testERP5Security: test if user really can/can't login
@romain has also been hit by the 'Invalid authentication token' error when logging in with unicode in the login/password, which reminded me of the Invalid authentication token discussion that I forgot.
After some searching, I think here is what happens:
- when the user clicks login, `modifyRequest` of `CookieCrumbler` is called, which generates the ac value, then calls `setAuthCookie` to set the cookie in the browser even if the login/password are not correct
- then `BaseRequest` of `Zope` is called, which calls `identify` of `AccessControl`
- in `identify`, it tries to call `decode`, but since there is `unicode`, it fails with the exception:
  `'ascii' codec can't decode byte 0xc3 in position 0`
  which is caught and raised again as BadRequest 'Invalid authentication token'
- since there is an exception, the `post traversal hooks` of `BaseRequest` are not called anymore; in our login case, `logged_in` is not called, which is used to remove the cookie if anonymous
- in the end, the wrong cookie is set in the browser, and the user is not able to log in anymore since the login page always shows `BadRequest 'Invalid authentication token'`
I don't know what the correct way to fix this is. I already tried the original CookieCrumbler instead of our patch, and it has the same error.
Maybe we should also patch BaseRequest.py or AccessControl.py.
I already tried patching AccessControl.py with @romain, and it seems to work:
--- a/src/AccessControl/userfolder.py
+++ b/src/AccessControl/userfolder.py
@@ -118,7 +118,7 @@ class BasicUserFolder(Implicit, Persistent, RoleManager):
                 name, password = decodebytes(auth.split(b' ')[-1]) \
                     .decode().split(':', 1)
             except BaseException:
-                raise BadRequest('Invalid authentication token')
+                return None, None
             return name, password
         else:
             return None, None
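Review bot: the context line `except BaseException:` just above the changed line still swallows every exception, so with `return None, None` a malformed or non-ASCII token now silently becomes an anonymous request, indistinguishable from the `else:` branch where no token was sent. Consider catching only the decoding and unpacking errors (`binascii.Error`, `UnicodeDecodeError`, `ValueError`) and logging that a token was rejected, so failed parses stay visible. Note also that `.decode()` is called without an explicit codec; given the reported `'ascii' codec can't decode byte 0xc3` error, credentials containing non-ASCII characters would still never authenticate after this change, they would only fail quietly, so passing an explicit codec such as `.decode('utf-8')` may be the fix for the actual login failure.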
@jerome @vpelletier what do you think?
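The failure described in this comment, reproduced stand-alone as an added example (not code from AccessControl, CookieCrumbler or the patch above). It assumes the token is `Basic ` followed by base64 of `name:password` and that the failing decode used the ASCII codec, as the quoted error message indicates; `make_token`, `identify_ascii`, `identify_utf8` and the local `BadRequest` class are hypothetical names.

```python
import base64
import binascii


class BadRequest(Exception):
    """Local stand-in for the BadRequest exception named in the comment."""


def make_token(name, password):
    # Simplified model of the login token: "Basic " + base64("name:password").
    raw = ("%s:%s" % (name, password)).encode("utf-8")
    return b"Basic " + base64.b64encode(raw)


def identify_ascii(auth):
    """Behaviour described above: ASCII decode, any failure becomes BadRequest."""
    if auth and auth.lower().startswith(b"basic "):
        try:
            name, password = base64.decodebytes(auth.split(b" ")[-1]) \
                .decode("ascii").split(":", 1)
        except Exception:
            raise BadRequest("Invalid authentication token")
        return name, password
    return None, None


def identify_utf8(auth):
    """Hypothetical alternative: decode as UTF-8 and treat only a
    malformed token as "no credentials" instead of failing the request."""
    if auth and auth.lower().startswith(b"basic "):
        try:
            name, password = base64.decodebytes(auth.split(b" ")[-1]) \
                .decode("utf-8").split(":", 1)
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return None, None
        return name, password
    return None, None


if __name__ == "__main__":
    token = make_token("\u00e9ric", "s3cret")  # constructed sample, starts with byte 0xc3
    print(identify_utf8(token))
    try:
        identify_ascii(token)
    except BadRequest as exc:
        print("ascii path:", exc)
```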