
Auth (Project)
Active · Public

Watchers

  • This project does not have any watchers.

Recent Activity

Yesterday

epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

I landed everything so far to master. The new behavior in master should be:

Sun, Feb 23, 2:01 AM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21023: Read both older "key" and newer "accountId" identifiers from JIRA during authentication.
Sun, Feb 23, 1:36 AM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21022: Remove all readers and writers of "accountID" on "ExternalAccount".
Sun, Feb 23, 1:20 AM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": Restricted Differential Revision.
Sun, Feb 23, 1:17 AM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

I stumbled across what appears to be a very mild security issue in JIRA that impacts this flow. I've reported it to Atlassian's bug bounty program here (this link may or may not be visible to anyone else):

Sun, Feb 23, 12:45 AM · Auth

Sat, Feb 22

epriestley added a revision to T6703: Allow multiple copies of the same auth provider type: D21019: Remove all readers and all nontrivial writers for "accountType" and "accountDomain" on "ExternalAccount".
Sat, Feb 22, 10:30 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21019: Remove all readers and all nontrivial writers for "accountType" and "accountDomain" on "ExternalAccount".
Sat, Feb 22, 10:30 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

This change sequence is almost ready to remove readers and writers to accountID, but there's still a unique <accountType, accountDomain, accountID> key on the table. Removing accountID writers completely will mean that the second user to link an account of a particular type (say, an Asana account) will run into a unique key error (since they'll write a second "Asana" account with the same empty accountID as the first "Asana" account).

Sat, Feb 22, 8:54 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21018: Update Asana feed publishing integration for "ExternalAccountIdentifier".
Sat, Feb 22, 6:28 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21017: Migrate all "accountID" values to "ExternalAccountIdentifier" objects.
Sat, Feb 22, 4:56 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21015: Make AuthProvider, ExternalAccount, and ExternalAccountIdentifier all Destructible.
Sat, Feb 22, 3:19 AM · Auth

Fri, Feb 21

epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21014: Update unusual handling of external accounts in "Password" auth provider.
Fri, Feb 21, 3:54 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21013: Make external account identifier APIs return multiple identifiers.
Fri, Feb 21, 3:23 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21012: Remove an ancient no-op check for duplicated external accounts.
Fri, Feb 21, 12:11 AM · Auth

Thu, Feb 20

epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21011: Add an "ExternalAccountIdentifier" table.
Thu, Feb 20, 10:21 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21010: Stop exposing raw "accountID" values directly in the web UI.
Thu, Feb 20, 9:33 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21007: Remove old code for sending email to external users who create objects via inbound mail.
Thu, Feb 20, 8:29 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

These callers use accountId:

Thu, Feb 20, 8:24 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

I think the patch above is a piece of the solution here, but makes behavior worse for some installs: installs with a version of JIRA which returns both key and accountId will have worse behavior under the patch than without it (since it will break all the existing account links immediately). It also doesn't smoothly migrate these installs, even though it's theoretically easy/desirable to do that.

Thu, Feb 20, 5:43 PM · Auth

Wed, Feb 19

epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

If you're feeling ambitious, here's a likely patch:

Wed, Feb 19, 11:11 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

When a user logs in to "new" JIRA, we also can't easily tell if they have an existing account link based on the presence of an accountId.

Wed, Feb 19, 9:00 PM · Auth
epriestley renamed T13493: JIRA API has changed identifiers from "key" to "accountId" from JIRA API has changed identifiers from "accountId" to "key" to JIRA API has changed identifiers from "key" to "accountId".
Wed, Feb 19, 8:36 PM · Auth
epriestley triaged T13493: JIRA API has changed identifiers from "key" to "accountId" as Normal priority.
Wed, Feb 19, 8:26 PM · Auth

Tue, Feb 4

epriestley closed T13485: Update GitHub integration for "access_token" deprecation changes as Resolved by committing rP0f1acb6cef1d: Update GitHub API calls to use "Authorization" header instead of "access_token"….
Tue, Feb 4, 3:58 PM · Auth
epriestley added a revision to T13485: Update GitHub integration for "access_token" deprecation changes: D20964: Update GitHub API calls to use "Authorization" header instead of "access_token" URI parameter.
Tue, Feb 4, 3:51 PM · Auth
epriestley added a comment to T13485: Update GitHub integration for "access_token" deprecation changes.

The actual replacement is Authorization: token <token>, I believe:

Tue, Feb 4, 3:47 PM · Auth
epriestley triaged T13485: Update GitHub integration for "access_token" deprecation changes as Low priority.
Tue, Feb 4, 2:39 PM · Auth

Thu, Jan 30

epriestley closed T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body as Resolved.

I think D20905 is as good as we're going to get.

Thu, Jan 30, 4:44 PM · Auth
epriestley closed T13475: Fix incorrect MFA badge on some stories when MFA is not configured at all as Resolved by committing rP12c337098872: When issuing a "no-op" MFA token because no MFA is configured, don't give the….
Thu, Jan 30, 3:35 PM · Auth
epriestley added a revision to T13475: Fix incorrect MFA badge on some stories when MFA is not configured at all: D20958: When issuing a "no-op" MFA token because no MFA is configured, don't give the timeline story a badge.
Thu, Jan 30, 3:33 PM · Auth

Jan 15 2020

epriestley closed T13453: Update Asana Auth Adapter for "gid" API changes as Resolved.

These changes seem to have stuck.

Jan 15 2020, 2:40 AM · Asana, Auth
epriestley triaged T13475: Fix incorrect MFA badge on some stories when MFA is not configured at all as Low priority.
Jan 15 2020, 2:28 AM · Auth

Nov 13 2019

epriestley closed T13006: Passphrase can't distinguish between correct, mangled, and passphrase-encoded SSH keys, a subtask of T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body, as Resolved.
Nov 13 2019, 6:19 PM · Auth
epriestley added a revision to T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body: D20905: Correctly identify more SSH private key problems as "formatting" or "passphrase" related.
Nov 13 2019, 6:17 PM · Auth
epriestley added a subtask for T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body: T13006: Passphrase can't distinguish between correct, mangled, and passphrase-encoded SSH keys.
Nov 13 2019, 6:12 PM · Auth
epriestley added a comment to T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body.

On Ubuntu 14, the messages are a little less helpful:

Nov 13 2019, 4:01 AM · Auth
epriestley updated the task description for T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body.
Nov 13 2019, 3:11 AM · Auth

Nov 11 2019

epriestley added a revision to T13123: Plans: Improve SSH key parsing and handling: D20904: Perform a more sophisticated test for private keys with credentials.
Nov 11 2019, 7:19 PM · Plans, Auth
epriestley added a revision to T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body: D20904: Perform a more sophisticated test for private keys with credentials.
Nov 11 2019, 7:19 PM · Auth
epriestley triaged T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body as Low priority.
Nov 11 2019, 7:15 PM · Auth

Nov 8 2019

epriestley added a revision to T13453: Update Asana Auth Adapter for "gid" API changes: D20900: Update various Asana odds-and-ends for "gid" API changes.
Nov 8 2019, 5:01 PM · Asana, Auth
epriestley added a revision to T13453: Update Asana Auth Adapter for "gid" API changes: D20899: Update Asana Auth adapter for "gid" API changes.
Nov 8 2019, 5:00 PM · Asana, Auth
epriestley added a comment to T13453: Update Asana Auth Adapter for "gid" API changes.

This may also impact the Doorkeeper integration, which reads "id" fields from a few calls.

Nov 8 2019, 4:45 PM · Asana, Auth
epriestley triaged T13453: Update Asana Auth Adapter for "gid" API changes as Wishlist priority.
Nov 8 2019, 4:44 PM · Asana, Auth

Oct 28 2019

leoluk added a comment to T8787: Add support for U2F MFA once browser implementations improve and compatible hardware is more widely available.

Agreed that supporting YubiKey OTP is pointless - it's impractical and basically a dead legacy feature at this point. WebAuthn has emerged as the de facto standard for hardware tokens.

Oct 28 2019, 11:36 AM · Haskell.org, Auth

Oct 25 2019

epriestley closed T13433: Continue showing custom login instructions on provider-specific login screens as Resolved by committing rP633aa5288c58: Persist login instructions onto flow-specific login pages (username/password….
Oct 25 2019, 1:38 AM · Auth
epriestley added a revision to T13433: Continue showing custom login instructions on provider-specific login screens: D20863: Persist login instructions onto flow-specific login pages (username/password and LDAP).
Oct 25 2019, 1:07 AM · Auth
epriestley triaged T13433: Continue showing custom login instructions on provider-specific login screens as Low priority.
Oct 25 2019, 12:56 AM · Auth

Sep 24 2019

epriestley closed T13420: Update "Change Username" to make it more friendly for non-administrators as Resolved by committing rP6af776f84a66: Allow installs to provide "Request a Username Change" instructions.
Sep 24 2019, 6:09 PM · People, Auth
epriestley added a revision to T13420: Update "Change Username" to make it more friendly for non-administrators: D20828: Allow installs to provide "Request a Username Change" instructions.
Sep 24 2019, 5:51 PM · People, Auth