Public key expiration date is current date for service access tokens

Bug #1744351 reported by Alex Buckley
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| Mahara | Fix Released | Low | Unassigned | |

Bug Description

In the 'Manage service users' area of the Mahara administration, when you generate a new token, the public key of the token has an expiration date of the current date/time, making the token unusable.

This bug was replicated in a remote and locally installed instance of Mahara.

When I tried to perform curl commands using this token I was redirected to the Mahara login page, showing the token was not valid.

To replicate:
1. Log in to Mahara and go to Administration->Web services->Configuration->Manage service access tokens

2. Input a username and generate the token

3. Notice the expiration date of the public key is the current date/time of the server that the instance is running on

summary: - Public key expiration date is current date for service access tokens is
- current date
+ Public key expiration date is current date for service access tokens
description: updated
Robert Lyon (robertl-9) wrote :

The fields:
"Enable web services security (XML-RPC Only)"
"Public key"
"Public key expires"

All go together - if you've not enabled the XML-RPC Only switch the other fields are ignored.

If you paste in a public key then the expires field shows the true expiry of the key - but still isn't used if XML-RPC Only switch is off

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/8461

Robert Lyon (robertl-9) wrote :

I've added a patch that has some JavaScript to hide those confusing fields when the XML-RPC switch is set to 'no'.

Alex Buckley (alexbuckley) wrote :

Another note about this:

Even though now hidden (by this patch), surely if you don't enable the extra security 'Enable web services security (XML-RPC Only)' field then the public key expiry date should not default to a date based on the server, i.e. the public key expiry date should be independent of the current date/time of the hosting server.

Steven (stevens-q) wrote :

Manually ran the following Behat test:

Environment tested: Master
Browser tested: Chrome

===================
Behat Test Script
===================

@javascript @core @core_institution @core_artefact
Feature: Public key expiration date is current date for service access tokens
    As an admin
    When I generate a service access token for a Mahara user
    And I do not enable web services security (XML-RPC Only)
    I do not see Public key expires data

Background:
    Given the following "users" exist:
    | username | password | email | firstname | lastname | institution | authname | role |
    | UserA | Kupuhipa1 | <email address hidden> | Angela | User | Institution A | internal | admin |
    | UserB | Kupuhipa1 | <email address hidden> | Bob | User | Institution A | internal | member |

Scenario: Admin user generates a service access token for a Mahara user
    Given I log in as "UserA" with password "Kupuhipa1"
    And I am on "/admin/index.php?open=webservices_token"
    # Need step def for step below (And I fill in input "Username:" with "Bob" and select first autosuggestion)
    And I fill in "Username:" with "Bob"
    When I press "Generate token"
    Then I should see "Service access tokens"
    And I should not see "Public key expires"

Catalyst QA Approved ✔

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8461
Committed: https://git.mahara.org/mahara/mahara/commit/4ae480c55b6e9ddefc58ed61df1f4217a43db5da
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 4ae480c55b6e9ddefc58ed61df1f4217a43db5da
Author: Robert Lyon <email address hidden>
Date: Tue Jan 23 10:43:48 2018 +1300

Bug 1744351: Hide the xmlrpc specific fields when not using them

In the add/edit webservice users/tokens screens

behatnotneeded

Change-Id: I9921dd5408c39cbd2f449a89ddc7f177e2551aab
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) wrote :

The problem of the public key expires is an issue with reading the date from the xmlrpc certificate - but as we are moving away from xmlrpc to LTI we will ignore the problem with incorrect date for now.

Hiding that part of the form will avoid user confusion when not using xmlrpc
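
The comments above describe a "Public key expires" value that is only meaningful when XML-RPC security is enabled and a certificate has been pasted in. The following is an added example, not part of this thread and not Mahara's code, of deriving that value so that a disabled switch, an empty field or an unparseable key yields "no expiry" rather than a timestamp. The helper names `publickey_expiry()` and `describe_expiry()` and the sample certificate are assumptions made for illustration.

```php
<?php
// Added example, not Mahara code. Both helper functions are hypothetical.

/**
 * Return the certificate's notAfter time as a Unix timestamp, or null when
 * XML-RPC security is off, no key was supplied, or the key cannot be parsed.
 */
function publickey_expiry(bool $xmlrpcSecurity, ?string $pem): ?int {
    if (!$xmlrpcSecurity || $pem === null || trim($pem) === '') {
        return null;                       // fields are ignored or empty
    }
    $cert = @openssl_x509_read($pem);
    if ($cert === false) {
        return null;                       // not a parseable X.509 certificate
    }
    $info = openssl_x509_parse($cert);
    if ($info === false || !isset($info['validTo_time_t'])) {
        return null;
    }
    return (int) $info['validTo_time_t'];
}

function describe_expiry(?int $expires, int $now): string {
    if ($expires === null) {
        return 'no public key expiry to show';
    }
    $state = $expires <= $now ? 'EXPIRED' : 'valid';
    return gmdate('Y-m-d H:i:s', $expires) . " UTC ($state)";
}

// Constructed sample: a throwaway self-signed certificate valid for 30 days.
$key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'example.invalid'], $key, ['digest_alg' => 'sha256']);
$x509 = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
openssl_x509_export($x509, $pem);

$cases = [
    'switch off'  => [false, $pem],
    'empty field' => [true, ''],
    'garbage'     => [true, 'not a certificate'],
    'sample cert' => [true, $pem],
];
$now = time();
foreach ($cases as $label => [$enabled, $input]) {
    echo str_pad($label, 12), ': ', describe_expiry(publickey_expiry($enabled, $input), $now), PHP_EOL;
}
```

Only the last case prints a date, roughly 30 days ahead; the other three report that there is no expiry to show instead of a time equal to the server clock.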

Changed in mahara:
milestone: none → 18.04.0
importance: Undecided → Low
status: New → Fix Committed
tags: added: usermanualupdate
Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released