Page MenuHomePhabricator

Verify OAuth callback URL with registered prefix
Closed, ResolvedPublic

Description

The ToolforgeBundle currently accepts any callback query string parameter and uses it for the OAuth initialization. However, if it doesn't match the URL prefix as registered on Meta, errors like the following are thrown:

Uncaught PHP Exception MediaWiki\OAuthClient\Exception: "Server returned error: oauth_callback must be set, and must be set to "oob" (case-sensitive), or the configured callback must be a prefix of the supplied callback." at /mnt/nfs/labstore-secondary-tools-project/svgtranslate/app/vendor/mediawiki/oauthclient/src/Client.php line 148

We could avoid this by adding a new config variable with which to compare the passed callback value, and if the value doesn't match just default to the unsuffixed URL.

Event Timeline

Restricted Application added a project: Community-Tech. · View Herald TranscriptAug 8 2019, 12:53 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

This has been fixed in the ToolforgeBundle, and svgtranslate updated (both staging and production).

dom_walden added a subscriber: dom_walden.

The problematic URL:
https://tools.wmflabs.org/svgtranslate/login?callback=http%3A%2F%2Ftools.wmflabs.org%2Fsvgtranslate%2Foauth_callback%3Fredirect%3Dhttp%3A%2F%2Ftools.wmflabs.org%2Fsvgtranslate%2FFile%3ACloud_types_en.svg

Just takes you to the regular meta login page then redirects you back to the svgtranslate front page.

This happens on both staging and production.

Other invalid input to the callback has the same outcome.

With valid input, you are redirected to the image page (as before).

ifried closed this task as Resolved.Aug 28 2019, 5:58 PM