reported: 7 years ago
Last modified: 2 years ago

People

(Reporter: fligtar, Assigned: clouserw)

Details

(Whiteboard: [disco-final], URL)

(Reporter)

Description

7 years ago
While logged into AMO, the disco pane (https://services.addons.mozilla.org/en-US/firefox/discovery/3.7pre/Darwin) doesn't show me as logged in.

This worked on preview, so guessing there's a problem with services reading the cookie.
addons.mozilla.org tells me this: Set-Cookie: AMOv3=xxx; path=/; secure; HttpOnly
(Assignee)

Updated

7 years ago
Target Milestone: --- → 5.12.2
(Assignee)

Updated

7 years ago
Assignee: nobody → clouserw
(Assignee)

Comment 2

7 years ago
We're using standard domain cookies which means they are only accessible on AMO.  We could switch them to *.AMO but that means any other subdomain could see them, including FAMO, BAMO, PAMO, LAMO, and all the rest.  I don't trust any of those to see sessions.

We may need to XHR this data in after the page load.
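
Added example, not part of the bug comments or AMO's code: the cookie-scoping rule Comment 2 describes, showing why the Set-Cookie header quoted in this bug never reaches services.addons.mozilla.org and which hosts would receive it once a Domain attribute is added. The Domain variant and the host other-app.addons.mozilla.org are constructed for illustration.

```javascript
// Added example, not AMO code. Simplified RFC 6265 scoping for hostnames (no IP
// addresses, no public-suffix check); Path is ignored because the bug's cookie uses path=/.
// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Parse a Set-Cookie header received from requestHost; null if the browser would reject it.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.split('=')[0], domain: requestHost.toLowerCase(),
                   hostOnly: true, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      // A Domain attribute (leading dot ignored) widens scope to every subdomain.
      cookie.domain = v.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  // A host may only set cookies for itself or a parent domain.
  return domainMatches(requestHost, cookie.domain) ? cookie : null;
}

// Would the browser attach this cookie to a request for url?
function isSentTo(cookie, url) {
  const { hostname, protocol } = new URL(url);
  if (cookie.secure && protocol !== 'https:') return false;
  return cookie.hostOnly ? hostname === cookie.domain
                         : domainMatches(hostname, cookie.domain);
}

function recipients(header, requestHost, urls) {
  const cookie = parseSetCookie(header, requestHost);
  return cookie ? urls.filter(u => isSentTo(cookie, u)) : [];
}

const URLS = [
  'https://addons.mozilla.org/',
  'https://services.addons.mozilla.org/en-US/firefox/discovery/3.7pre/Darwin',
  'https://other-app.addons.mozilla.org/',  // hypothetical sibling subdomain
  'http://addons.mozilla.org/',
];
const HOST_ONLY = 'AMOv3=xxx; path=/; secure; HttpOnly';  // header quoted in the bug
const WIDENED = HOST_ONLY + '; Domain=addons.mozilla.org'; // constructed variant
console.log(recipients(HOST_ONLY, 'addons.mozilla.org', URLS), recipients(WIDENED, 'addons.mozilla.org', URLS));
```

With the header as quoted, only the HTTPS origin that set the cookie receives it; with the Domain attribute, the discovery pane host and every other subdomain do as well.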
(Reporter)

Comment 3

7 years ago
Why don't you trust those to see sessions? It seems like accessing the AMO session from other subdomains will be desirable and possibly necessary in the future.
(Assignee)

Comment 4

7 years ago
FAMO is one of the most widely targeted and exploited forums on the market, BAMO has a questionable past regarding security, PAMO is not always tested code and can have exploits on it.  I don't see lifting the restriction.
(Assignee)

Comment 5

7 years ago
So, -> potch for front end stuff.  If you need someone to make you a back end chunk, let us know.
Assignee: clouserw → thepotch
Priority: P2 → P3
(Assignee)

Comment 6

7 years ago
I'm taking this.  Our cookie issues aren't resolved yet, but we're doing it the right way so it'll make this much better once we solve it.
Assignee: thepotch → clouserw
Target Milestone: 5.12.2 → 5.12.3
(Assignee)

Updated

7 years ago
Depends on: 608475, 608476
(Assignee)

Updated

7 years ago
Depends on: 608797
(Assignee)

Updated

7 years ago
Depends on: 608839
(Assignee)

Comment 7

7 years ago
Well, the cookie is cross domain now, so this should just work.  We won't know until it's in production though and you'll probably need to log out/in.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Depends on: 611863

Although I can't verify this _in prod_, I've verified that https://addons.allizom.org/en-US/firefox/discovery/3.6/Linux and the like pay attention to our logged-in/logged-out state, and reflect that correctly, on next/preview.

I'll verify post-push.
I spun off bug 613574 to cover SAMO.

Updated

6 years ago
Blocks: 710193
Product: addons.mozilla.org → addons.mozilla.org Graveyard