User could not log in (came_from is missing for a cookie based login in) #65

Closed
jugmac00 opened this issue Mar 23, 2020 · 2 comments · Fixed by #93

@jugmac00
Member

When a user tried to log in, the following log entry was created:

2020-03-23 06:41:25,101 ERROR   [Zope.SiteErrorLog:252][waitress] 1584942085.10.20423314325 https://mysite.de/acl_users/cookie_auth/login
Traceback (innermost last):
  Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents
  Module ZPublisher.WSGIPublisher, line 359, in publish_module
  Module ZPublisher.WSGIPublisher, line 262, in publish
  Module ZPublisher.mapply, line 85, in mapply
  Module ZPublisher.WSGIPublisher, line 63, in call_object
  Module Products.PluggableAuthService.plugins.CookieAuthHelper, line 276, in login
KeyError: 'came_from'

Setup
PluggableAuthService 2.4
Zope 4.3
...

I can only reproduce the problem when I manually delete the value of came_from from the URL:

https://mysite.de/acl_users/cookie_auth/login_form?came_from=

Maybe that's what the user did.

My login form contains this code:

    <input type="hidden" name="came_from" value=""
           tal:attributes="value came_from | string:"/>

I cannot remember exactly, but I think empty input fields are dropped somewhere in the publishing process?

This could explain why it then "crashes" in PAS' login method:

Should we test for came_from within the login method? Or rely on there being some logic in the login_form template?

I cannot hardcode a URL, as there is more than one instance.

I am also not sure about the control flow when logging in. The unauthorized method handles a missing came_from but I am not sure how these two methods connect.

@jugmac00 jugmac00 added this to To do in Sprint 2021-04-23 via automation Apr 21, 2021
@jugmac00
Member Author

Added it to the next Zope sprint to clarify what to do...

@jugmac00
Member Author

jugmac00 commented Apr 23, 2021

decision at sprint:
redirect / stay at login form, but present the user a helpful message, as in "You have been successfully logged in, but we do not know where to redirect you."

jugmac00 added a commit that referenced this issue Apr 25, 2021
The login did not work when `came_from` request parameter was missing.

This is now handled gracefully, as the user, who provided correct
credentials, now gets logged in and gets notified about the next steps.

This fixes #65
@dataflake dataflake moved this from To do to In progress in Sprint 2021-04-23 Apr 25, 2021
@jugmac00 jugmac00 moved this from In progress to Done in Sprint 2021-04-23 May 10, 2021
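
Added example, not part of the original thread and not PluggableAuthService's own code: a self-contained model of the failure in the traceback and of the behaviour decided at the sprint. `FakeResponse`, `login_before`, `login_after` and the `message` query parameter are hypothetical names; the login form path is the one from the URL in the report.

```python
from urllib.parse import urlencode

# Path taken from the URL in the report; everything else here is hypothetical.
LOGIN_FORM = "/acl_users/cookie_auth/login_form"
NO_TARGET_MSG = ("You have been successfully logged in, "
                 "but we do not know where to redirect you.")


class FakeResponse:
    """Stand-in for the publisher's response; records the redirect target."""

    def __init__(self):
        self.location = None

    def redirect(self, url):
        self.location = url
        return url


def login_before(form, response):
    """Models the reported failure: indexing the form raises KeyError
    when came_from never reaches the login method."""
    return response.redirect(form["came_from"])


def login_after(form, response):
    """Models the sprint decision: credentials were accepted, so with a
    missing or empty came_from the user stays on the login form and is
    told why no redirect happened."""
    came_from = (form.get("came_from") or "").strip()
    if not came_from:
        query = urlencode({"message": NO_TARGET_MSG})
        return response.redirect(f"{LOGIN_FORM}?{query}")
    return response.redirect(came_from)


if __name__ == "__main__":
    # Constructed sample inputs: absent key, empty value, normal value.
    for form in ({}, {"came_from": ""}, {"came_from": "https://mysite.de/folder"}):
        print(form, "->", login_after(form, FakeResponse()))
```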