Bug 463293 - Babel should use OpenID
Summary: Babel should use OpenID
Status: RESOLVED FIXED
Alias: None
Product: Babel
Classification: Technology
Component: Server
Version: unspecified
Hardware: PC All
Importance: P2 major
Target Milestone: ---
Assignee: Babel server inbox CLA
QA Contact:
URL: https://babel.eclipse.org/babel/login...
Whiteboard:
Keywords: greatbug, greatfix, helpwanted
Depends on:
Blocks:
 
Reported: 2015-03-27 10:07 EDT by Eugen Neufeld CLA
Modified: 2019-09-25 21:36 EDT
CC List: 7 users

See Also:


Attachments

Description Eugen Neufeld CLA 2015-03-27 10:07:11 EDT
Hi, 
My Eclipse password contains special characters like % . 
With such a PW I cannot log in. The login only works if the PW doesn't contain special characters.

Cheers,
Eugen
Comment 1 Kit Lo CLA 2015-03-27 10:11:42 EDT
Denis, can you help?
Comment 2 Denis Roy CLA 2015-03-30 16:50:54 EDT
This is likely a bug in the Babel authentication code.

To be honest, Babel should be configured to use an LDAP host as opposed to Bugzilla.  That would help solve a lot of issues.
Comment 3 Eclipse Genie CLA 2017-03-20 10:29:56 EDT
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

--
The automated Eclipse Genie.
Comment 4 Denis Roy CLA 2018-02-08 16:18:10 EST
Babel uses a copied version of the Bugzilla account database to offer a "single sign-on" for babel users.

https://babel.eclipse.org/babel/login.php

It's error-prone, laggy, insecure, not modern and problematic.

The Babel login should use OpenID:
https://wiki.eclipse.org/OpenID
Comment 5 Christopher Guindon CLA 2018-02-12 11:43:40 EST
(In reply to Denis Roy from comment #4)
> Babel uses a copied version of the Bugzilla account database to offer a
> "single sign-on" for babel users.
> 
> https://babel.eclipse.org/babel/login.php
> 
> It's error-prone, laggy, insecure, not modern and problematic.
> 
> The Babel login should use OpenID:
> https://wiki.eclipse.org/OpenID

+1 Let me know how I can help!
Comment 6 Denis Roy CLA 2018-02-27 09:46:01 EST
Moving to server.
Comment 7 Denis Roy CLA 2018-02-27 09:49:02 EST
With apologies, I meant to create a code review for this commit:

http://git.eclipse.org/c/babel/server.git/commit/?id=643e02aa211eda15baddd7229c2fc597b65d10df

It updates the password hash algorithm to the latest Bugzilla hash. This will resolve many of the most recent login problems folks have been experiencing.

+ # 2018-02-27 - Comma separator between salt and hash
+ $pw = $salt . "," . str_replace("=", "", base64_encode(mhash(MHASH_SHA256, $password . $salt))) . $hash_method;
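Review bot: `$hash_method` is concatenated onto `$pw` on the second added line but nothing in the hunk sets it, so if it is empty the computed string will never match a stored Bugzilla value that carries an algorithm suffix; set it in the same change and make the comment say what format Bugzilla stores, not just "comma separator". Two further points: `mhash()` is a legacy extension, and `hash('sha256', $password . $salt, true)` yields the same raw digest without depending on it; and because this is a single unstretched SHA-256 round kept only to reproduce hashes Bugzilla already stored, the comparison that consumes `$pw` should use `hash_equals()`, and no credential Babel creates itself should use this scheme.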
Comment 8 Denis Roy CLA 2018-02-27 09:52:40 EST
Reducing to Enhancement.
Comment 9 Denis Roy CLA 2019-07-17 09:19:31 EDT
This is no longer an enhancement. This is now required.
Comment 10 Denis Roy CLA 2019-07-18 11:47:35 EDT
https://api.eclipse.org/docs/auth
Comment 11 Paul Pazderski CLA 2019-08-28 17:14:18 EDT
I worked on this issue and would say most parts are done.

One important (but easy) thing to do: babel needs a Client ID to use Eclipse OpenID. See https://wiki.eclipse.org/OpenID#Requesting_a_Client_ID

Since I could not really start without that ID, I made instead a "Login with GitHub" for testing. It uses the same protocol for authentication, therefore things learned here should be reusable for the actual Eclipse OpenID login.

You can find a live demo of this test at https://ppazderski.de/babel/html/
If you don't trust me enough, don't use it, but remember that I have no access to your credentials because you enter them on the GitHub page. Also, GitHub shows you what information I can access, which for this demo is nothing but the public profile.


Now for some technical detail. The current login uses a copy of the Bugzilla user database. For OpenID login the database is not necessary anymore, but I will not fully remove it or I would have to change too much code. Instead my idea was to populate the user table on demand with data from the Eclipse account API. When a user logs in, a new user entry is generated or the existing one is updated. Since the existing table is a copy from Bugzilla, I assume not every field is required. Fields which can still be used/updated are: userid, username, first_name, last_name, is_committer and the updated and created fields. Email could be updated, but I saw no usage other than the old login and therefore would leave it empty in the future. Fields which are not usable/updated anymore are: primary_language_id, hours_per_week and password_hash.
Because I'm not a user of Babel, please tell me if you think this attempt will be problematic in any way.
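The on-demand provisioning described in the comment above, as an added illustration that is not Babel's own code (Babel is PHP; this is Python so it can be run as-is against an in-memory SQLite database). It assumes a `users` table with the columns the comment names, uses the OpenID subject (`sub`) as the stable `username`, and the claim names `given_name`, `family_name` and `is_committer` are assumptions about what the account API returns. The security point it shows is the allow-list: only the fields the comment marks as still in use are ever written from provider data, so `email`, `password_hash`, `hours_per_week` and `primary_language_id` stay untouched no matter what the provider response contains.

```python
"""Provision (or refresh) a Babel users row from identity-provider claims.

Added illustration, not Babel's own code. Assumed: a `users` table shaped like
the one described in the thread, the OpenID subject ("sub") used as the stable
`username`, and claim names (given_name, family_name, is_committer) that are
assumptions about what the account API returns.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed schema mirroring the fields named in the thread (column types are
# assumptions; the real table is a copy of Bugzilla's).
SCHEMA = """
CREATE TABLE users (
    userid              INTEGER PRIMARY KEY AUTOINCREMENT,
    username            TEXT NOT NULL UNIQUE,
    first_name          TEXT,
    last_name           TEXT,
    email               TEXT,
    is_committer        INTEGER NOT NULL DEFAULT 0,
    primary_language_id INTEGER,
    hours_per_week      INTEGER,
    password_hash       TEXT,
    created             TEXT NOT NULL,
    updated             TEXT NOT NULL
);
"""

# Only these columns may ever be written from provider data. email,
# password_hash, hours_per_week and primary_language_id are never touched, so a
# stray or hostile claim cannot populate them. (Column names below come from
# this constant, never from input, so building SQL with them is safe.)
WRITABLE = ("first_name", "last_name", "is_committer")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def claims_to_row(claims):
    """Map provider claims onto the allow-listed columns; refuse a missing subject."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("identity provider response lacks a subject identifier")
    return sub, {
        "first_name": claims.get("given_name", ""),              # assumed claim name
        "last_name": claims.get("family_name", ""),              # assumed claim name
        "is_committer": 1 if claims.get("is_committer") else 0,  # assumed claim name
    }


def provision_user(conn, claims, now=None):
    """Insert the user on first login, update allow-listed fields afterwards.

    Returns the userid. The subject is matched against `username`, which (as
    the thread notes later) must be pre-populated for existing accounts to be
    reused instead of duplicated.
    """
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    sub, fields = claims_to_row(claims)
    row = conn.execute("SELECT userid FROM users WHERE username = ?", (sub,)).fetchone()
    if row is None:
        cols = ("username", *WRITABLE, "created", "updated")
        cur = conn.execute(
            f"INSERT INTO users ({', '.join(cols)}) VALUES ({', '.join('?' * len(cols))})",
            (sub, *(fields[c] for c in WRITABLE), now, now),
        )
        userid = cur.lastrowid
    else:
        userid = row[0]
        assignments = ", ".join(f"{c} = ?" for c in WRITABLE)
        conn.execute(
            f"UPDATE users SET {assignments}, updated = ? WHERE userid = ?",
            (*(fields[c] for c in WRITABLE), now, userid),
        )
    conn.commit()
    return userid


def user_row(conn, userid):
    """Return the stored row as a dict (for inspection and tests)."""
    cur = conn.execute("SELECT * FROM users WHERE userid = ?", (userid,))
    names = [d[0] for d in cur.description]
    return dict(zip(names, cur.fetchone()))


if __name__ == "__main__":
    db = open_db()
    # Constructed sample claims, not a real Eclipse account; the extra keys
    # demonstrate that non-allow-listed data is dropped.
    uid = provision_user(db, {"sub": "1234", "given_name": "Ada", "family_name": "Lovelace",
                              "is_committer": True, "email": "ada@example.org",
                              "password_hash": "ignored"})
    print(user_row(db, uid))
```

A second login with the same `sub` updates the name and `is_committer` flag and bumps `updated` while keeping `userid` and `created`, which is what lets existing translation history stay attached to the account.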
Comment 12 Kit Lo CLA 2019-08-28 18:11:49 EDT
Paul, thank you very much for your help! That's exactly what Denis and I wanted to implement! I tested out your demo. It's promising!

Denis, do we have a Client ID to use Eclipse OpenID already?
Comment 13 Denis Roy CLA 2019-08-29 09:40:19 EDT
> Denis, do we have a Client ID to use Eclipse OpenID already?

I will request one from our webdev team.
Comment 14 Denis Roy CLA 2019-08-29 14:34:45 EDT
> Email could be updated but I saw no usage other than old login and therefore
> would leave it empty in the future.

Agreed. Actually, under GDPR, your approach to local data is the desirable one.
Comment 15 Paul Pazderski CLA 2019-08-29 15:50:38 EDT
One detail I forgot to mention: for the OpenID Client you might get asked for a callback URL. I planned to use https://babel.eclipse.org/babel/login_oauth.php for that.
Comment 16 Christopher Guindon CLA 2019-08-29 16:05:49 EDT
(In reply to Paul Pazderski from comment #15)
> One detail I forgot to mention: for the OpenID Client you might get asked
> for a callback URL. I planned to use
> https://babel.eclipse.org/babel/login_oauth.php for that.

I sent an email this morning with a client_id + client_secret that you can use but I am realizing now that I only sent it to Kit and Denis.

I will forward you that email with an update to the callback url as you requested.
Comment 17 Eclipse Genie CLA 2019-08-29 18:17:20 EDT
New Gerrit change created: https://git.eclipse.org/r/148599
Comment 18 Paul Pazderski CLA 2019-08-29 18:19:50 EDT
Thanks Christopher.

@Kit and Denis: for the change you must also extend the base.conf with
oauth_client_id=~~id~~
oauth_client_secret=~~secret~~
oauth_client_callback=https://babel.eclipse.org/babel/login_oauth.php
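The login flow that the three base.conf keys above configure, shown as an added example in Python; it is not Babel's `login_oauth.php` and not Eclipse Foundation code. The three key names and the callback URL are the ones from the comment; the authorize and token endpoint URLs and the token response shape are assumptions about the Eclipse provider, and the token endpoint is replaced by a constructed stub so the block runs offline. It demonstrates the two checks a callback handler needs: a single-use `state` bound to the session and compared in constant time (so a forged or replayed callback cannot log a victim into the attacker's account), and a server-side code exchange that sends `client_secret` and the registered `redirect_uri` without ever exposing the secret to the browser.

```python
"""OAuth 2.0 authorization-code login with CSRF state binding.

Added illustration, not Babel's own code. The base.conf keys are the three from
the thread; the endpoint URLs and token response shape are assumptions about
the Eclipse provider; the token endpoint is stubbed so this runs offline.
"""
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Assumed provider endpoints (not taken from the thread).
AUTHORIZE_URL = "https://accounts.eclipse.org/oauth2/authorize"
TOKEN_URL = "https://accounts.eclipse.org/oauth2/token"

REQUIRED_KEYS = ("oauth_client_id", "oauth_client_secret", "oauth_client_callback")


def load_conf(text):
    """Parse key=value lines as in base.conf; blank and '#' lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    for key in REQUIRED_KEYS:
        if not conf.get(key):
            raise KeyError(f"base.conf is missing {key}")
    return conf


def start_login(conf, session):
    """Step 1: mint a single-use state, bind it to the session, build the redirect."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": conf["oauth_client_id"],
        "redirect_uri": conf["oauth_client_callback"],
        "state": session["oauth_state"],
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def finish_login(conf, session, callback_url, token_post):
    """Step 2: the provider redirected to oauth_client_callback?code=...&state=...

    Verify state in constant time and consume it, then exchange the code
    server-side; the client_secret never reaches the browser.
    token_post(url, form_dict) -> dict is the HTTP client (stubbed below).
    """
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: a replay is refused
    got = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise PermissionError("state mismatch: possible CSRF or replayed callback")
    if "error" in query:
        raise PermissionError("provider returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    token = token_post(TOKEN_URL, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": conf["oauth_client_callback"],  # must equal the registered one
        "client_id": conf["oauth_client_id"],
        "client_secret": conf["oauth_client_secret"],
    })
    if not token.get("access_token"):
        raise PermissionError("token endpoint did not issue an access token")
    return token["access_token"]


# Constructed stand-in for the provider's token endpoint so the flow runs offline.
VALID_CODE = "constructed-code-42"


def fake_token_post(url, data):
    if (data["code"] == VALID_CODE
            and data["client_secret"] == "~~secret~~"
            and data["redirect_uri"] == "https://babel.eclipse.org/babel/login_oauth.php"):
        return {"access_token": "tok-abc", "token_type": "bearer"}
    return {"error": "invalid_grant"}


# The base.conf fragment from the thread, with its placeholder values.
SAMPLE_CONF = """\
oauth_client_id=~~id~~
oauth_client_secret=~~secret~~
oauth_client_callback=https://babel.eclipse.org/babel/login_oauth.php
"""
```

Because the state is popped from the session before it is compared, a second delivery of the same callback URL fails even if the code were still valid; and because the comparison uses `hmac.compare_digest`, a mismatch takes the same time whatever prefix of the state an attacker guessed.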
Comment 19 Denis Roy CLA 2019-08-30 13:33:38 EDT
(In reply to Paul Pazderski from comment #18)
> Thanks Christopher.
> 
> @Kit and Denis: for the change you must also extend the base.conf with
> oauth_client_id=~~id~~
> oauth_client_secret=~~secret~~
> oauth_client_callback=https://babel.eclipse.org/babel/login_oauth.php

Done, thanks. Patch is in review.
Comment 20 Christopher Guindon CLA 2019-09-03 10:52:15 EDT
(In reply to Denis Roy from comment #19)
> (In reply to Paul Pazderski from comment #18)
> > Thanks Christopher.
> > 
> > @Kit and Denis: for the change you must also extend the base.conf with
> > oauth_client_id=~~id~~
> > oauth_client_secret=~~secret~~
> > oauth_client_callback=https://babel.eclipse.org/babel/login_oauth.php
> 
> Done, thanks. Patch is in review.

Thanks, I will be reviewing the code in the next day or so.

@webmaster, is it possible for me to get my hands on a copy of the database? I would like to run the site locally to make sure that all is well from our side.
Comment 21 Denis Roy CLA 2019-09-03 14:48:17 EDT
Chris, have you tried:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=463293
Comment 22 Denis Roy CLA 2019-09-03 14:48:38 EDT
(In reply to Denis Roy from comment #21)
> Chris, have you tried:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=463293

Apologies, link should have been:
https://www.eclipse.org/downloads/download.php?file=/technology/babel/babel-database.sql.gz
Comment 23 Christopher Guindon CLA 2019-09-06 14:09:08 EDT
(In reply to Denis Roy from comment #22)
> (In reply to Denis Roy from comment #21)
> > Chris, have you tried:
> > https://bugs.eclipse.org/bugs/show_bug.cgi?id=463293
> 
> Apologies, link should have been:
> https://www.eclipse.org/downloads/download.php?file=/technology/babel/babel-
> database.sql.gz

Thanks,

I am taking a look at this now! You can expect some feedback or a +1 before the end of the day!
Comment 25 Denis Roy CLA 2019-09-17 08:49:51 EDT
Kit, I've disabled the cron jobs that sync Bugzilla and I'm purging the database of user accounts that have zero translations.  We'll get this patch going on the existing vserver, then migrate to a new server.

Does that sound like a reasonable plan?
Comment 26 Kit Lo CLA 2019-09-17 09:14:04 EDT
Good plan! Thanks!
Comment 27 Denis Roy CLA 2019-09-18 09:41:51 EDT
FYI~

mysql> delete from users where userid in (select userid from _tmp_usertrans where transcount = 0);
Query OK, 434186 rows affected (10 hours 51 min 2.83 sec)


mysql> select count(1) from users;
+----------+
| count(1) |
+----------+
|     1116 |
+----------+
1 row in set (0.04 sec)
Comment 28 Denis Roy CLA 2019-09-18 14:41:31 EDT
babel.eclipse.org is now using OpenID!  I was able to submit some translations:
http://babel.eclipse.org/babel/recent.php


Some comments:

1==
I've commented out line 79 and 85 of:
https://git.eclipse.org/r/#/c/148599/7/classes/system/user.class.php

PHP Parse error:  syntax error, unexpected '[' in user.class.php on line 79
PHP Parse error:  syntax error, unexpected '[' in user.class.php on line 85


There must be an issue with PHP 5.3.17. I won't worry about it, since the new server will likely have PHP7.

2== 
The users.username field is empty, so all users will get a new ID unless we pre-pop the sub.  I'll work with Chris.


3==
Every time I log in, the Eclipse oAuth provider asks me to confirm the action.  Not sure if that's supposed to be.  Will check with Chris.
Comment 29 Paul Pazderski CLA 2019-09-18 15:26:03 EDT
(In reply to Denis Roy from comment #28)
> 1==
> I've commented out line 79 and 85 of:
> https://git.eclipse.org/r/#/c/148599/7/classes/system/user.class.php
> 
> PHP Parse error:  syntax error, unexpected '[' in user.class.php on line 79
> PHP Parse error:  syntax error, unexpected '[' in user.class.php on line 85
> 
> 
> There must be an issue with PHP 5.3.17. I won't worry about it, since the
> new server will likely have PHP7.

Coincidence! Reading this, I just remembered that I read not long ago a list of why PHP is bad [1], and one of the points was:
foo()[0] is a syntax error. (Fixed in PHP 5.4.)

> 3==
> Every time I log in, the Eclipse oAuth provider asks me to confirm the
> action.  Not sure if that's supposed to be.  Will check with Chris.

It is Eclipse oAuth specific. My first GitHub demonstration had no such restriction because GitHub remembers the authorization. While implementing this I found the related bug 506474 and assume it is still valid.

[1] https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
Comment 30 Denis Roy CLA 2019-09-18 15:32:53 EDT
> While implementing
> this I found the related bug 506474 and assume it is still valid.

I've linked these bugs.

Otherwise, I'm ready to close this bug as FIXED.  Kit?
Comment 31 Kit Lo CLA 2019-09-18 17:00:20 EDT
I tested the new login. Works great! Thank you Paul for the fix and Denis for the help!

+1
Comment 32 Denis Roy CLA 2019-09-25 21:36:13 EDT
Fixed it is!