Closed mauritsvanrees closed 8 months ago
Name | Link |
---|---|
Latest commit | 67fe0c55d99a363cecafe95750072e93a111b42e |
Latest deploy log | https://app.netlify.com/sites/plone-restapi/deploys/6541263e55b9e400080d6067 |
@mauritsvanrees thanks for creating this Pull Request and helping to improve Plone!
TL;DR: Finish pushing changes, pass all other checks, then paste a comment:
@jenkins-plone-org please run jobs
To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.
Happy hacking!
This fails because in the test_api_login_grants_zmi
test we get an Unauthorised.
What this test tries to do, and what no longer works with this PR:
@login
endpoint with login and password./manage_workspace
on the Zope root, with the __ac
cookie that is set.When I instead request /manage_workspace
on the Plone root, it does work. The initial response of the @login
POST does have an __ac
cookie, and its path is /
, so that should not be the problem. But something more happened before, that no longer happens if we remove these lines.
It has to do with ZODBUserManager.authenticateCredentials
which does not mind that it receives credentials from a different plugin, like ours. It happily uses them, and the Zope root acl_users
would authenticate us, as it finds the admin user. But now that our extractCredentials
no longer passes on these credentials, no user is found.
The @login
endpoint still does something that makes the user be authenticated in Plone, but it no longer works on the Zope root level.
So I guess this approach is not good enough. What do you think @davisagli ?
@mauritsvanrees Okay, makes sense: we need to extract the credentials in a PAS extract credentials plugin so that they are available for use by other authenticateCredentials plugins.
I still kind of feel like this would belong more cleanly in a separate plugin, since it is not really directly related to authenticating a JWT token. But let's leave it for now.
The result was never used, and it may fail when the request is too large to read. This is a problem since at least Zope 5.8.4, introduced in Plone 6.0.7. See https://github.com/plone/Products.CMFPlone/issues/3848 and https://github.com/zopefoundation/Zope/pull/1180.
This PR is an alternative to https://github.com/plone/plone.restapi/pull/1726. See discussion there.