SSO with Django 1.11 created bad 2FA QRcode URLs

Bug #1756188 reported by Daniel Manrique
This bug affects 4 people

Affects: Canonical SSO provider
Status: Fix Released
Importance: Undecided
Assigned to: Tom Wardill

Bug Description

For easier addition of 2FA devices, SSO uses a Google charts service that generates a QR code to be scanned with Google Authenticator.

The image URL for this code is being badly generated by SSO with the Django 1.11 upgrade (on staging), which causes the image link to appear "broken" to users.

How to repro (compare this on staging vs. production to see the effect):

1- Login, and go to "authentication devices"
2- "Add a new authentication device"
3- "Smartphone or tablet", then click "Add device"
4- Check under:

 In the "Google Authenticator" app, add a new token and scan this barcode.

Expected: there should be a QR code.
Actual on staging: there is no QR code, the space for the image is there but it has the broken thingy.

It seems that something in Django 1.11 (or 1.9, or 1.10) more zealously escapes & in built URLs. Checking the page with the browser's devel console I see the src URL for production, which works:

https://chart.googleapis.com/chart?chs=250x250&chld=L|0&cht=qr&chl=otpauth%3A//totp/UbuntuSSO/daniel.manrique%40canonical.com%3Fsecret%3DOVONGMPNNRWYZIP2ZDHAC6I6QECI5RMH%26period%3D30

whereas for staging it's:

https://chart.googleapis.com/chart?chs=250x250&amp;chld=L|0&amp;cht=qr&amp;chl=otpauth%3A//totp/UbuntuSSOStaging/daniel.manrique%40canonical.com%3Fsecret%3DJF5NBNX43DELSNYGWAXVEJXZAULWK5JX%26period%3D30

Notice how the three & are replaced with &amp;.
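As an added illustration (not code from the bug report or from the SSO project), the following Python builds an otpauth URI and a chart URL with the same parameter layout as the URLs above, then simulates a template that HTML-escapes the value once (correct) against a value that was already escaped before the template touched it, which is one way a src attribute ends up containing a literal &amp; after the browser decodes it. The issuer, account, secret and all helper names are constructed placeholders; the bug page does not say which code path in SSO produced the bad URL, so this shows a mechanism, not the diagnosed cause.

```python
import html
from urllib.parse import quote, urlencode

# Constructed example values; the secret is a placeholder, not a real key
# and not one of the secrets quoted in the bug report.
ISSUER = "UbuntuSSOStaging"
ACCOUNT = "user@example.com"
SECRET = "JBSWY3DPEHPK3PXP"


def build_otpauth_uri(issuer, account, secret, period=30):
    """Build otpauth://totp/<issuer>/<account>?secret=...&period=...
    with the raw '&' that the query string needs (no HTML escaping here)."""
    label = f"{quote(issuer, safe='')}/{quote(account, safe='@')}"
    query = urlencode({"secret": secret, "period": period})
    return f"otpauth://totp/{label}?{query}"


def build_chart_url(otpauth_uri, size=250):
    """Wrap the otpauth URI in the chart-service URL using the same
    parameter set the bug's URLs show (chs, chld, cht, chl)."""
    params = [
        ("chs", f"{size}x{size}"),
        ("chld", "L|0"),
        ("cht", "qr"),
        ("chl", otpauth_uri),  # percent-encoded once by urlencode
    ]
    # '|' and '/' left unencoded to match the layout seen in the report.
    return "https://chart.googleapis.com/chart?" + urlencode(params, safe="|/")


def render_img_tag(url, autoescape=True):
    """Simulate {{ url }} inside src="" in a Django-style template: with
    autoescape on, '&' becomes '&amp;' exactly once, which is valid HTML."""
    value = html.escape(url, quote=True) if autoescape else url
    return f'<img src="{value}">'


def render_img_tag_pre_escaped(url):
    """The failure mode: the URL was HTML-escaped before reaching the
    template, and the template escapes it again ('&' -> '&amp;amp;')."""
    return render_img_tag(html.escape(url, quote=True))


def attribute_value_as_browser_sees_it(tag):
    """Extract src and decode entities once, as a browser does for an
    attribute value before it requests the image."""
    start = tag.index('src="') + len('src="')
    end = tag.index('"', start)
    return html.unescape(tag[start:end])


def is_double_escaped(tag):
    """True when the decoded attribute still contains a literal '&amp;',
    i.e. the URL was escaped twice and the request will be malformed."""
    return "&amp;" in attribute_value_as_browser_sees_it(tag)


if __name__ == "__main__":
    uri = build_otpauth_uri(ISSUER, ACCOUNT, SECRET)
    url = build_chart_url(uri)
    for tag in (render_img_tag(url), render_img_tag_pre_escaped(url)):
        print(tag)
        print("  browser requests:", attribute_value_as_browser_sees_it(tag))
        print("  double-escaped:  ", is_double_escaped(tag))
```

Run it directly to print both tags side by side. The is_double_escaped check is the kind of assertion a template test can carry, since a src value that still contains a literal &amp; after entity decoding is never a valid request to this service. The example also makes visible, as the URLs above do, that the TOTP secret travels in the chl query parameter to the chart service.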

Tom Wardill (twom)
Changed in canonical-identity-provider:
status: New → In Progress
Tom Wardill (twom)
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Tom Wardill (twom)
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released