sends http (not https) link in password reset email

Bug #1771138 reported by FC Stegerman
This bug affects 4 people
Affects: Canonical SSO provider
Status: Fix Released
Importance: High
Assigned to: Maximiliano Bertacchini
Milestone: (none)

Bug Description

Hi,

I just reset my launchpad password and noticed a http:// (instead of https://) link in the email I got, meaning the reset token is sent unencrypted when I click on it.

- Felix

FC Stegerman (flx)
information type: Public → Public Security
Colin Watson (cjwatson) wrote :

I could have sworn I remembered seeing another bug about this, but I can't find it. Bug 1747479 (private security) may be related, though isn't quite the same thing.

affects: launchpad → canonical-identity-provider
Daniel Manrique (roadmr) wrote :

I just requested a password reset and yes:

Hello

You have requested a new password for your Ubuntu One account.

Click the following link to automatically confirm your reset:

http://login.ubuntu.com/token/<verylongtoken>/+<email address hidden>
Thank you,

The Ubuntu One team
https://login.ubuntu.com

Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → High
Daniel Manrique (roadmr) wrote :

The /+forgot_password link takes one to the forgot_password view in src.webui.views.registration. This eventually instantiates an SSO API client (identityprovider.apiutils.get_api_client method) and calls its request_password_reset method passing email and the given reset token.

get_api_client returns a TimelineRecordingApiClient (same module) which contains a TimelineRecordingApiSession which is a subclass of ssoclient.v2.http.ApiSession, basically an augmented requests.Session.

What this client does is hit internal API endpoints on settings.API_HOST to perform actual actions. For a password reset, it ultimately hits the PasswordResetTokenHandler, which builds the URL to be sent in the e-mail and then calls emailutils.send_password_reset_email (including a root_url for building the reset link).

This root_url is obtained by the usual Django method of using request.build_absolute_uri() on the request that originated the action, to try and ensure that the scheme and host match.

I think this is where the problem lies: the request here is not the request from the browser to the https main web service, but the request from the app server to the backend API server (settings.API_HOST). I think this is why the schema is http and not https, because settings.API_HOST is defined as an http:// URL with a specific port, under the assumption that it runs on the same host and thus is privileged.

One way to fix this would be to get the root URL in the forgot_password view (since this has the appropriate context for the user -> secure app server request). Then, pass this root URL to the request_password_reset API endpoint/method.

request_password_reset (which lives in the ssoclient module https://code.launchpad.net/~ubuntuone-pqm-team/canonical-identity-provider/ssoclient) would need to support receiving this parameter and passing it when doing the API call that hits PasswordResetTokenHandler. It currently accepts two parameters: email and token. It would need to take a third parameter (base URL) and use that instead of request.build_absolute_uri for the root_url.

Changed in canonical-identity-provider:
status: Confirmed → Triaged
Daniel Manrique (roadmr) wrote :

For further confirmation, I tried hitting the API, the way the webui component does:

curl -v -X POST https://login.ubuntu.com/api/v2/tokens/password -H "Content-type: application/json" -d '{"email": "<email address hidden>", "token": null}'

(note the null token since we don't have one yet).

the link I got looks like:

https://<email address hidden>

Daniel Manrique (roadmr) wrote :

Which means the naive solution of passing the root url as a parameter to the API won't work, because this API is public and we can't allow anyone out there to send a base root url.

Maybe then the solution would be to forcibly change the schema to https if it isn't already.
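The mechanism roadmr describes two comments up (the reset link's root URL is derived from the app-server-to-API request, whose scheme is the http:// of settings.API_HOST rather than the https:// the browser used) and the two points made here (a public API cannot accept an arbitrary caller-supplied root URL; forcing the scheme to https is a workable mitigation), as an added Python example. This is not code from the bug thread or from canonical-identity-provider; the host values, the allow-list and the function names are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-ins (assumptions, not the project's real settings):
# the public web front end, and an internal API host reachable over plain
# http on a fixed port, as roadmr describes settings.API_HOST.
PUBLIC_ROOT = "https://login.ubuntu.com"
INTERNAL_API_HOST = "http://127.0.0.1:8000"
ALLOWED_HOSTS = ("login.ubuntu.com",)


def build_reset_link(root_url, token, email):
    """Assemble the reset link the way the e-mail in the thread shows it:
    <root>/token/<token>/+<email>. Whatever scheme root_url carries is what
    the user receives, which is the bug: a root taken from the internal
    API request yields an http:// link."""
    return f"{root_url.rstrip('/')}/token/{token}/+{email}"


def force_https(url):
    """Mitigation suggested in the comment above: rewrite the scheme to
    https unconditionally, leaving host, path, query and fragment alone."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def safe_root_url(candidate, allowed_hosts=ALLOWED_HOSTS):
    """Why a caller-supplied root URL must not be trusted on a public API:
    only a host on the allow-list is accepted, and even then the scheme is
    forced to https. Anything else falls back to the configured public root,
    so a request to the API cannot steer the reset link to another host."""
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return PUBLIC_ROOT
    return force_https(candidate)


def reset_link_for_email(token, email, root_url=None):
    """Build the link the e-mail should contain: validated/forced-https root
    plus token path. With no root_url given, the public root is used."""
    root = PUBLIC_ROOT if root_url is None else safe_root_url(root_url)
    return build_reset_link(root, token, email)


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real one.
    print("buggy:", build_reset_link(INTERNAL_API_HOST, "TOKEN", "user@example.com"))
    print("fixed:", reset_link_for_email("TOKEN", "user@example.com", INTERNAL_API_HOST))
```

Run stand-alone it prints the http:// link the bug produces next to the https:// link the hardened path produces; the internal host is rejected by the allow-list and the public root is substituted. Where this goes beyond the thread: the allow-list check combines both comments (reject untrusted roots, then force https) rather than implementing either alone.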

Seth Arnold (seth-arnold) wrote :

Do API endpoints move often enough to justify this amount of work? I hoped the fix would be a simple sed -i command. It's obviously more than that now, but maybe the endpoint url could just be hardcoded in the template?

Thanks

Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
status: Triaged → In Progress
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
William Grant (wgrant) wrote :

This caused a regression (bug #1787496), so production has been rolled back.

Changed in canonical-identity-provider:
status: Fix Released → Fix Committed
Maximiliano Bertacchini (maxiberta) wrote :

The offending commit has been reverted in trunk.

Changed in canonical-identity-provider:
status: Fix Committed → In Progress
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released