Bug 2053269 - BMO API bugzilla.login helper needs to support Bugzilla_api_token + cookie for authenication support#2662
Open
dklawren wants to merge 2 commits into
Open
Bug 2053269 - BMO API bugzilla.login helper needs to support Bugzilla_api_token + cookie for authenication support#2662dklawren wants to merge 2 commits into
dklawren wants to merge 2 commits into
Conversation
…_api_token + cookie for authenication support
There was a problem hiding this comment.
Pull request overview
This PR updates the Mojolicious native REST authentication path to support the web UI’s “login cookie + Bugzilla_api_token” mechanism (in addition to existing API key header auth), aligning native endpoints with the legacy WebService cookie-auth behavior and preventing unexpected 401s for browser-originated REST calls.
Changes:
- Extend
Bugzilla::App::Plugin::Logincookie authentication to also apply inUSAGE_MODE_MOJO_REST, requiring/validatingBugzilla_api_tokenas a CSRF guard. - Throw a structured
auth_invalid_tokenerror (with rate limiting) when the token is invalid/mismatched. - Add a new REST QA test that exercises unauthenticated, API key, cookie+token, cookie-without-token, and invalid-token flows against a login-required native endpoint.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
Bugzilla/App/Plugin/Login.pm |
Adds MOJO_REST cookie auth support gated by Bugzilla_api_token, mirroring legacy REST cookie auth semantics. |
qa/t/rest_native_login.t |
New QA test covering native Mojolicious REST authentication paths including the cookie+token browser flow. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug 2043733's native Mojo REST endpoint authenticates via the bugzilla.login helper (Bugzilla::App::Plugin::Login), which didn't understand the web UI's Bugzilla_api_token mechanism — so browser-originated requests (login cookie + Bugzilla_api_token query param, as sent by Bugzilla.API in JS) got a 401.
Fix — Bugzilla/App/Plugin/Login.pm
ThrowUserError works here because MOJO_REST sets ERROR_MODE_MOJO, which stashes the error and lets the app render it as JSON.
New test — qa/t/rest_native_login.t
A generic auth test (not tied to any feature) that drives a login-required native-Mojo REST endpoint (rest/search/needinfo_last_seen) and verifies all four paths: no-auth → 401, X-Bugzilla-API-Key header → 200, browser login cookie + Bugzilla_api_token → 200, cookie-without-token → 401, and invalid token → 400. It performs a real browser login over HTTP and reads the token from the page's #bugzilla-global config.