SSO with Django 1.11 created bad 2FA QRcode URLs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | Undecided | Tom Wardill |
Bug Description
For easier addition of 2FA devices, SSO uses a Google charts service that generates a QR code to be scanned with Google Authenticator.
The image URL for this code is being badly generated by SSO with the Django 1.11 upgrade (on staging), which causes the image link to appear "broken" to users.
How to repro (compare this on staging vs. production to see the effect):
1- Log in, and go to "authentication devices"
2- "Add a new authentication device"
3- "Smartphone or tablet", then click "Add device"
4- Check under:
In the "Google Authenticator" app, add a new token and scan this barcode.
Expected: there should be a QR code.
Actual on staging: there is no QR code, the space for the image is there but it has the broken thingy.
It seems that something in Django 1.11 (or 1.9, or 1.10) more zealously escapes & in built URLs. Checking the page with the browser's devel console I see the src URL for production, which works:
https:/
whereas for staging it's:
https:/
Notice how the three & are replaced with &amp;.
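An added example (not code from the SSO project or from this report) of the failure mode described above, assuming the cause is one extra HTML-escaping pass over the image URL: escaped once, the `src` decodes back to the intended URL; escaped twice, a literal `&amp;` survives parsing and the query parameter names are corrupted. The host and parameter names are constructed placeholders.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

# Constructed sample: placeholder host and hypothetical parameter names, chosen
# only so the URL has three "&" separators like the one in the report.
PARAMS = {"type": "qr", "size": "200x200", "data": "otpauth://totp/demo", "level": "M"}


def build_url():
    return "https://chart.example.invalid/qr?" + urlencode(PARAMS)


def render_img(url, passes):
    """Return an <img> tag whose src value was HTML-escaped `passes` times."""
    for _ in range(passes):
        url = escape(url, quote=True)
    return '<img src="%s">' % url


class _SrcCollector(HTMLParser):
    """Records the src of the first <img>; attribute entities are decoded once."""

    def __init__(self):
        super().__init__()
        self.src = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.src is None:
            self.src = dict(attrs).get("src")


def src_as_parsed(markup):
    """The src value after HTML parsing, i.e. what the browser will request."""
    parser = _SrcCollector()
    parser.feed(markup)
    parser.close()
    return parser.src


def query_names(url):
    """Parameter names as seen by a server that splits the query on '&'."""
    return sorted(p.split("=", 1)[0] for p in urlsplit(url).query.split("&"))


def is_over_escaped(markup):
    """Regression check: a parsed URL must not still contain '&amp;'."""
    src = src_as_parsed(markup)
    return src is not None and "&amp;" in src
```

A check like `is_over_escaped` on the rendered markup catches this class of regression when a framework upgrade changes escaping behaviour.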
Related branches
- Colin Watson (community): Approve
- Ricardo Kirkner (community): Approve
- Diff: 91 lines (+37/-5), 3 files modified
  - src/identityprovider/templatetags/qrcode.py (+6/-3)
  - src/identityprovider/tests/test_templatetags.py (+30/-1)
  - src/webui/tests/test_views_devices.py (+1/-1)
Changed in canonical-identity-provider:
status: New → In Progress
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released