Ember.show API doesn't error if an invalid token is provided

RESOLVED FIXED

Status

bugzilla.mozilla.org
API
4 years ago
4 years ago

People

(Reporter: Erik Bryn, Assigned: dkl)

Tracking

Development/Staging

Details

(Reporter)

Description

4 years ago
For example: https://bugzilla-dev.allizom.org/rest/ember/show/916522?Bugzilla_token=asdjklfjaslkdf

Ideally, this would fail as I would want to prompt the user to relogin if a token expired.
(Assignee)

Comment 1

4 years ago
Sorry, meant to post this in IRC but my internet has been flakey today. We decided a while back that tokens would be treated similarly to cookies in that if a cookie/token is not valid it is simply ignored rather than throwing an error.

https://bugzilla.mozilla.org/show_bug.cgi?id=893195#c22

We added a User.valid_login (GET /valid_login?token=XXXX&login=dkl@mozilla.com) webservice method that will confirm if a cookie or token is still valid for a given user.

What we need to do though is, if a token is invalid for /rest/ember/show, basically the same as not being logged in, we do not provide an update_token for passing to Bug.update. I will do this and push to bugzilla-dev.

dkl
(Reporter)

Comment 2

4 years ago
So my main concern is I don't want to cache an unauthenticated Ember.show API response if the frontend thinks it's logged in. Since responses are specific to the current user, it would be bad to have the cache contain mixed authenticated/unauthenticated responses. Ideally any operation made with an invalid token would fail so the frontend knows it needs to reauthenticate. I don't think it's reasonable to have to hit the User.valid_login API prior to any cached API call for the client to detect its token is no longer valid.

If we can't remedy this in the API, I'm going to have to resort to some hacky mechanism for detecting whether every cached API response is an authenticated response or not.
(Reporter)

Comment 3

4 years ago
An idea just occurred to me: perhaps the API could provide an HTTP header that lets me detect whether the response was authenticated or not.
(Reporter)

Comment 4

4 years ago
Another discovery: an error is thrown if the username/password is incorrect. Seems inconsistent.
(Assignee)

Comment 5

4 years ago
(In reply to Erik Bryn from comment #4)
> Another discovery: an error is thrown if the username/password is incorrect.
> Seems inconsistent.

Yeah, for background info see the comments in bug 893195.
(Assignee)

Comment 6

4 years ago
Ember.show will now throw an invalid token error if one is provided but the user is not logged in.

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2
added extensions/Ember/template
modified extensions/Ember/lib/WebService.pm
added extensions/Ember/template/en
added extensions/Ember/template/en/default
added extensions/Ember/template/en/default/hook
added extensions/Ember/template/en/default/hook/global
added extensions/Ember/template/en/default/hook/global/user-error-errors.html.tmpl
Committed revision 9012. 

Committing to: bzr+ssh://dlawrence%40mozilla.com@bzr.mozilla.org/bmo/4.2-dev
added extensions/Ember/template
modified extensions/Ember/lib/WebService.pm
added extensions/Ember/template/en
added extensions/Ember/template/en/default
added extensions/Ember/template/en/default/hook
added extensions/Ember/template/en/default/hook/global
added extensions/Ember/template/en/default/hook/global/user-error-errors.html.tmpl
Committed revision 8553.
Assignee: nobody → dkl
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
OS: Mac OS X → All
Hardware: x86 → All
Resolution: --- → FIXED
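
The caching concern from comment 2 and the behaviour change from comment 6, modelled as an added example (not part of the original thread and not Bugzilla's own code). The function and class names, the `strict` flag, the error string and all token values are assumptions constructed for illustration.

```javascript
// Added model of the thread's scenario; not Bugzilla's WebService.pm.
// Constructed session table: token -> login.
const VALID_TOKENS = new Map([['tok-constructed-1', 'user@example.com']]);

// `strict: false` models the original behaviour (a bad token is ignored, like
// a bad cookie); `strict: true` models the fix (a supplied token that does not
// authenticate is an error). The error string is a hypothetical placeholder.
function authenticate(token, strict) {
  if (token === undefined || token === '') return { user: null }; // anonymous
  const user = VALID_TOKENS.get(token);
  if (user) return { user };
  return strict ? { error: 'invalid_token' } : { user: null };
}

// Per-user endpoint model: update_token is issued only to authenticated callers.
function showBug(id, token, strict) {
  const auth = authenticate(token, strict);
  if (auth.error) return { ok: false, error: auth.error };
  const body = { id, viewer: auth.user };
  if (auth.user) body.update_token = 'upd-constructed';
  return { ok: true, body };
}

// Client cache keyed by bug id and token. It stores only successful responses
// and flags the session for re-login when the server rejects the token.
class BugCache {
  constructor(strict) {
    this.strict = strict;
    this.entries = new Map();
    this.needsLogin = false;
  }
  fetch(id, token) {
    const key = `${id}|${token ?? 'anon'}`;
    if (this.entries.has(key)) return this.entries.get(key);
    const res = showBug(id, token, this.strict);
    if (!res.ok) {
      this.needsLogin = true;
      return null;
    }
    this.entries.set(key, res.body);
    return res.body;
  }
}
```

With `strict` false, an expired token produces an anonymous body that the client stores under its logged-in key, which is the mixed cache state comment 2 describes. With `strict` true, nothing is cached and `needsLogin` is set.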