summaryrefslogtreecommitdiffstats
path: root/Bugzilla/WebService/Server
diff options
context:
space:
mode:
authorDave Lawrence <dlawrence@mozilla.com>2013-08-29 23:25:24 +0200
committerDave Lawrence <dlawrence@mozilla.com>2013-08-29 23:25:24 +0200
commit99589d82d943bedcd9a8ade3d91f84d770fcd5c5 (patch)
tree25d4f8baedfe28e592a7226b4276523423132963 /Bugzilla/WebService/Server
parentbbf877a6b1500f59988245954f40cee5ebec0a85 (diff)
downloadbugzilla-99589d82d943bedcd9a8ade3d91f84d770fcd5c5.tar.gz
bugzilla-99589d82d943bedcd9a8ade3d91f84d770fcd5c5.tar.xz
Bug 909634 - backport upstream bug 893195 to bmo/4.2 for token auth support in webservices
Diffstat (limited to 'Bugzilla/WebService/Server')
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm6
-rw-r--r--Bugzilla/WebService/Server/REST.pm38
-rw-r--r--Bugzilla/WebService/Server/REST/Resources/User.pm10
3 files changed, 37 insertions, 17 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 4bf3fb191..109c530b7 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -37,7 +37,7 @@ BEGIN {
use Bugzilla::Error;
use Bugzilla::WebService::Constants;
-use Bugzilla::WebService::Util qw(taint_data);
+use Bugzilla::WebService::Util qw(taint_data fix_credentials);
use Bugzilla::Util;
use HTTP::Message;
@@ -385,6 +385,10 @@ sub _argument_type_check {
}
}
+ # Update the params to allow for several convenience key/values
+ # use for authentication
+ fix_credentials($params);
+
Bugzilla->input_params($params);
if ($self->request->method eq 'POST') {
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index 454749b5d..4145455ec 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -16,7 +16,7 @@ use Bugzilla;
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::WebService::Constants;
-use Bugzilla::WebService::Util qw(taint_data);
+use Bugzilla::WebService::Util qw(taint_data fix_credentials);
use Bugzilla::Util qw(correct_urlbase html_quote);
# Load resource modules
@@ -69,7 +69,7 @@ sub handle {
my $params = $self->_retrieve_json_params;
- $self->_fix_credentials($params);
+ fix_credentials($params);
# Fix includes/excludes for each call
rest_include_exclude($params);
@@ -131,7 +131,7 @@ sub response {
# If accessing through web browser, then display in readable format
if ($self->content_type eq 'text/html') {
- $result = $self->json->pretty->canonical->encode($result);
+ $result = $self->json->pretty->canonical->allow_nonref->encode($result);
my $template = Bugzilla->template;
$content = "";
@@ -162,8 +162,15 @@ sub handle_login {
# explicitly gives that site their username and password. (This is
# particularly important for JSONP, which would allow a remote site
# to use private data without the user's knowledge, unless we had this
- # protection in place.)
- if (!grep($_ eq $self->request->method, ('POST', 'PUT'))) {
+ # protection in place.) We do allow this for GET /login as we need to
+ # for Bugzilla::Auth::Persist::Cookie to create a login cookie that we
+ # can also use for Bugzilla_token support. This is OK as it requires
+ # a login and password to be supplied and will fail if they are not
+ # valid for the user.
+ if (!grep($_ eq $self->request->method, ('POST', 'PUT'))
+ && !($self->bz_class_name eq 'Bugzilla::WebService::User'
+ && $self->bz_method_name eq 'login'))
+ {
# XXX There's no particularly good way for us to get a parameter
# to Bugzilla->login at this point, so we pass this information
# around using request_cache, which is a bit of a hack. The
@@ -424,15 +431,6 @@ sub _find_resource {
return $handler_found;
}
-sub _fix_credentials {
- my ($self, $params) = @_;
- # Allow user to pass in &username=foo&password=bar
- if (exists $params->{'username'} && exists $params->{'password'}) {
- $params->{'Bugzilla_login'} = delete $params->{'username'};
- $params->{'Bugzilla_password'} = delete $params->{'password'};
- }
-}
-
sub _best_content_type {
my ($self, @types) = @_;
return ($self->_simple_content_negotiation(@types))[0] || '*/*';
@@ -545,15 +543,23 @@ if you have a Bugzilla account by providing your login credentials.
=over
-=item Username and password
+=item Login name and password
Pass in as query parameters of any request:
-username=fred@bedrock.com&password=ilovewilma
+login=fred@example.com&password=ilovecheese
Remember to URL encode any special characters, which are often seen in passwords and to
also enable SSL support.
+=item Login token
+
+By calling GET /login?login=fred@example.com&password=ilovecheese, you get back
+a C<token> value which can then be passed to each subsequent call as
+authentication. This is useful for third party clients that cannot use cookies
+and do not want to store a user's login and password in the client. You can also
+pass in "token" as a convenience.
+
=back
=head1 ERRORS
diff --git a/Bugzilla/WebService/Server/REST/Resources/User.pm b/Bugzilla/WebService/Server/REST/Resources/User.pm
index 9424b517e..0a2fe455f 100644
--- a/Bugzilla/WebService/Server/REST/Resources/User.pm
+++ b/Bugzilla/WebService/Server/REST/Resources/User.pm
@@ -19,6 +19,16 @@ BEGIN {
sub _rest_resources {
my $rest_resources = [
+ qr{^/login$}, {
+ GET => {
+ method => 'login'
+ }
+ },
+ qr{^/logout$}, {
+ GET => {
+ method => 'logout'
+ }
+ },
qr{^/user$}, {
GET => {
method => 'get'