Page MenuHomePhabricator
Create Task
Maniphest T262712

Status 405 Method Not Allowed on /oauth2/request/profile with OPTIONS
Closed, ResolvedPublic
Actions

Description

The endpoint for fetching the user profile returns a 405 Method Not Allowed when hit with OPTIONS.

Since OPTIONS is used for pre-flight verification for CORS, this makes the endpoint unreachable from the browser.

Details

SubjectRepoBranchLines +/-
Handle CORS preflight request and prevent anon users from unsafe methodsmediawiki/coremaster+1 K -97
Customize query in gerrit

Event Timeline

eprodromou created this task.Sep 11 2020, 6:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 11 2020, 6:56 PM
eprodromou triaged this task as High priority.Sep 14 2020, 3:35 PM
Helga_sf moved this task from Backlog to Current sprint Backlog on the Platform Team Workboards (S&F Workboard) board.Sep 14 2020, 3:39 PM
eprodromou edited projects, added Platform Engineering; removed Platform Team Workboards (S&F Workboard).Sep 14 2020, 3:45 PM

I'm kicking this over to PET so we can review it for the correct routing. It's a bug in our OAuth implementation, so we could manage it either in Clinic Duty, Green Team, or Contractors Workboard. In any event, this is a real problem for the API Gateway.

eprodromou added a comment.Sep 14 2020, 3:46 PM

I also wonder if there's a mechanism to handle OPTIONS requests automatically in our REST Router code. If not, maybe we should add it. If so, it'd be interesting to find out why it doesn't apply for this endpoint.

Pchelolo subscribed.Sep 14 2020, 3:52 PM

Will be fixed when https://gerrit.wikimedia.org/r/c/mediawiki/core/+/621900 is landed.

Helga_sf subscribed.Sep 15 2020, 12:08 PM
gerritbot added a comment.Sep 15 2020, 8:31 PM

Change 621900 had a related patch set uploaded (by Daniel Kinzler; owner: Dbarratt):
[mediawiki/core@master] Handle CORS preflight request and prevent anon users from unsafe methods

https://gerrit.wikimedia.org/r/621900

eprodromou edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Engineering.Sep 15 2020, 8:31 PM
gerritbot added a project: Patch-For-Review.Sep 15 2020, 8:31 PM
gerritbot added a comment.Sep 21 2020, 11:57 PM

Change 621900 merged by BPirkle:
[mediawiki/core@master] Handle CORS preflight request and prevent anon users from unsafe methods

https://gerrit.wikimedia.org/r/621900

Maintenance_bot removed a project: Patch-For-Review.Sep 22 2020, 12:10 AM
Aklapper added a comment.Sep 23 2020, 2:55 PM
In T262712#6459271, @Pchelolo wrote:

Will be fixed when https://gerrit.wikimedia.org/r/c/mediawiki/core/+/621900 is landed.

Patch has been merged yesterday.

Clarakosi moved this task from External Code Review Needed to External Code Review Completed on the Platform Team Workboards (External Code Reviews) board.Sep 23 2020, 3:08 PM
Pppery closed this task as Resolved.Apr 4 2024, 4:47 AM
Pppery subscribed.
In T262712#6487599, @Aklapper wrote:
In T262712#6459271, @Pchelolo wrote:

Will be fixed when https://gerrit.wikimedia.org/r/c/mediawiki/core/+/621900 is landed.

Patch has been merged yesterday.

Three years later, assuming this is resolved.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits