Bug 916955 - Ember.show API doesn't error if an invalid token is provided
Status: RESOLVED FIXED
Product: bugzilla.mozilla.org
Classification: Other
Component: API
: Development/Staging
: All All
: -- normal
Assigned To: David Lawrence [:dkl]
Reported: 2013-09-16 12:57 PDT by Erik Bryn
Modified: 2013-09-17 10:59 PDT

Description Erik Bryn 2013-09-16 12:57:42 PDT
For example: https://bugzilla-dev.allizom.org/rest/ember/show/916522?Bugzilla_token=asdjklfjaslkdf

Ideally, this would fail as I would want to prompt the user to relogin if a token expired.
Comment 1 David Lawrence [:dkl] 2013-09-16 13:36:20 PDT
Sorry, meant to post this in IRC but my internet has been flakey today. We decided a while back that tokens would be treated similarly to cookies in that if a cookie/token is not valid it is simply ignored rather than throwing an error.

https://bugzilla.mozilla.org/show_bug.cgi?id=893195#c22

We added a User.valid_login (GET /valid_login?token=XXXX&login=dkl@mozilla.com) webservice method that will confirm if a cookie or token is still valid for a given user.

What we need to do though is, if a token is invalid for /rest/ember/show, basically same as not being logged in, we do not provide an update_token for passing to Bug.update. I will do this and push to bugzilla-dev.

dkl
Comment 2 Erik Bryn 2013-09-16 13:47:55 PDT
So my main concern is I don't want to cache an unauthenticated Ember.show API response if the frontend thinks it's logged in. Since responses are specific to the current user, it would be bad to have the cache contain mixed authenticated/unauthenticated responses. Ideally any operation made with an invalid token would fail so the frontend knows it needs to reauthenticate. I don't think it's reasonable to have to hit the User.valid_login API prior to any cached API call for the client to detect its token is no longer valid.

If we can't remedy this in the API, I'm going to have to resort to some hacky mechanism for detecting whether every cached API response is an authenticated response or not.
Comment 3 Erik Bryn 2013-09-16 13:49:19 PDT
An idea just occurred to me: perhaps the API could provide an HTTP header that lets me detect whether the response was authenticated or not.
Comment 4 Erik Bryn 2013-09-16 13:51:52 PDT
Another discovery: an error is thrown if the username/password is incorrect. Seems inconsistent.
Comment 5 David Lawrence [:dkl] 2013-09-16 14:08:27 PDT
(In reply to Erik Bryn from comment #4)
> Another discovery: an error is thrown if the username/password is incorrect.
> Seems inconsistent.

Yeah, for background info see the comments in bug 893195.
Comment 6 David Lawrence [:dkl] 2013-09-17 10:59:11 PDT
Ember.show will now throw an invalid token error if one is provided but the user is not logged in.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2
added extensions/Ember/template
modified extensions/Ember/lib/WebService.pm
added extensions/Ember/template/en
added extensions/Ember/template/en/default
added extensions/Ember/template/en/default/hook
added extensions/Ember/template/en/default/hook/global
added extensions/Ember/template/en/default/hook/global/user-error-errors.html.tmpl
Committed revision 9012. 

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2-dev
added extensions/Ember/template
modified extensions/Ember/lib/WebService.pm
added extensions/Ember/template/en
added extensions/Ember/template/en/default
added extensions/Ember/template/en/default/hook
added extensions/Ember/template/en/default/hook/global
added extensions/Ember/template/en/default/hook/global/user-error-errors.html.tmpl
Committed revision 8553.
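
The caching concern from comment 2 and the behavior change in comment 6, as an added example that is not part of the original thread or of Bugzilla's code: a small JavaScript model in which a client holding an expired token either silently caches an anonymous response (invalid token ignored) or is told to re-login (invalid token rejected). The function and class names, the sample tokens, and the error object shape are assumptions made for illustration.

```javascript
// Added illustration, not Bugzilla code. All names and the error shape are hypothetical.
const SESSIONS = new Map([["tok-live", "erik"]]); // constructed sample: one valid token

// Toy stand-in for the show endpoint.
// strict=false: an unrecognized token is ignored and the request is served as anonymous.
// strict=true:  a token that was supplied but does not validate is rejected.
function showBug(id, token, strict) {
  const user = token ? SESSIONS.get(token) : undefined;
  if (strict && token && !user) {
    return { error: true, message: "invalid token" };
  }
  const body = { id, summary: "constructed sample bug", viewer: user || null };
  if (user) body.update_token = `upd-${id}-${user}`; // only issued when logged in
  return body;
}

// Client that believes it is logged in and caches per-bug responses.
class CachingClient {
  constructor(token, strict) {
    this.token = token;
    this.strict = strict;
    this.cache = new Map();
    this.needsLogin = false;
  }
  fetchBug(id) {
    if (this.cache.has(id)) return this.cache.get(id);
    const res = showBug(id, this.token, this.strict);
    if (res.error) {
      this.needsLogin = true; // fail closed: cache nothing, prompt for re-login
      return null;
    }
    this.cache.set(id, res);
    return res;
  }
}

// Run one request with an expired token and report what the client ends up holding.
function runWithExpiredToken(strict) {
  const client = new CachingClient("tok-expired", strict);
  const res = client.fetchBug(916522);
  return {
    cachedEntries: client.cache.size,
    cachedAsAnonymous: res !== null && res.viewer === null,
    needsLogin: client.needsLogin,
  };
}

console.log("ignore invalid token:", runWithExpiredToken(false));
console.log("reject invalid token:", runWithExpiredToken(true));
```

With the token ignored, the client ends up with an anonymous response in a cache it treats as authenticated; with the token rejected, the cache stays empty and the client knows to reauthenticate.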
