Use a token with the 'config' scope for the user config request
ClosedPublic
Actions

Authored by mollekopf on Tue, May 12, 6:18 AM.

Project Tags

None

Referenced Files

	F125411904: D5884.1779459719.diff
	Thu, May 21, 2:21 PM

	F124997156: D5884.1779142123.diff
	Sun, May 17, 10:08 PM

	F124990720: D5884.1779138697.diff
	Sun, May 17, 9:11 PM

	F124718151: D5884.1778861486.diff
	Thu, May 14, 4:11 PM

Subscribers

machniak

Details

Reviewers

None

Group Reviewers

Roundcube Kolab Plugins Developers

Commits

rRPK5b8c505aade3: Use a token with the 'config' scope for the user config request

Summary

To avoid breaking config requests.
This will mean that we always require a separate access token for config
requests, even though the more powerful 'api' scope token would be
enough to request the config (but we can't refresh without passing 2fa).

Diff Detail

Repository

rRPK roundcubemail-plugins-kolab

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

mollekopf requested review of this revision.Tue, May 12, 6:18 AM

mollekopf created this revision.

Harbormaster completed remote builds in B57501: Diff 16839.Tue, May 12, 6:18 AM

Cleanup

Harbormaster completed remote builds in B57502: Diff 16840.Tue, May 12, 6:22 AM

Fixup

Harbormaster completed remote builds in B57503: Diff 16841.Tue, May 12, 6:28 AM

mollekopf added a reviewer: Roundcube Kolab Plugins Developers.Tue, May 12, 6:39 AM

mollekopf added inline comments.

plugins/kolab/Kolab/Client.php
159	The error handling is currently not great. When we fail to retrieve a token: We first retry 5 times Then we run into this error here which results in an error 500 page in roudncube and a 500 return code in syncroton Without erroring out we just continue to log-in instead of e.g. loading the 2fa plugin (so that needs to be avoided)

Having a single secret token that identifies Roundcube client and allows for user impersonation on config/webmail request only would probably be better. It would allow to skip /api/auth/login and directly call /api/v4/config/webmail, e.g. with Bearer <email>:<secret>. It would also eliminate any token refresh issues, as it would not have to be refreshed.

The error handling issue... not great, I think we could "abort" from Configuration::authenticateHook() and for syncroton throw a proper error/code from ::readyHook().

This revision was not accepted when it landed; it landed in state Needs Review.Tue, May 19, 8:17 AM

Closed by commit rRPK5b8c505aade3: Use a token with the 'config' scope for the user config request. · Explain Why

This revision was automatically updated to reflect the committed changes.

mollekopf added a commit: rRPK5b8c505aade3: Use a token with the 'config' scope for the user config request.