diff options
| author | Dave Lawrence <dlawrence@mozilla.com> | 2013-09-26 17:06:28 +0200 |
|---|---|---|
| committer | Dave Lawrence <dlawrence@mozilla.com> | 2013-09-26 17:06:28 +0200 |
| commit | feeccb6a9e435932346d6a9ddeeb12c969362177 (patch) | |
| tree | a60fa68c9ca2ca8148de72764e2ac74d65a7cc72 /Bugzilla/Auth | |
| parent | 186374529e05a18e216ee96675d80488289c9c42 (diff) | |
| download | bugzilla-feeccb6a9e435932346d6a9ddeeb12c969362177.tar.gz bugzilla-feeccb6a9e435932346d6a9ddeeb12c969362177.tar.xz | |
Bug 917669 - invalid or expired authentication tokens and cookies should throw errors, not be silently ignored
r/a=glob
Diffstat (limited to 'Bugzilla/Auth')
| -rw-r--r-- | Bugzilla/Auth/Login/Cookie.pm | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm index 130fab8e3..3068331ea 100644 --- a/Bugzilla/Auth/Login/Cookie.pm +++ b/Bugzilla/Auth/Login/Cookie.pm @@ -14,6 +14,7 @@ use parent qw(Bugzilla::Auth::Login); use Bugzilla::Constants; use Bugzilla::Util; +use Bugzilla::Error; use List::Util qw(first); @@ -73,7 +74,9 @@ sub get_login_info { AND (ipaddr = ? OR ipaddr IS NULL)', undef, ($login_cookie, $user_id, $ip_addr)); - # If the cookie is valid, return a valid username. + # If the cookie or token is valid, return a valid username. + # If they were not valid and we are using a webservice, then + # throw an error notifying the client. if ($is_valid) { # If we logged in successfully, then update the lastused # time on the login cookie @@ -81,12 +84,16 @@ sub get_login_info { WHERE cookie = ?", undef, $login_cookie); return { user_id => $user_id }; } + elsif (i_am_webservice()) { + ThrowUserError('invalid_cookies_or_token'); + } } - # Either the he cookie is invalid, or we got no cookie. We don't want - # to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to - # actually throw an error when it gets a bad cookie. It should just - # look like there was no cookie to begin with. + # Either the cookie or token is invalid and we are not authenticating + # via a webservice, or we did not receive a cookie or token. We don't + # want to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to + # actually throw an error when it gets a bad cookie or token. It should just + # look like there was no cookie or token to begin with. return { failure => AUTH_NODATA }; } @@ -97,9 +104,7 @@ sub login_token { return $self->{'_login_token'} if exists $self->{'_login_token'}; - if ($usage_mode ne USAGE_MODE_XMLRPC - && $usage_mode ne USAGE_MODE_JSON - && $usage_mode ne USAGE_MODE_REST) { + if (!i_am_webservice()) { return $self->{'_login_token'} = undef; } |