author | Dave Lawrence <dlawrence@mozilla.com> | 2013-08-29 23:25:24 +0200 |
---|---|---|
committer | Dave Lawrence <dlawrence@mozilla.com> | 2013-08-29 23:25:24 +0200 |
commit | 99589d82d943bedcd9a8ade3d91f84d770fcd5c5 (patch) | |
tree | 25d4f8baedfe28e592a7226b4276523423132963 /Bugzilla/WebService/Server | |
parent | bbf877a6b1500f59988245954f40cee5ebec0a85 (diff) | |
Bug 909634 - backport upstream bug 893195 to bmo/4.2 for token auth support in webservices
Diffstat (limited to 'Bugzilla/WebService/Server')
-rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 6 | ||||
-rw-r--r-- | Bugzilla/WebService/Server/REST.pm | 38 | ||||
-rw-r--r-- | Bugzilla/WebService/Server/REST/Resources/User.pm | 10 |
3 files changed, 37 insertions, 17 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 4bf3fb191..109c530b7 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -37,7 +37,7 @@ BEGIN {
use Bugzilla::Error;
use Bugzilla::WebService::Constants;
-use Bugzilla::WebService::Util qw(taint_data);
+use Bugzilla::WebService::Util qw(taint_data fix_credentials);
use Bugzilla::Util;
use HTTP::Message;
@@ -385,6 +385,10 @@ sub _argument_type_check {
}
}
+ # Update the params to allow for several convenience key/values
+ # use for authentication
+ fix_credentials($params);
+
Bugzilla->input_params($params);
if ($self->request->method eq 'POST') {
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index 454749b5d..4145455ec 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -16,7 +16,7 @@ use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::WebService::Constants;
-use Bugzilla::WebService::Util qw(taint_data);
+use Bugzilla::WebService::Util qw(taint_data fix_credentials);
use Bugzilla::Util qw(correct_urlbase html_quote);
# Load resource modules
@@ -69,7 +69,7 @@ sub handle {
my $params = $self->_retrieve_json_params;
- $self->_fix_credentials($params);
+ fix_credentials($params);
# Fix includes/excludes for each call
rest_include_exclude($params);
@@ -131,7 +131,7 @@ sub response {
# If accessing through web browser, then display in readable format
if ($self->content_type eq 'text/html') {
- $result = $self->json->pretty->canonical->encode($result);
+ $result = $self->json->pretty->canonical->allow_nonref->encode($result);
my $template = Bugzilla->template;
$content = "";
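Review bot: The comment introduced above the new `fix_credentials($params)` call in `_argument_type_check` is vague and has a typo (`# use for authentication`), and it should name which keys get rewritten into which, because that rewrite now runs on every JSON-RPC request before `Bugzilla->input_params($params)` and will also touch any API method whose own parameters happen to use those names. The helper's body is not in this diff; the REST `_fix_credentials` it replaces only rewrote when both `username` and `password` were present, and it is worth confirming the shared `Bugzilla::WebService::Util::fix_credentials` keeps that guard rather than consuming a lone `password` or `token` argument. Suggested replacement comment: `# Rewrite the convenience auth keys (login/username, password, token) into the Bugzilla_login/Bugzilla_password/Bugzilla_token params before input_params() sees them; see fix_credentials for the exact rule`. `_argument_type_check` begins before this hunk and continues after it.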
@@ -162,8 +162,15 @@ sub handle_login {
# explicitly gives that site their username and password. (This is
# particularly important for JSONP, which would allow a remote site
# to use private data without the user's knowledge, unless we had this
- # protection in place.)
- if (!grep($_ eq $self->request->method, ('POST', 'PUT'))) {
+ # protection in place.) We do allow this for GET /login as we need to
+ # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we
+ # can also use for Bugzilla_token support. This is OK as it requires
+ # a login and password to be supplied and will fail if they are not
+ # valid for the user.
+ if (!grep($_ eq $self->request->method, ('POST', 'PUT'))
+ && !($self->bz_class_name eq 'Bugzilla::WebService::User'
+ && $self->bz_method_name eq 'login'))
+ {
# XXX There's no particularly good way for us to get a parameter
# to Bugzilla->login at this point, so we pass this information
# around using request_cache, which is a bit of a hack. The
@@ -424,15 +431,6 @@ sub _find_resource {
return $handler_found;
}
-sub _fix_credentials {
- my ($self, $params) = @_;
- # Allow user to pass in &username=foo&password=bar
- if (exists $params->{'username'} && exists $params->{'password'}) {
- $params->{'Bugzilla_login'} = delete $params->{'username'};
- $params->{'Bugzilla_password'} = delete $params->{'password'};
- }
- }
-
sub _best_content_type {
my ($self, @types) = @_;
return ($self->_simple_content_negotiation(@types))[0] || '*/*';
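Review bot: The new carve-out in `handle_login` for GET on `Bugzilla::WebService::User::login` switches off the request_cache protection for that call, and the justification in the added comment — that a login and password must be supplied — is not enforced by anything in this hunk. If `User::login` returns the already-authenticated user (and its token) when `Bugzilla->user` has been established from a cookie before it checks for explicit credentials, a cross-site GET /login via JSONP could obtain a token for a logged-in browser, which is the very case the surrounding comment warns about; that depends on code outside this diff and should be confirmed before relying on the comment's claim. A narrower condition would keep the protection unless explicit credentials are actually present, e.g. `&& exists Bugzilla->input_params->{Bugzilla_login}` appended to the login clause, assuming the rewritten params are reachable at this point (handle_login's signature is outside the hunk). Independently of that, the relaxed path sends the password in a GET query string, so it will show up in access logs, proxies and browser history; the comment should at least acknowledge that trade-off.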
@@ -545,15 +543,23 @@ if you have a Bugzilla account by providing your login credentials.
=over
-=item Username and password
+=item Login name and password
Pass in as query parameters of any request:
-username=fred@bedrock.com&password=ilovewilma
+login=fred@example.com&password=ilovecheese
Remember to URL encode any special characters, which are often seen in passwords and to also enable SSL support.
+=item Login token
+
+By calling GET /login?login=fred@example.com&password=ilovecheese, you get back
+a C<token> value which can then be passed to each subsequent call as
+authentication. This is useful for third party clients that cannot use cookies
+and do not want to store a user's login and password in the client. You can also
+pass in "token" as a convenience.
+
=back
=head1 ERRORS
diff --git a/Bugzilla/WebService/Server/REST/Resources/User.pm b/Bugzilla/WebService/Server/REST/Resources/User.pm
index 9424b517e..0a2fe455f 100644
--- a/Bugzilla/WebService/Server/REST/Resources/User.pm
+++ b/Bugzilla/WebService/Server/REST/Resources/User.pm
@@ -19,6 +19,16 @@ BEGIN {
sub _rest_resources {
my $rest_resources = [
+ qr{^/login$}, {
+ GET => {
+ method => 'login'
+ }
+ },
+ qr{^/logout$}, {
+ GET => {
+ method => 'logout'
+ }
+ },
qr{^/user$}, {
GET => {
method => 'get' |
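Review bot: The new `=item Login token` paragraph documents only `GET /login?login=...&password=...`, which puts the password in the URL where it is recorded by access logs, proxies and browser history, and the existing advice about SSL does not cover that; since the Resources/User.pm hunk in this same commit registers only a GET route for /login, the POD should at least warn about it, and the route table is the place to add a POST handler if one is wanted. The paragraph also says `"token"` may be passed "as a convenience" without ever naming the canonical parameter; the REST.pm comment in this commit calls it `Bugzilla_token`, so state it: `Pass it as Bugzilla_token=... on each call (or token=... as a convenience).` Finally, nothing tells the client that the value is a credential; I would add `Treat the token as you would your password: send it only over SSL and never log or share it.` The token's lifetime and whether /logout invalidates it are not described anywhere in this diff, so I cannot suggest wording for that.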