Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1436943 - Login fails with "Unrecognized identity" when using Google authentication #3210

Merged
merged 2 commits into from Feb 9, 2018
Merged

Bug 1436943 - Login fails with "Unrecognized identity" when using Google authentication #3210

merged 2 commits into from Feb 9, 2018

Conversation

helfi92
Copy link
Contributor

@helfi92 helfi92 commented Feb 9, 2018

Presently, when you login with google you are prompted with a screen
that tells you to login using a different provider. However, if you try to
login with google using a "@mozilla.com", then there is a
blank page saying Unrecognized identity.

This commit will allow a user to login with Google when he tries to login with a mozilla.com email.

@helfi92
Allow Google login
0e2e3dc 
Presently, when you login with google you are prompted with a screen
that tells you to login using another provider. However, if you try to
login with google using an LDAP email "@mozilla.com", then there is a
blank page saying Unrecognized identity.
@helfi92 helfi92 self-assigned this Feb 9, 2018
@helfi92 helfi92 requested a review from edmorley February 9, 2018 14:12
@helfi92 helfi92 changed the title Allow Google login Bug 1436943 - Login fails with "Unrecognized identity" when using Google authentication Feb 9, 2018
edmorley
edmorley suggested changes Feb 9, 2018
View reviewed changes
Copy link
Contributor

@edmorley edmorley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for looking at this :-)

Could you add google (+ github) to the existing test_get_username_from_userinfo()?

@helfi92 helfi92 requested a review from edmorley February 9, 2018 14:38
edmorley
edmorley reviewed Feb 9, 2018
View reviewed changes
treeherder/auth/backends.py
@@ -73,6 +73,8 @@ def _get_username_from_userinfo(self, user_info):
return "email/" + email
elif "github" in subject:
return "github/" + email
elif "google" in subject:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be using .startswith() rather than checking if it's just a substring? Can there be user provided input at the end of the string?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you login with LDAP, the subject will be of the form: ad|Mozilla-LDAP|haali. In this case, startswith would fail here since Mozilla-LDAP is in the middle of the string.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This is pre-existing, so needn't block this PR)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah but we could either:

  • use .startswith('ad|Mozilla-LDAP|')
  • only use startswith() on the others
  • not use startswith(), but adjust the substrings used to include the pipe operator (which would make it harder to fake since not valid email character etc)

Anyway perhaps there is no risk here, just wanted to check given I don't know what possible user provided values can end up in subject :-)

CC @djmitche

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good point. There's not a security concern here -- login uses a better approach -- but startsWith will be more effective against e.g., ad|Mozilla-LDAP|github@mozilla.com.

@helfi92 helfi92 merged commit a74003f into mozilla:master Feb 9, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djmitche djmitche djmitche left review comments

@edmorley edmorley edmorley approved these changes

Assignees

@helfi92 helfi92

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@helfi92 @djmitche @edmorley