search

plone / plone.restapi

RESTful API for Plone.
http://plonerestapi.readthedocs.org/
84 stars 73 forks source link

extractCredentials: do not read json from the request. #1727

Closed mauritsvanrees closed 8 months ago

mauritsvanrees commented 8 months ago

The result was never used, and it may fail when the request is too large to read. This is a problem since at least Zope 5.8.4, introduced in Plone 6.0.7. See https://github.com/plone/Products.CMFPlone/issues/3848 and https://github.com/zopefoundation/Zope/pull/1180.

This PR is an alternative to https://github.com/plone/plone.restapi/pull/1726. See discussion there.

netlify[bot] commented 8 months ago

Deploy Preview for plone-restapi canceled.

Name Link
Latest commit 67fe0c55d99a363cecafe95750072e93a111b42e
Latest deploy log https://app.netlify.com/sites/plone-restapi/deploys/6541263e55b9e400080d6067
mister-roboto commented 8 months ago

@mauritsvanrees thanks for creating this Pull Request and helping to improve Plone!

TL;DR: Finish pushing changes, pass all other checks, then paste a comment:

@jenkins-plone-org please run jobs

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.

Happy hacking!

mauritsvanrees commented 8 months ago

This fails because in the test_api_login_grants_zmi test we get an Unauthorised.

What this test tries to do, and what no longer works with this PR:

When I instead request /manage_workspace on the Plone root, it does work. The initial response of the @login POST does have an __ac cookie, and its path is /, so that should not be the problem. But something more happened before, that no longer happens if we remove these lines.

It has to do with ZODBUserManager.authenticateCredentials which does not mind that it receives credentials from a different plugin, like ours. It happily uses them, and the Zope root acl_users would authenticate us, as it finds the admin user. But now that our extractCredentials no longer passes on these credentials, no user is found.

The @login endpoint still does something that makes the user be authenticated in Plone, but it no longer works on the Zope root level.

So I guess this approach is not good enough. What do you think @davisagli ?

davisagli commented 8 months ago

@mauritsvanrees Okay, makes sense: we need to extract the credentials in a PAS extract credentials plugin so that they are available for use by other authenticateCredentials plugins.

I still kind of feel like this would belong more cleanly in a separate plugin, since it is not really directly related to authenticating a JWT token. But let's leave it for now.