Moodle: MDL-58899

Expired OAuth2 confirmation links give poor error message


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.3
    • Fix Version/s: 3.3
    • Component/s: Authentication
    • Labels:
      None
    • Testing Instructions:

      2 Confirmation paths need to be tested:

      Newly created account:

      1. Set up mailcatcher or the like and Moodle SMTP. We want to see outbound emails from Moodle.
      2. Set up google oauth as per the instructions in MDL-58220
      3. Now, make sure you've deleted all non-admin users on the site, so we can start from scratch.
      4. As admin, disable the setting 'authpreventaccountcreation' (untick it)
      5. Log out.
      6. Now, using the google oauth login button, try to login using your gmail account.
      7. You should see a message about confirming your account and an email to the same effect. Don't click the link yet.
      8. Check the link in the email and Confirm that it links to 'confirm-account.php'. Don't click it yet.
      9. Now, as the admin user, log in, browse the list of users and remove the user which is not yet confirmed (Hint: You'll see a 'confirm' link next to their name)
      10. Now, click the link in the email and confirm that you see the notification message "The confirmation link is either invalid, or has expired. Please start the login process again to generate a new confirmation email."
      11. Repeat the process, but this time leave the unconfirmed user in place (so the link stays valid) and proceed to log in as the new account user.

      Existing account with same email:

      1. Now, from the user preferences of the new user, go to 'Linked logins' and remove the link to your google account
      2. Log out.
      3. Now, try to login using google again.
      4. You should see a message about confirming your account and an email to the same effect. Don't click the link yet.
      5. Check the link in the email and Confirm that it links to 'confirm-linkedlogin.php'. Don't click it yet.
      6. Now, update the 'confirmtokenexpires' column of that user's row in the 'auth_oauth2_linked_login' table to the current unix timestamp, i.e. expire the token.
      7. Now, click the link in the email and confirm that you see the notification message "The confirmation link is either invalid, or has expired. Please start the login process again to generate a new confirmation email."
      8. Repeat the process, but this time don't expire the confirmation link, and proceed to log in as that user.
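      The two paths above exercise the same check from two directions: in the first the row the link points at has been removed, in the second the row exists but its 'confirmtokenexpires' has passed. The following is an added Python model of that check, not Moodle's PHP code; it stands in the in-memory `ConfirmationStore` class for the 'user' and 'auth_oauth2_linked_login' rows, assumes a 30-minute token lifetime (the page does not state Moodle's value), and uses constructed issuer/user names. It shows the property the fix relies on: every failure (missing row, wrong token, expired token, reused token) produces the one generic message quoted in the test steps, so the response does not tell a caller which of those conditions applied, the token comparison is constant-time, and a consumed token is cleared so the link is single-use.

```python
import hmac
import secrets

# Message quoted in the testing instructions; returned for every failure mode.
GENERIC_MESSAGE = (
    "The confirmation link is either invalid, or has expired. "
    "Please start the login process again to generate a new confirmation email."
)
TOKEN_LIFETIME = 30 * 60  # assumed lifetime in seconds; not Moodle's actual value


class ConfirmationStore:
    """In-memory stand-in (constructed for this example) for the rows a
    confirmation link points at: a pending user plus a linked-login row with
    the confirmtoken / confirmtokenexpires columns named in the test steps."""

    def __init__(self):
        self.users = {}    # username -> {"confirmed": bool}
        self.linked = {}   # (issuerid, username) -> row dict

    def start_login(self, issuerid, username, email, now):
        """First half of both test paths: create the pending row and return
        the raw token that would be embedded in the e-mailed link."""
        token = secrets.token_urlsafe(32)
        self.users.setdefault(username, {"confirmed": False})
        self.linked[(issuerid, username)] = {
            "email": email,
            "confirmtoken": token,
            "confirmtokenexpires": now + TOKEN_LIFETIME,
            "confirmed": False,
        }
        return token

    def delete_user(self, username):
        """Admin removes the unconfirmed user (path 1, step 9)."""
        self.users.pop(username, None)
        for key in [k for k in self.linked if k[1] == username]:
            del self.linked[key]

    def expire_token(self, issuerid, username, now):
        """Set confirmtokenexpires to the current timestamp (path 2, step 6)."""
        self.linked[(issuerid, username)]["confirmtokenexpires"] = now

    def confirm(self, issuerid, username, token, now):
        """Validate a clicked link; returns (ok, message).

        All rejections share GENERIC_MESSAGE so the caller cannot tell a
        missing row from a bad or expired token. The comparison is
        constant-time, and a used token is cleared so the link is single-use.
        """
        row = self.linked.get((issuerid, username))
        if row is None or username not in self.users:
            return False, GENERIC_MESSAGE
        stored = row["confirmtoken"]
        if stored is None or not hmac.compare_digest(stored, token):
            return False, GENERIC_MESSAGE
        if now >= row["confirmtokenexpires"]:
            return False, GENERIC_MESSAGE
        row["confirmed"] = True
        row["confirmtoken"] = None          # single use
        self.users[username]["confirmed"] = True
        return True, "Linked login confirmed"


def run_both_paths(now=1_494_000_000):
    """Walk the two test paths plus controls; returns the (ok, message) seen."""
    results = {}
    s = ConfirmationStore()
    # Path 1: user removed before the link is clicked.
    tok = s.start_login("google", "alice", "alice@example.com", now)
    s.delete_user("alice")
    results["deleted_user"] = s.confirm("google", "alice", tok, now + 5)
    # Path 2: token expired before the link is clicked.
    tok = s.start_login("google", "bob", "bob@example.com", now)
    s.expire_token("google", "bob", now + 5)
    results["expired"] = s.confirm("google", "bob", tok, now + 5)
    # Wrong token for an existing row gets the same message as the others.
    results["wrong"] = s.confirm("google", "bob", "not-the-token", now)
    # Control: a fresh link works exactly once.
    tok = s.start_login("google", "carol", "carol@example.com", now)
    results["fresh"] = s.confirm("google", "carol", tok, now + 5)
    results["reuse"] = s.confirm("google", "carol", tok, now + 6)
    return results


if __name__ == "__main__":
    for name, (ok, msg) in run_both_paths().items():
        print(f"{name:12s} ok={ok} {msg}")
```

      The `now >= confirmtokenexpires` comparison is what makes step 6 of the second path (setting the column to the current timestamp) count as expired rather than still valid for one more second.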
    • Affected Branches:
      MOODLE_33_STABLE
    • Fixed Branches:
      MOODLE_33_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-58899-master

      Description

      1. View login page
      2. Login via linked account and set up a new account
      3. Allow link to expire
      4. Try to use link
      Expected

      Decent error explaining it's expired and encouraging you to set it up again

      Actual

      Error message: Invalid confirmation data

                Dates

                • Fix Release Date:
                  15/May/17