Bug 456261 - RFE: add API to verify cookie validity over XML-RPC
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Bugzilla
Classification: Community
Component: WebService
Version: 3.2
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Noura El hawary
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-07-22 14:59 UTC by Tomas Hoger
Modified: 2013-06-24 04:08 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-29 15:02:54 UTC
Embargoed:


Attachments
v1 for new xmlrpc function User.valid_cookie (1.39 KB, patch)
2008-07-23 03:06 UTC, Noura El hawary
dkl: review+

Description Tomas Hoger 2008-07-22 14:59:23 UTC
Description of problem:
The Bugzilla XML-RPC interface should provide a method to verify if some cookie is
still valid for some Bugzilla user.  The motivation is that a user may log in
using User.login() and store the authentication cookie in the cookie file and re-use
it in subsequent runs of various scripts using XML-RPC.  Currently, there does
not seem to be an easy way to verify if the cookie is still valid (a possible
workaround is to verify if user names or email addresses are returned in query
results), and whether the cookie is for a specific user.

I used to (ab)use User.login without any argument to get (part of) that
information, which returned a non-0 user id if the cookie was still valid, or 0
otherwise.  However, that is no longer possible after the following upstream change
was deployed on partner-bugzilla:

  https://bugzilla.mozilla.org/show_bug.cgi?id=445885

Possible API:
User.isValidCookie($bugzilla_login), possibly with $bugzilla_login being
optional, giving answer to a question whether cookie is valid for session of any
/ specified user.

Version-Release number of selected component (if applicable):
partner-bugzilla instance as of 2008-07-22

Comment 1 David Lawrence 2008-07-22 15:15:05 UTC
Noura, with the latest change upstream that was requested and I applied the
patch, User.login() now requires that login/password be defined or else it
throws a user error. It is not likely that this patch will be reverted as I am
sure upstream will not deem this critical. So could you implement a method that
will silently call Bugzilla->login() and will return 1/0 if the user is
authenticated or not? The param { login => $email } could be required just as
some extra validation against any kind of spoofing attack.
I recommend we keep the method name short such as User.validCookie or
User.validLogin, doesn't matter.

So basically it would be

package Bugzilla::WebService::User;

sub validCookie {
    my ($self, $params) = @_;
    Bugzilla->login();
    if (Bugzilla->user->id && Bugzilla->user->login eq $params->{login}) {
        return 1;
    }
    else {
        return 0;
    }
}

What do you think?

Dave

Comment 2 Noura El hawary 2008-07-23 03:06:16 UTC
Created attachment 312414 [details]
v1 for new xmlrpc function User.valid_cookie

Hi Dave,

Based on your suggestion, I created the attached patch with the function. I
think it is a good idea.

Thanks,
Noura

Comment 3 David Lawrence 2008-07-23 03:18:23 UTC
Comment on attachment 312414 [details]
v1 for new xmlrpc function User.valid_cookie

Please add:

defined $params->{login}
    || ThrowCodeError('param_required', { param => 'login' });

before Bugzilla->login() and update the docs. Looks good so go ahead and
checkin after.

Dave

Comment 4 Noura El hawary 2008-07-23 03:52:33 UTC
Thanks for the review Dave, Patch is committed now with your suggestions.

Noura

Comment 5 Tomas Hoger 2008-07-29 10:24:00 UTC
Thanks!  Seems to work fine.
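
Added example, not part of the original thread and not the project's code: a client-side sketch of how a script could check a stored cookie before re-using it, treating anything other than an explicit 1 as invalid. It assumes the method name User.valid_cookie from the attachment title, the 1/0 return value and required login param described in the comments above, and Bugzilla's Bugzilla_login / Bugzilla_logincookie cookie pair; the user, cookie values and server replies are constructed.

```python
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Assumed: method name taken from the attachment title on this page.
METHOD = "User.valid_cookie"

def build_request(login, user_id, logincookie):
    """Return (headers, body) for a cookie-authenticated validity check."""
    if not login:
        raise ValueError("login is required (the server rejects calls without it)")
    for value in (str(user_id), logincookie):
        # A tampered cookie file must not be able to inject extra headers or cookies.
        if not value or any(c in value for c in ";,\r\n \t"):
            raise ValueError("unsafe cookie value")
    headers = {
        "Content-Type": "text/xml",
        # Bugzilla's session cookie pair; the values come from the stored cookie file.
        "Cookie": f"Bugzilla_login={user_id}; Bugzilla_logincookie={logincookie}",
    }
    # The login param ties the check to one account, so a cookie that belongs
    # to a different user is reported as not valid for this one.
    body = xmlrpc.client.dumps(({"login": login},), methodname=METHOD)
    return headers, body

def cookie_is_valid(response_xml):
    """Fail closed: only an explicit integer 1 in the reply counts as valid."""
    try:
        (result,), _ = xmlrpc.client.loads(response_xml)
    except (xmlrpc.client.Fault, xmlrpc.client.ResponseError, ExpatError, ValueError):
        # Faults (e.g. missing param), malformed XML and odd shapes are all "not valid".
        return False
    return isinstance(result, int) and result == 1

# Constructed sample replies (not captured from a real server).
VALID = xmlrpc.client.dumps((1,), methodresponse=True)
INVALID = xmlrpc.client.dumps((0,), methodresponse=True)
FAULT = xmlrpc.client.dumps(xmlrpc.client.Fault(1, "constructed fault"), methodresponse=True)

if __name__ == "__main__":
    headers, body = build_request("user@example.com", 42, "AbCdEf1234")
    print(headers["Cookie"])
    print(body)
    for name, reply in (("valid", VALID), ("invalid", INVALID), ("fault", FAULT)):
        print(name, cookie_is_valid(reply))
```

The headers and body are what a script would POST to the instance's XML-RPC endpoint; on a False result it should discard the stored cookie and log in again rather than continue unauthenticated.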
