Closed Bug 916955 Opened 11 years ago Closed 11 years ago

Ember.show API doesn't error if an invalid token is provided

Categories

(bugzilla.mozilla.org :: API, defect)

Product:
bugzilla.mozilla.org
Component:
API
Version:
Development
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: erik.bryn, Assigned: dkl)

Details

For example: https://bugzilla-dev.allizom.org/rest/ember/show/916522?Bugzilla_token=asdjklfjaslkdf

Ideally, this would fail as I would want to prompt the user to relogin if a token expired.
Sorry meant to post this in IRC but my internet has been flakey today. We decided a while back that tokens would be treated similarly to cookies in that if a cookie/token is not valid it is simple ignored rather than throwing an error.

https://bugzilla.mozilla.org/show_bug.cgi?id=893195#c22

We added User.valid_login (GET /valid_login?token=XXXX&login=dkl@mozilla.com) webservice method that will confirm if a cookie or token is still valid for a given user.

What we need to do though is, if a token is invalid for /rest/ember/show, basically same as not being logged in, we do not provide an update_token for passing to Bug.update. I will do this and push to bugzilla-dev.

dkl
So my main concern is I don't want to cache an unauthenticated Ember.show API response if the frontend thinks it's logged in. Since responses are specific to the current user, it would be bad to have the cache contain mixed authenticated/unauthenticated responses. Ideally any operation made with an invalid token would fail so the frontend knows it needs to reauthenticate. I don't think it's reasonable to have to hit the User.valid_login API prior to any cached API call for the client to detect it's token is no longer valid. 

If we can't remedy this in the API, I'm going to have to resort to some hacky mechanism for detecting whether every cached API response is an authenticated response or not.
An idea just occurred to me: perhaps the API could provide an HTTP header that let's me detect whether the response was  authenticated or not.
Another discovery: an error is thrown if the username/password is incorrect. Seems inconsistent.
(In reply to Erik Bryn from comment #4)
> Another discovery: an error is thrown if the username/password is incorrect.
> Seems inconsistent.

yeah for background info see the comments in bug 893195.
Ember.show will now throw invalid token error if one is provided but the user is not logged in.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2
added extensions/Ember/template
modified extensions/Ember/lib/WebService.pm
added extensions/Ember/template/en
added extensions/Ember/template/en/default
added extensions/Ember/template/en/default/hook
added extensions/Ember/template/en/default/hook/global
added extensions/Ember/template/en/default/hook/global/user-error-errors.html.tmpl
Committed revision 9012. 

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2-dev
added extensions/Ember/template
modified extensions/Ember/lib/WebService.pm
added extensions/Ember/template/en
added extensions/Ember/template/en/default
added extensions/Ember/template/en/default/hook
added extensions/Ember/template/en/default/hook/global
added extensions/Ember/template/en/default/hook/global/user-error-errors.html.tmpl
Committed revision 8553.
Assignee: nobody → dkl
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.