Skip to content

Bug 2053269 - BMO API bugzilla.login helper needs to support Bugzilla_api_token + cookie for authenication support#2662

Open
dklawren wants to merge 2 commits into
mozilla-bteam:masterfrom
dklawren:2053269
Open

Bug 2053269 - BMO API bugzilla.login helper needs to support Bugzilla_api_token + cookie for authenication support#2662
dklawren wants to merge 2 commits into
mozilla-bteam:masterfrom
dklawren:2053269

Conversation

@dklawren

@dklawren dklawren commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Bug 2043733's native Mojo REST endpoint authenticates via the bugzilla.login helper (Bugzilla::App::Plugin::Login), which didn't understand the web UI's Bugzilla_api_token mechanism — so browser-originated requests (login cookie + Bugzilla_api_token query param, as sent by Bugzilla.API in JS) got a 401.

Fix — Bugzilla/App/Plugin/Login.pm

  • Added use Bugzilla::Error; and use Bugzilla::Token;.
  • Extended the cookie branch to also handle USAGE_MODE_MOJO_REST, mirroring the legacy Bugzilla::Auth::Login::Cookie (56-78):
    • If a Bugzilla_api_token param is present, validate it via GetTokenData — it must be an api_token whose userid matches the login cookie's user, else rate-limit + ThrowUserError('auth_invalid_token').
    • Login cookie present but no api-token → clear the cookie (REST requires the token as a CSRF guard), falling back to unauthenticated.
    • Valid cookie + token then flows through the existing DB cookie verification.

ThrowUserError works here because MOJO_REST sets ERROR_MODE_MOJO, which stashes the error and lets the app render it as JSON.

New test — qa/t/rest_native_login.t

A generic auth test (not tied to any feature) that drives a login-required native-Mojo REST endpoint (rest/search/needinfo_last_seen) and verifies all four paths: no-auth → 401, X-Bugzilla-API-Key header → 200, browser login cookie + Bugzilla_api_token → 200, cookie-without-token → 401, and invalid token → 400. It performs a real browser login over HTTP and reads the token from the page's #bugzilla-global config.

…_api_token + cookie for authenication support

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Mojolicious native REST authentication path to support the web UI’s “login cookie + Bugzilla_api_token” mechanism (in addition to existing API key header auth), aligning native endpoints with the legacy WebService cookie-auth behavior and preventing unexpected 401s for browser-originated REST calls.

Changes:

  • Extend Bugzilla::App::Plugin::Login cookie authentication to also apply in USAGE_MODE_MOJO_REST, requiring/validating Bugzilla_api_token as a CSRF guard.
  • Throw a structured auth_invalid_token error (with rate limiting) when the token is invalid/mismatched.
  • Add a new REST QA test that exercises unauthenticated, API key, cookie+token, cookie-without-token, and invalid-token flows against a login-required native endpoint.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
Bugzilla/App/Plugin/Login.pm Adds MOJO_REST cookie auth support gated by Bugzilla_api_token, mirroring legacy REST cookie auth semantics.
qa/t/rest_native_login.t New QA test covering native Mojolicious REST authentication paths including the cookie+token browser flow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread qa/t/rest_native_login.t
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants