Getting "Too many HTTP redirects" when attempting to file radars

[ZevEisenberg]

I'm assuming they made changes at WWDC 2016? Reproduced on two machines with two different developer accounts. It happens on the "Signing in to RadarWeb" step.

[orta]

I don't have the time to do a full PR, but running this in debug mode brings up this:

2016-06-15 17:56:03.107429 QuickRadar[10053:763605] Found no element //img[@id='alert_icon']/@src
2016-06-15 17:56:06.863055 QuickRadar[10053:761345] Failure by QRRadarSubmissionServiceIdentifier

Likely this is the change

[keith]

It looks like at this state the entire xmlDocument only contains this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Apple</title><meta http-equiv="REFRESH" content="0;URL=http://www.apple.com/filenotfound" /></head><body bgcolor="#FFFFFF"></body></html>

[abbeycode]

I'm getting this also.

[orta]

Digging in a bit further, now I'm back in NYC, this is the new re-direction path ( had to write a quick app ) - will see about wrapping this up and making a PR

2016-06-19 13:52:07.318 LinkChecker[6856:956926] action: {
    WebActionModifierFlagsKey = 0;
    WebActionNavigationTypeKey = 5;
    WebActionOriginalURLKey = "https://idmsa.apple.com/IDMSWebAuth/login.html?appIdKey=77e2a60d4bdfa6b7311c854a56505800be3c24e3a27a670098ff61b69fc5214b&sslEnabled=true&rv=3";
}
2016-06-19 13:52:32.895 LinkChecker[6856:956926] action: {
    WebActionButtonKey = 0;
    WebActionElementKey =     {
       ...
    };
    WebActionFormKey = "<DOMHTMLFormElement [FORM]: 0x10cbe3a80 ''>";
    WebActionModifierFlagsKey = 0;
    WebActionNavigationTypeKey = 1;
    WebActionOriginalURLKey = "https://idmsa.apple.com/IDMSWebAuth/authenticate;jsessionid=6A6F10E58CA810EC1D701A4C466351A1";
}
2016-06-19 13:52:33.444 LinkChecker[6856:956926] action: {
    WebActionButtonKey = 0;
    WebActionElementKey =     {
      ...
    };
    WebActionModifierFlagsKey = 0;
    WebActionNavigationTypeKey = 1;
    WebActionOriginalURLKey = "https://idmsa.apple.com/IDMSWebAuth/authenticate;jsessionid=6A6F10E58CA810EC1D701A4C466351A1";
}
2016-06-19 13:52:33.883 LinkChecker[6856:956926] action: {
    WebActionButtonKey = 0;
    WebActionElementKey =     {
    ...
    };
    WebActionModifierFlagsKey = 0;
    WebActionNavigationTypeKey = 1;
    WebActionOriginalURLKey = "https://idmsa.apple.com/IDMSWebAuth/authenticate;jsessionid=6A6F10E58CA810EC1D701A4C466351A1";
}
2016-06-19 13:52:34.278 LinkChecker[6856:956926] action: {
    WebActionButtonKey = 0;
    WebActionElementKey =     {
    ...
    };
    WebActionModifierFlagsKey = 0;
    WebActionNavigationTypeKey = 1;
    WebActionOriginalURLKey = "https://idmsa.apple.com/IDMSWebAuth/authenticate;jsessionid=6A6F10E58CA810EC1D701A4C466351A1";
}
2016-06-19 13:52:35.573 LinkChecker[6856:956926] action: {
    WebActionModifierFlagsKey = 0;
    WebActionNavigationTypeKey = 5;
    WebActionOriginalURLKey = "about:blank";
}

[orta]

I threw an hour or two at this before calling it for the evening, looks like in late may authentication changed:

I couldn't find the CRSF token in the new urls

[steipete]

Thanks for looking into this! Gotta love open source!

Also note this comment that hints on a undocumented radar JavaScript API that might be less fragile:
http://www.openradar.me/26886178

[matej]

After some digging around I managed to get the app running again. By deleting some code.

Specifically I removed the code that manually sets the Host field:

• QuickRadar/QuickRadar/QRURLConnection.m

  Line 131 in e63a16d

  [request addValue:request.URL.host forHTTPHeaderField:@"Host"];

• QuickRadar/QuickRadar/QRURLConnection.m

  Line 141 in e63a16d

  if (existingHeaders[@"Host"]) [orderedDict setObject:existingHeaders[@"Host"] forKey:@"Host"];

Doing that messes up the redirect we get after sending our authentication data, directing us to https://idmsa.apple.com/logon instead of https://bugreport.apple.com/logon.

I noticed this by comparing the reqests Safari and QuickRadar make during login.

Safari / request:

GET / HTTP/1.1
Host: bugreport.apple.com
DNT: 1
Cookie: <redacted>
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17
Accept-Language: en-us
Referer: https://idmsa.apple.com/IDMSWebAuth/login.html?appIdKey=77e2a60d4bdfa6b7311c854a56505800be3c24e3a27a670098ff61b69fc5214b&sslEnabled=true&rv=3
Accept-Encoding: gzip, deflate

Safari / respnse:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Jun 2016 12:24:14 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-API-Version: 1.8
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://bugreport.apple.com/logon
Content-Language: en-US
Content-Length: 0
Keep-Alive: timeout=15, max=4998
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1

QuickRadar / request:

GET / HTTP/1.1
Host: idmsa.apple.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Accept-Language: en-us
Proxy-Connection: keep-alive
Cookie: <redacted>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1
Referer: https://idmsa.apple.com/IDMSWebAuth/login.html?appIdKey=77e2a60d4bdfa6b7311c854a56505800be3c24e3a27a670098ff61b69fc5214b&sslEnabled=true&rv=3
Accept-Encoding: gzip, deflate

QuickRadar / response:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Jun 2016 12:15:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-API-Version: 1.8
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: JSESSIONID=elPy-v0NpECJPBgkApiTfhci.nwk-radarp-lapp57; Path=/; Secure; HttpOnly
Location: https://idmsa.apple.com/logon
Content-Language: en-US
Content-Length: 0
Keep-Alive: timeout=15, max=5000
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1

Notice the difference for Host and Location.

I don't know the background here - why this has been done in the first place. But simply deleting those lines seems to do the trick for me. I can open up a PR for that, unless someone has a better idea.

[amyworrall]

If it works, I say go for it!

Most of the stuff QuickRadar sends just came from me observing a lot of sessions in Charles, and trying adding things until it worked. So this is exactly in keeping with the way the app has been built :)

Amy

On 23 Jun 2016, at 14:35, Matej Bukovinski notifications@github.com wrote:

After some digging around I managed to get the app running again. By deleting some code.

Specifically I removed the code that manually sets the Host field:

QuickRadar/QuickRadar/QRURLConnection.m

Line 131 in e63a16d

[request addValue:request.URL.host forHTTPHeaderField:@"Host"];

QuickRadar/QuickRadar/QRURLConnection.m

Line 131 in e63a16d

[request addValue:request.URL.host forHTTPHeaderField:@"Host"];

QuickRadar/QuickRadar/QRURLConnection.m

Line 141 in e63a16d

if (existingHeaders[@"Host"]) [orderedDict setObject:existingHeaders[@"Host"] forKey:@"Host"];

QuickRadar/QuickRadar/QRURLConnection.m

Line 141 in e63a16d

if (existingHeaders[@"Host"]) [orderedDict setObject:existingHeaders[@"Host"] forKey:@"Host"];

Doing that messes up the redirect we get after sending our authentication data, directing us to https://idmsa.apple.com/logon instead of https://bugreport.apple.com/logon.

I noticed this by comparing the reqests Safari and QuickRadar make during login.

Safari / request:

GET / HTTP/1.1
Host: bugreport.apple.com
DNT: 1
Cookie:
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/601.6.17 (KHTML, like Gecko) Version/9.1.1 Safari/601.6.17
Accept-Language: en-us
Referer: https://idmsa.apple.com/IDMSWebAuth/login.html?appIdKey=77e2a60d4bdfa6b7311c854a56505800be3c24e3a27a670098ff61b69fc5214b&sslEnabled=true&rv=3
Accept-Encoding: gzip, deflate
Safari / respnse:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Jun 2016 12:24:14 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-API-Version: 1.8
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://bugreport.apple.com/logon
Content-Language: en-US
Content-Length: 0
Keep-Alive: timeout=15, max=4998
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
QuickRadar / request:

GET / HTTP/1.1
Host: idmsa.apple.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Connection: keep-alive
Accept-Language: en-us
Proxy-Connection: keep-alive
Cookie:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1
Referer: https://idmsa.apple.com/IDMSWebAuth/login.html?appIdKey=77e2a60d4bdfa6b7311c854a56505800be3c24e3a27a670098ff61b69fc5214b&sslEnabled=true&rv=3
Accept-Encoding: gzip, deflate
QuickRadar / response:

HTTP/1.1 302 Moved Temporarily
Date: Thu, 23 Jun 2016 12:15:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-API-Version: 1.8
Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: JSESSIONID=elPy-v0NpECJPBgkApiTfhci.nwk-radarp-lapp57; Path=/; Secure; HttpOnly
Location: https://idmsa.apple.com/logon
Content-Language: en-US
Content-Length: 0
Keep-Alive: timeout=15, max=5000
Connection: Keep-Alive
Content-Type: text/html;charset=ISO-8859-1
Notice the difference for Host and Location.

I don't know the background here - why this has been done in the first place. But simply deleting those lines seems to do the trick for me. I can open up a PR for that, unless someone has a better idea.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub #89 (comment), or mute the thread https://github.com/notifications/unsubscribe/AAlA-rstUpox5NrN67mkpxVOU9dCbVm6ks5qOouMgaJpZM4I1Yil.

[abbeycode]

Is there any ETA on when a new build will be released?

[chockenberry]

I'm building from master using #90 and still seeing these errors.

One thing I have noticed is that the errors occur after I submit my first Radar (e.g. first one works fine, but subsequent ones do not.) Maybe there's something getting cached in the URL connection?

[ZevEisenberg]

@chockenberry confirmed: success the first time, "too many HTTP redirects" the second time.

[chockenberry]

@amyworrall Sounds like this issue should be reopened. I'm wondering if @steipete and @matej are seeing the same "works the first time, not the second" behavior.

[amyworrall]

I'm so sorry that I haven't had any time to look at this yet. I'm a bit swamped at the moment (plus my country is imploding politically, which is distracting). Thanks to everyone who is helping!

Sent from my iPhone

On 29 Jun 2016, at 17:17, Craig Hockenberry notifications@github.com wrote:

@amyworrall Sounds like this issue should be reopened. I'm wondering if @steipete and @matej are seeing the same "works the first time, not the second" behavior.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.

[steipete]

True. Noticed this as well today. This works once but then it's trouble again... probably won't be as easy to fix than just deleting a line. But it went from not working at all to at least somewhat working :)

[matej]

Looks like that's their way to rate limit you guys. ;)

The requests do differ between the first and second attempt.

One thing I noticed is that the authenticate action on the login page no longer has the session ID the second time around.

This leads to a different authenticate URL being invoked and things go south from there on.

First:

Second:

There is probably no need to even login at this point (the session could be reused). But since that would require even more and special casing, I just decided to purge cookies before we start. That should make every request equal to the first one. Seems to work.

Just deleting the "myacinfo" cookie appears to be enough, so this could be limited a bit, if anyone has any good arguments on why we should keep the remaining ones.