Bug 1209148 - Stop using short-life token for internal REST API auth, which is problematic especially on My Dashboard, and rely on login cookie instead #782
Conversation
So... I tried, and looks like this is working. The real culprit is
I encountered this today after updating Nightly (I skipped the broken-cookie build), and am glad to see we're resolving it.
This is basically a removal so no code review needed. Just want to make sure this works as expected and no security issues introduced.
@kyoshino What circumstances can activate this code block today? https://github.com/mozilla-bteam/bmo/pull/782/files#diff-e432c9f5510c145bfbb4a9eb373e5209L107
I meant: no review for newly added code is required...
(I'd planned to ask that question in any case, but thank you for clarifying all the same!)
Maybe @floatingatoll is right. That particular part should not be removed after all. I'm reverting it and only remove the
I think api_key only might just have been for preventing CSRF attacks, which is now mitigated by SameSite cookies.
So can we remove the
https://github.com/mozilla-bteam/bmo/blob/master/docs/en/rst/api/core/v1/general.rst mentions Bugzilla_token and short form token= so the docs need to be updated as well.
It's very confusing but
since dkl requested changes, I'll do the same so this drops off my radar.
This PR needs to be updated once #917 is merged.
… which is problematic especially on My Dashboard, and rely on login cookie instead
Description
Bugzilla_api_token is problematic and redundant. The existing login cookie can be used instead for API auth. Bugzilla_token is a different thing, and it should not be affected by this change.
Bug
Bug 1209148 - Stop using short-life token for internal REST API auth, which is problematic especially on My Dashboard, and rely on login cookie instead