Merge lp:~roadmr/canonical-identity-provider/better-evil-token-instructions into lp:canonical-identity-provider/release

Proposed by Daniel Manrique
Status: Merged
Approved by: Daniel Manrique
Approved revision: no longer in the source branch.
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: lp:~roadmr/canonical-identity-provider/better-evil-token-instructions
Merge into: lp:canonical-identity-provider/release
Diff against target: 69 lines (+41/-2)
3 files modified
src/webui/templates/404-no-token.html (+27/-0)
src/webui/tests/test_views_ui.py (+3/-1)
src/webui/views/ui.py (+11/-1)
To merge this branch: bzr merge lp:~roadmr/canonical-identity-provider/better-evil-token-instructions
Reviewer Review Type Date Requested Status
Maximiliano Bertacchini Approve
Review via email: mp+367285@code.launchpad.net

Commit message

Show friendly help if we can't find the openid session token from a validation link

The most common reason for that is initiating a login on a third-party site,
creating the account in sso as part of the flow, then clicking on the
activation link on another device or browser.

So instead of sending people to a terse 404 page which causes them to fume and
come file bugs which end up as dupes of https://pad.lv/1693375, the new (still
a 404-code) page explains what to do and provides a link where they can
validate their e-mail address out of the third-party login flow (which is the
workaround we recommend anyway, after painful back and forth checking the
format of the link they clicked on and referring to the cited bug).

Description of the change

Maximiliano Bertacchini (maxiberta) wrote :

LGTM, with a couple of nitpicks. Thanks!

review: Approve
Daniel Manrique (roadmr) :
Maximiliano Bertacchini (maxiberta) :
review: Approve

Preview Diff

1=== added file 'src/webui/templates/404-no-token.html'
2--- src/webui/templates/404-no-token.html 1970-01-01 00:00:00 +0000
3+++ src/webui/templates/404-no-token.html 2019-05-10 19:55:53 +0000
4@@ -0,0 +1,27 @@
5+{% extends "base.html" %}
6+{% load i18n %}
7+
8+{% comment %}
9+Copyright 2019 Canonical Ltd. This software is licensed under the
10+GNU Affero General Public License version 3 (see the file LICENSE).
11+{% endcomment %}
12+
13+{% block title %}
14+ {% trans "Not found" %}
15+{% endblock %}
16+
17+{% block text_title %}
18+ <h1 class="main">Invalid address validation link</h1>
19+{% endblock %}
20+
21+{% block content %}
22+ <div>
23+ <p>{% blocktrans %}You clicked on an e-mail address validation link from Ubuntu One SSO; however, the information from the link seems to be invalid or stale.{% endblocktrans %}</p>
24+ <p>{% blocktrans %}This could be for one of the following reasons:{% endblocktrans %}</p>
25+ <ol class="u1-list">
26+ <li>{% blocktrans %}The link has already been used. You don't need to validate your address again. {% endblocktrans %}</li>
27+ <li>{% blocktrans %}You created your Ubuntu One SSO account while starting a session on another site. You must click the validation link on the same browser where you started your session on the other site.{% endblocktrans %}</li>
28+ </ol>
29+ <p>{% blocktrans %}You can also go to <a href="{{email_url}}">Your account's e-mail page</a> and click on "Verify" next to the e-mail address you want to verify. This is the best solution if you are unable to click the link on the same browser where you started your session on the other site.{% endblocktrans %}</p>
30+ </div>
31+{% endblock %}
32
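Review bot: the heading in the `text_title` block, `<h1 class="main">Invalid address validation link</h1>`, is the only user-visible string in this template not wrapped in `{% trans %}` or `{% blocktrans %}`, so it will never be translated while the rest of the page is; wrap it as `<h1 class="main">{% trans "Invalid address validation link" %}</h1>`. Minor: the first `<li>` has a trailing space before `{% endblocktrans %}` ("...again. "), which ends up in the msgid and makes the string harder to match in the catalog.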
33=== modified file 'src/webui/tests/test_views_ui.py'
34--- src/webui/tests/test_views_ui.py 2018-10-16 21:41:53 +0000
35+++ src/webui/tests/test_views_ui.py 2019-05-10 19:55:53 +0000
36@@ -1190,7 +1190,9 @@
37
38 response = self.client.post(the_url,
39 None, follow=False)
40- self.assertEqual(response.status_code, 404)
41+ self.assertContains(
42+ response, reverse('account-emails'), status_code=404)
43+ self.assertTemplateUsed(response, '404-no-token.html')
44 # Ensure the address was NOT validated since we bailed
45 # on suspicious/incomplete info.
46 email.refresh_from_db()
47
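Review bot: the new assertions confirm the help template and the `account-emails` link are served with a 404, but nothing asserts that the bad token itself is not echoed back into the page; since the view's stated purpose is to help legitimate users without giving anything to whoever holds a stolen link, add `self.assertNotContains(response, <the token value used to build the_url>, status_code=404)` next to `assertTemplateUsed` so a future template change that interpolates the token would fail this test.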
48=== modified file 'src/webui/views/ui.py'
49--- src/webui/views/ui.py 2018-10-16 19:32:57 +0000
50+++ src/webui/views/ui.py 2019-05-10 19:55:53 +0000
51@@ -526,7 +526,17 @@
52 except BadSignedValue:
53 logger.exception(
54 "OpenID Request token %s given but no orequest found", token)
55- return HttpResponseNotFound()
56+ # Show a 404 page with some instructions on what to do. This most
57+ # commonly happens due to LP #1693375, and the instructions can
58+ # help legitimate users while not leaking anything to evil users
59+ # who may have stolen a validation link.
60+ return HttpResponseNotFound(
61+ render(
62+ request,
63+ '404-no-token.html',
64+ {'email_url': reverse('account-emails')}
65+ )
66+ )
67
68 if request.method == 'POST':
69 captcha_solution = request.POST.get('g-recaptcha-response')
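Review bot: passing the result of `render()` into `HttpResponseNotFound(...)` only works because an HttpResponse happens to be iterable, and it discards the headers the inner response set; the idiomatic form is `return render(request, '404-no-token.html', {'email_url': reverse('account-emails')}, status=404)`, which yields the same 404 with a single response object. Also worth a look while here: the unchanged `logger.exception("OpenID Request token %s given but no orequest found", token)` line writes the full token to the log at exception level, and the new comment itself says these links may be stolen, so consider logging a truncated or hashed form instead. Please double-check that `render` and `reverse` are already imported in ui.py, since neither import appears in this diff.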