Auth (Project)
Active · Public

Recent Activity

Sep 4 2020

epriestley triaged T13578: Provide `bin/user approve` to approve an account from the CLI as Wishlist priority.
Sep 4 2020, 5:52 PM · Setup, Auth

May 13 2020

epriestley added a revision to T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body: D21245: Fix an issue where passphrase-protected private keys were stored without discarding passphrases.
May 13 2020, 3:09 PM · Auth

Apr 25 2020

epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

At time of writing, calls to rest/api/3/myself now return this:

Apr 25 2020, 9:04 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21170: Use "rest/api/3/myself" to retrieve JIRA profile details, not "rest/auth/1/session".
Apr 25 2020, 9:01 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

At time of writing, calls to rest/auth/1/session return a result like this:

Apr 25 2020, 8:59 PM · Auth

Apr 24 2020

epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

See private correspondence ("Re: Contributing / Jira Oauth Patch"), which suggests the call to rest/auth/1/session should be (and may urgently need to be) replaced with a call to rest/api/2/myself. See also https://developer.atlassian.com/cloud/jira/platform/deprecation-notice-basic-auth-and-cookie-based-auth/#which-apis-and-methods-will-be-restricted-.

Apr 24 2020, 4:45 AM · Auth

Feb 24 2020

epriestley added a comment to T6703: Allow multiple copies of the same auth provider type.

Couple of notes on the state of affairs here:

Feb 24 2020, 9:27 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21028: Read both email addresses and Google Account IDs from Google OAuth.
Feb 24 2020, 9:23 PM · Auth
epriestley added a comment to T5591: Add default domain to Google auth.

As of early 2020, this change works:

Feb 24 2020, 9:20 PM · Restricted Project, Restricted Project, Auth
epriestley closed T4289: JIRA authenticator JIRA version 5 compatibility as Wontfix.

JIRA did this (changed how accounts are identified) again recently (key is now accountId), see T13493.

Feb 24 2020, 9:10 PM · Auth

Feb 23 2020

epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

I landed everything so far to master. The new behavior in master should be:

Feb 23 2020, 2:01 AM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21023: Read both older "key" and newer "accountId" identifiers from JIRA during authentication.
Feb 23 2020, 1:36 AM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21022: Remove all readers and writers of "accountID" on "ExternalAccount".
Feb 23 2020, 1:20 AM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": Restricted Differential Revision.
Feb 23 2020, 1:17 AM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

I stumbled across what appears to be a very mild security issue in JIRA that impacts this flow. I've reported it to Atlassian's bug bounty program here (this link may or may not be visible to anyone else):

Feb 23 2020, 12:45 AM · Auth

Feb 22 2020

epriestley added a revision to T6703: Allow multiple copies of the same auth provider type: D21019: Remove all readers and all nontrivial writers for "accountType" and "accountDomain" on "ExternalAccount".
Feb 22 2020, 10:30 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21019: Remove all readers and all nontrivial writers for "accountType" and "accountDomain" on "ExternalAccount".
Feb 22 2020, 10:30 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

This change sequence is almost ready to remove readers and writers to accountID, but there's still a unique <accountType, accountDomain, accountID> key on the table. Removing accountID writers completely will mean that the second user to link an account of a particular type (say, an Asana account) will run into a unique key error (since they'll write a second "Asana" account with the same empty accountID as the first "Asana" account).

Feb 22 2020, 8:54 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21018: Update Asana feed publishing integration for "ExternalAccountIdentifier".
Feb 22 2020, 6:28 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21017: Migrate all "accountID" values to "ExternalAccountIdentifier" objects.
Feb 22 2020, 4:56 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21015: Make AuthProvider, ExternalAccount, and ExternalAccountIdentifier all Destructible.
Feb 22 2020, 3:19 AM · Auth

Feb 21 2020

epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21014: Update unusual handling of external accounts in "Password" auth provider.
Feb 21 2020, 3:54 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21013: Make external account identifier APIs return multiple identifiers.
Feb 21 2020, 3:23 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21012: Remove an ancient no-op check for duplicated external accounts.
Feb 21 2020, 12:11 AM · Auth

Feb 20 2020

epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21011: Add an "ExternalAccountIdentifier" table.
Feb 20 2020, 10:21 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21010: Stop exposing raw "accountID" values directly in the web UI.
Feb 20 2020, 9:33 PM · Auth
epriestley added a revision to T13493: JIRA API has changed identifiers from "key" to "accountId": D21007: Remove old code for sending email to external users who create objects via inbound mail.
Feb 20 2020, 8:29 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

These callers use accountId:

Feb 20 2020, 8:24 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

I think the patch above is a piece of the solution here, but makes behavior worse for some installs: installs with a version of JIRA which returns both key and accountId will have worse behavior under the patch than without it (since it will break all the existing account links immediately). It also doesn't smoothly migrate these installs, even though it's theoretically easy/desirable to do that.

Feb 20 2020, 5:43 PM · Auth

Feb 19 2020

epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".
IMPORTANT: Do not apply this patch or run this script after updating to any version containing D21017 (Feb 22). They are only applicable to older versions of Phabricator.
Feb 19 2020, 11:11 PM · Auth
epriestley added a comment to T13493: JIRA API has changed identifiers from "key" to "accountId".

When a user logs in to "new" JIRA, we also can't easily tell if they have an existing account link based on the presence of an accountId.

Feb 19 2020, 9:00 PM · Auth
epriestley renamed T13493: JIRA API has changed identifiers from "key" to "accountId" from JIRA API has changed identifiers from "accountId" to "key" to JIRA API has changed identifiers from "key" to "accountId".
Feb 19 2020, 8:36 PM · Auth
epriestley triaged T13493: JIRA API has changed identifiers from "key" to "accountId" as Normal priority.
Feb 19 2020, 8:26 PM · Auth

Feb 4 2020

epriestley closed T13485: Update GitHub integration for "access_token" deprecation changes as Resolved by committing rP0f1acb6cef1d: Update GitHub API calls to use "Authorization" header instead of "access_token"….
Feb 4 2020, 3:58 PM · Auth
epriestley added a revision to T13485: Update GitHub integration for "access_token" deprecation changes: D20964: Update GitHub API calls to use "Authorization" header instead of "access_token" URI parameter.
Feb 4 2020, 3:51 PM · Auth
epriestley added a comment to T13485: Update GitHub integration for "access_token" deprecation changes.

The actual replacement is Authorization: token <token>, I believe:

Feb 4 2020, 3:47 PM · Auth
epriestley triaged T13485: Update GitHub integration for "access_token" deprecation changes as Low priority.
Feb 4 2020, 2:39 PM · Auth

Jan 30 2020

epriestley closed T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body as Resolved.

I think D20905 is as good as we're going to get.

Jan 30 2020, 4:44 PM · Auth
epriestley closed T13475: Fix incorrect MFA badge on some stories when MFA is not configured at all as Resolved by committing rP12c337098872: When issuing a "no-op" MFA token because no MFA is configured, don't give the….
Jan 30 2020, 3:35 PM · Auth
epriestley added a revision to T13475: Fix incorrect MFA badge on some stories when MFA is not configured at all: D20958: When issuing a "no-op" MFA token because no MFA is configured, don't give the timeline story a badge.
Jan 30 2020, 3:33 PM · Auth

Jan 15 2020

epriestley closed T13453: Update Asana Auth Adapter for "gid" API changes as Resolved.

These changes seem to have stuck.

Jan 15 2020, 2:40 AM · Asana, Auth
epriestley triaged T13475: Fix incorrect MFA badge on some stories when MFA is not configured at all as Low priority.
Jan 15 2020, 2:28 AM · Auth

Nov 13 2019

epriestley closed T13006: Passphrase can't distinguish between correct, mangled, and passphrase-encoded SSH keys, a subtask of T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body, as Resolved.
Nov 13 2019, 6:19 PM · Auth
epriestley added a revision to T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body: D20905: Correctly identify more SSH private key problems as "formatting" or "passphrase" related.
Nov 13 2019, 6:17 PM · Auth
epriestley added a subtask for T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body: T13006: Passphrase can't distinguish between correct, mangled, and passphrase-encoded SSH keys.
Nov 13 2019, 6:12 PM · Auth
epriestley added a comment to T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body.

On Ubuntu 14, the messages are a little less helpful:

Nov 13 2019, 4:01 AM · Auth
epriestley updated the task description for T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body.
Nov 13 2019, 3:11 AM · Auth

Nov 11 2019

epriestley added a revision to T13123: Plans: Improve SSH key parsing and handling: D20904: Perform a more sophisticated test for private keys with credentials.
Nov 11 2019, 7:19 PM · Plans, Auth
epriestley added a revision to T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body: D20904: Perform a more sophisticated test for private keys with credentials.
Nov 11 2019, 7:19 PM · Auth
epriestley triaged T13454: Handle password-protected SSH keys with no "ENCRYPTED" text in the key body as Low priority.
Nov 11 2019, 7:15 PM · Auth