Page MenuHomePhabricator
Create Task
Maniphest T230085

Verify OAuth callback URL with registered prefix
Closed, ResolvedPublic
Actions

Description

The ToolforgeBundle currently accepts any callback query string parameter and uses it for the OAuth initialization. However, if it doesn't match the URL prefix as registered on Meta, errors like the following are thrown:

Uncaught PHP Exception MediaWiki\OAuthClient\Exception: "Server returned error: oauth_callback must be set, and must be set to "oob" (case-sensitive), or the configured callback must be a prefix of the supplied callback." at /mnt/nfs/labstore-secondary-tools-project/svgtranslate/app/vendor/mediawiki/oauthclient/src/Client.php line 148

We could avoid this by adding a new config variable with which to compare the passed callback value, and if the value doesn't match just default to the unsuffixed URL.

Related Objects

Event Timeline

Samwilson created this task.Aug 8 2019, 12:53 AM
Restricted Application added a project: Community-Tech. · View Herald TranscriptAug 8 2019, 12:53 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Samwilson claimed this task.Aug 8 2019, 3:33 AM
Samwilson edited projects, added Community-Tech (Kanban (Q1 2019-20)); removed Community-Tech.

PR: https://github.com/wikimedia/ToolforgeBundle/pull/27

Samwilson moved this task from Ready to Needs Review/Feedback on the Community-Tech (Kanban (Q1 2019-20)) board.Aug 8 2019, 3:33 AM
Samwilson mentioned this in T223769: [BUG] Log-in https://tools.wmflabs.org/svgtranslate/ does not work.Aug 8 2019, 3:40 AM
JoKalliauer subscribed.Aug 12 2019, 3:19 PM
Samwilson moved this task from Needs Review/Feedback to QA on the Community-Tech (Kanban (Q1 2019-20)) board.Aug 14 2019, 2:28 AM

This has been fixed in the ToolforgeBundle, and svgtranslate updated (both staging and production).

dom_walden moved this task from QA to Product sign-off on the Community-Tech (Kanban (Q1 2019-20)) board.Aug 14 2019, 3:39 PM
dom_walden subscribed.

The problematic URL:
https://tools.wmflabs.org/svgtranslate/login?callback=http%3A%2F%2Ftools.wmflabs.org%2Fsvgtranslate%2Foauth_callback%3Fredirect%3Dhttp%3A%2F%2Ftools.wmflabs.org%2Fsvgtranslate%2FFile%3ACloud_types_en.svg

Just takes you to the regular meta login page then redirects you back to the svgtranslate front page.

This happens on both staging and production.

Other invalid input to the callback has the same outcome.

With valid input, you are redirected to the image page (as before).

ifried closed this task as Resolved.Aug 28 2019, 5:58 PM
ifried moved this task from Product sign-off to Done on the Community-Tech (Kanban (Q1 2019-20)) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL