BzAPI no longer able to perform actions which require including a token derived from an update_token.

RESOLVED DUPLICATE of bug 929704

Status

Webtools
BzAPI
--
major
4 years ago
4 years ago

People

(Reporter: jhford, Assigned: gerv)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

I'm unsure if this is strictly a BzAPI issue or a b.m.o issue, but my understanding is that b.m.o just had a push but BzAPI and my code haven't changed in months.  If this should be moved to BzAPI, please do so!

In the BzAPI, you need to fetch a bug to get an 'update_token'.  When submitting to the api, that token is copied into the new skeleton bug object as 'token'.

This is currently blocking our ability to uplift bugs for the Firefox OS project on our gecko branch as it's impractical to comment on > 100 bugs every couple days by hand.
> I'm unsure if this is strictly a BzAPI issue or a b.m.o issue, but my
> understanding is that b.m.o just had a push but BzAPI and my code haven't
> changed in months.

we push weekly :)

> If this should be moved to BzAPI, please do so!

this is most likely related to security fixes that went into the latest bugzilla release.  as bzapi hits process_bug.cgi directly, it'll be impacted by any CSRF protection changes.
Assignee: nobody → gerv
Component: General → BzAPI
Product: bugzilla.mozilla.org → Webtools
Version: Production → other
Hi jhford,

(In reply to John Ford [:jhford] -- please use 'needinfo?' instead of a CC from comment #0)
> In the BzAPI, you need to fetch a bug to get an 'update_token'.  When
> submitting to the api, that token is copied into the new skeleton bug object
> as 'token'.

Or "update_token"; either will work.

I cannot reproduce this, so you will need to supply more details of exactly what URLs and API calls you are using, with what data. I downloaded a bug as JSON using a URL like:

GET https://api-dev.bugzilla.mozilla.org/tip/bug/652502?username=gerv@mozilla.org&password=XXXX

and then uploaded the same data exactly (plus an added comment) using:

PUT https://api-dev.bugzilla.mozilla.org/tip/bug/652502?username=gerv@mozilla.org&password=XXXX

and successfully added two comments to bug 652502 - one using "token" and one using "update_token", to make sure both worked. This is using the BzAPI install called "tip", which is the very tip BzAPI code pointed at BMO, but I'm fairly sure it has no significant differences from the "latest" endpoint which most people use.

> This is currently blocking our ability to uplift bugs for the Firefox OS
> project on our gecko branch as it's impractical to comment on > 100 bugs
> every couple days by hand.

I'm gratified that, in general, BzAPI is saving you significant effort :-)

Gerv
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 929704
(In reply to Gervase Markham [:gerv] from comment #2)
> Hi jhford,
> 
> (In reply to John Ford [:jhford] -- please use 'needinfo?' instead of a CC
> from comment #0)
> > In the BzAPI, you need to fetch a bug to get an 'update_token'.  When
> > submitting to the api, that token is copied into the new skeleton bug object
> > as 'token'.
> 
> Or "update_token"; either will work.
> 
> I cannot reproduce this, so you will need to supply more details of exactly
> what URLs and API calls you are using, with what data. I downloaded a bug as
> JSON using a URL like:
> 
> GET https://api-dev.bugzilla.mozilla.org/tip/bug/652502?username=gerv@mozilla.org&password=XXXX
> 
> and then uploaded the same data exactly (plus an added comment) using:
> 
> PUT https://api-dev.bugzilla.mozilla.org/tip/bug/652502?username=gerv@mozilla.org&password=XXXX
> 
> and successfully added two comments to bug 652502 - one using "token" and
> one using "update_token", to make sure both worked. This is using the BzAPI
> install called "tip", which is the very tip BzAPI code pointed at BMO, but
> I'm fairly sure it has no significant differences from the "latest" endpoint
> which most people use.

I can reproduce this with /1.3, /latest and /tip.  I have more details here: https://bugzilla.mozilla.org/show_bug.cgi?id=929704#c8

But suffice to say that I'm setting the token I get from a GET /bug/XXXXXX and PUTing to https://api-dev.bugzilla.mozilla.org/1.3/bug/916231?username=&password= with a json blob of:

"{\"cf_status_b2g_1_2\": \"fixed\", \"token\": \"1382550415-fa3bc13912c0c5adac508e70574987b6\", \"comments\": [{\"text\": \"Uplifted c7803c6a23057cd3b3613f315d2fe5a5d4c83a51 to:\\nv1.2: 85adf28ddaac0985108b482f2babc71d83508718\\n\"}]}"

The code that did this worked a week ago, so I think something is happening on the server side which has broken either Bugzilla or BzAPI.  If BzAPI and my code haven't changed in a while, then that suggests to me that Bugzilla is what broke.

> > This is currently blocking our ability to uplift bugs for the Firefox OS
> > project on our gecko branch as it's impractical to comment on > 100 bugs
> > every couple days by hand.
> 
> I'm gratified that, in general, BzAPI is saving you significant effort :-)

it is, thanks for writing it!

> Gerv
With the checkin of bug 930013, this should now be fixed.

Gerv
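
The fetch-then-update flow discussed in this bug, as an added example that is not BzAPI's or the reporter's code: it builds the PUT body from a fetched bug and rejects a missing or stale token before anything is sent. Reading the token as `<unix time>-<hex>` is an assumption inferred from the sample in this thread, and `token_issued_at`, `build_update` and the `max_age_s` limit are hypothetical names chosen here.

```python
import json
import re
from datetime import datetime, timezone

# Token shape inferred from the sample in this thread: "<unix time>-<32 hex chars>".
# This is an assumption made for the example, not a documented format.
TOKEN_RE = re.compile(r"^(\d{10})-([0-9a-f]{32})$")


def token_issued_at(token):
    """Return the UTC time encoded in the token prefix, or None if malformed."""
    m = TOKEN_RE.match(token or "")
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def build_update(fetched_bug, changes, comment, now, max_age_s):
    """Build the PUT body: changed fields, one comment, and the fetched
    'update_token' copied in as 'token'. max_age_s is a caller-chosen limit."""
    token = fetched_bug.get("update_token")
    issued = token_issued_at(token)
    if issued is None:
        raise ValueError("fetched bug has no usable update_token; re-fetch before PUT")
    age = (now - issued).total_seconds()
    if age < 0 or age > max_age_s:
        raise ValueError("update_token is %d s old; re-fetch the bug" % age)
    body = dict(changes)
    body["token"] = token
    body["comments"] = [{"text": comment}]
    return json.dumps(body, sort_keys=True)


# Constructed GET response, reduced to the fields used here; the bug id and
# token are the ones quoted in this thread.
FETCHED = {"id": 916231,
           "update_token": "1382550415-fa3bc13912c0c5adac508e70574987b6"}

if __name__ == "__main__":
    now = datetime.fromtimestamp(1382550500, tz=timezone.utc)
    print(build_update(FETCHED, {"cf_status_b2g_1_2": "fixed"},
                       "Uplifted to v1.2", now, 3600))
```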