Bug #84503

Streamline RsaAuth login behavior

Added by Oliver Hader over 1 year ago. Updated about 1 year ago.

Status: Rejected
Priority: Should have
Assignee: -
Category: Authentication
Target version: -
Start date: 2018-03-21
Due date:
% Done: 100%
TYPO3 Version: 7
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Short summary

  • regression in TYPO3 v7.6.25 and v8.7.11 when trying to log into the backend using a regular workflow (fill form, click login button)
  • basically affects Firefox (except macOS version) browsers - e.g. Chrome is not affected by this misbehavior

TYPO3 releases

Updated TYPO3 versions 7.6.26 and 8.7.12 (to substitute 7.6.25 and 8.7.11) are planned to be released on Thursday, March 22nd, 2018.

Side note on RsaAuth

System extension "rsaauth" provides a public/private key encryption mechanism for user credentials that are submitted using an insecure channel (e.g. plain HTTP on port 80). In case a web site is using secure channels (e.g. HTTPS on port 443) the system extension "rsaauth" can be disabled completely in combination with changing the loginSecurityLevel setting in the install tool for frontend and backend from rsa to normal - RsaAuth is superfluous in case the communication to the server is secured via TLS (HTTPS) already.

In general it's suggested to use HTTPS instead of RsaAuth!

Explanation

The fix for issue #76120 - which was targeted to work around situations when a login form has two submit buttons with different meanings/actions - introduced a regression which led to the situation that users could not log in anymore to the TYPO3 backend.
The mentioned regression was handled in issue #84253 which introduced a work-around for the TYPO3 backend part.

A short summary of what happened in the JavaScript part handling the login process:
  • extensions like sr_feuser_register combine different actions by using different name attributes on submit buttons in the same containing form element - in general using different endpoint actions would be suggested instead of combining the meaning in the same form
  • the mentioned first work-around change tries to preserve the name attribute of the clicked button to be sent with the very same form - this was necessary since the button gets disabled once it was clicked (to prevent resubmission and clicking multiple times) - disabled form elements are not delivered in the application/x-www-form-urlencoded part of the HTTP message to the server
  • the change that introduced the first regression was focusing on the button that has been clicked by checking the :focus state of the button and tried to click that again - since the button already became disabled, it also cannot be clicked again and won't actually send the form contents to the server
  • the behavior basically affects Firefox (excluding macOS versions, see below)

To streamline the behavior the following has to be done:
  • revert both changes, the one that introduced the regression and the other that fixed the regression in the backend scope
  • (optionally) re-implement the initial bug fix for #76120 without touching the backend part and only focussing carefully on the frontend part
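
The submit-button behaviour described in the explanation above, as an added JavaScript model that is not TYPO3's or rsaauth's own code. It needs no DOM; the handler names, the sample form and the hidden-field approach in `preservingHandler` are assumptions made for illustration, and the RSA step is a stand-in.

```javascript
// Model of form submission: a control is sent only if it has a name, is not
// disabled and, for submit buttons, is the submitter that triggered the submit.
function buildEntryList(form, submitter) {
  return form.controls
    .filter((c) => c.name && !c.disabled)
    .filter((c) => c.type !== 'submit' || c === submitter)
    .map((c) => [c.name, c.value]);
}

// Clicking a disabled button does nothing (null = no request is sent at all).
function click(form, button) {
  return button.disabled ? null : form.onsubmit(form, button);
}

// Stand-in for the RSA encryption of the password field.
function encrypt(form) {
  for (const c of form.controls) if (c.type === 'password') c.value = 'rsa:<ciphertext>';
}

// Disable the button, then submit from script: no submitter, so its name is lost.
function lossyHandler(form, button) {
  button.disabled = true;
  encrypt(form);
  return buildEntryList(form, null);
}

// Disable the button, then click it again: the click is ignored, nothing is sent.
function reclickHandler(form, button) {
  button.disabled = true;
  encrypt(form);
  return click(form, button);
}

// Copy the clicked button's name/value into a hidden field before disabling it.
function preservingHandler(form, button) {
  form.controls.push({ type: 'hidden', name: button.name, value: button.value });
  button.disabled = true;
  encrypt(form);
  return buildEntryList(form, null);
}

// Constructed sample form with two submit buttons carrying different actions.
function run(handler, clickedName) {
  const form = { onsubmit: handler, controls: [
    { type: 'text', name: 'user', value: 'alice' },
    { type: 'password', name: 'pass', value: 'constructed-secret' },
    { type: 'submit', name: 'action_login', value: 'Login' },
    { type: 'submit', name: 'action_register', value: 'Register' } ] };
  return click(form, form.controls.find((c) => c.name === clickedName));
}
```

Calling `run(reclickHandler, 'action_login')` returns `null`, which is the model's equivalent of the backend login that never reaches the server.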

Related issues

Related to TYPO3 Core - Bug #76120: rsaauth does not submit the name of the submit-button Rejected 2016-05-10
Related to TYPO3 Core - Bug #84253: BE Login with 8.7.11 and Firefox Quantum Browser Version 59.0 not possible anymore Closed 2018-03-14
Related to TYPO3 Core - Bug #84308: Submit of RSA encrypted form not working with type="image" in TYPO3 8.7.11 Closed 2018-03-15

Associated revisions

Revision 04134a18 (diff)
Added by Oliver Hader over 1 year ago

Revert "[BUGFIX] Trigger submit of RSA encrypted form properly"

This reverts commit 16b7d8413b367009cb25120c3a1411963760f013.

Since the initial change for issue #76120 addressed the backend part
as well - which would not have been required, since the mentioned issue
was about the frontend behavior only, the change that has been reverted
now again has been considered as superfluous work-around.

Releases: master, 8.7
Resolves: #84503
Reverts: #84253
Change-Id: I2c676b038a10abd8d2c7fb330968657e8fbb81d3
Reviewed-on: https://review.typo3.org/56388
Tested-by: TYPO3com <>
Reviewed-by: Markus Klein <>
Tested-by: Markus Klein <>
Reviewed-by: Oliver Hader <>
Tested-by: Oliver Hader <>

Revision 9500d1d5 (diff)
Added by Oliver Hader over 1 year ago

Revert "[BUGFIX] Trigger submit of RSA encrypted form properly"

This reverts commit 8bcd58a219d49340de79e92bdeed69c0cf2e6eec.

Since the initial change for issue #76120 addressed the backend part
as well - which would not have been required, since the mentioned issue
was about the frontend behavior only, the change that has been reverted
now again has been considered as superfluous work-around.

Releases: master, 8.7
Resolves: #84503
Reverts: #84253
Change-Id: I2c676b038a10abd8d2c7fb330968657e8fbb81d3
Reviewed-on: https://review.typo3.org/56393
Tested-by: TYPO3com <>
Reviewed-by: Oliver Hader <>
Tested-by: Oliver Hader <>

Revision 7b6231ec (diff)
Added by Oliver Hader over 1 year ago

Revert "[BUGFIX] Simulate submit button for rsaauth form submit"

This reverts commit 1bd63f45ba90eeb6b52e435546bcd7b97a8deaa6.

This change caused a regression which basically affected users of Mozilla
Firefox - details are described in issue #84503. Besides that the initial
bug report addressed the frontend part, changing backend login behavior was
not required in order for the bug fix.

Releases: master, 8.7, 7.6
Resolves: #84503
Reverts: #76120
Change-Id: I45fe6086afa48eed71be635e8cf4a1f3fa138ab2
Reviewed-on: https://review.typo3.org/56396
Tested-by: TYPO3com <>
Reviewed-by: Oliver Hader <>
Tested-by: Oliver Hader <>
Reviewed-by: Susanne Moog <>
Tested-by: Susanne Moog <>

Revision 31075b95 (diff)
Added by Oliver Hader over 1 year ago

Revert "[BUGFIX] Simulate submit button for rsaauth form submit"

This reverts commit a0e51ca70b9d8bc343acc0d178a9ba4b9095b94b.

This change caused a regression which basically affected users of Mozilla
Firefox - details are described in issue #84503. Besides that the initial
bug report addressed the frontend part, changing backend login behavior was
not required in order for the bug fix.

Releases: master, 8.7, 7.6
Resolves: #84503
Reverts: #76120
Change-Id: I45fe6086afa48eed71be635e8cf4a1f3fa138ab2
Reviewed-on: https://review.typo3.org/56395
Tested-by: TYPO3com <>
Reviewed-by: Oliver Hader <>
Tested-by: Oliver Hader <>
Reviewed-by: Susanne Moog <>
Tested-by: Susanne Moog <>

Revision 00b134ae (diff)
Added by Oliver Hader over 1 year ago

Revert "[BUGFIX] Simulate submit button for rsaauth form submit"

This reverts commit 0483c4af5c0441e56322bfa1d882578cbbe71110.

This change caused a regression which basically affected users of Mozilla
Firefox - details are described in issue #84503. Besides that the initial
bug report addressed the frontend part, changing backend login behavior was
not required in order for the bug fix.

RsaEncryptionWithLib.min.js could not be reverted directly due to newer
conflicting changes for the same file - it has been re-compiled from the
according source files using the following uglify command:

../../../../../../Build/node_modules/uglify-js/bin/uglifyjs \
RsaLibrary.js RsaEncryption.js > RsaEncryptionWithLib.min.js

Releases: master, 8.7, 7.6
Resolves: #84503
Reverts: #76120
Change-Id: I45fe6086afa48eed71be635e8cf4a1f3fa138ab2
Reviewed-on: https://review.typo3.org/56394
Tested-by: TYPO3com <>
Reviewed-by: Oliver Hader <>
Tested-by: Oliver Hader <>
Reviewed-by: Susanne Moog <>
Tested-by: Susanne Moog <>

History

#1 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#2 Updated by Oliver Hader over 1 year ago

  • Related to Bug #76120: rsaauth does not submit the name of the submit-button added

#3 Updated by Oliver Hader over 1 year ago

  • Related to Bug #84253: BE Login with 8.7.11 and Firefox Quantum Browser Version 59.0 not possible anymore added

#4 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#5 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Accepted to Under Review

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56388

#6 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56389

#7 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56388

#8 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56389

#9 Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56389

#10 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56393

#11 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56394

#12 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56395

#13 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56396

#14 Updated by Oliver Hader over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

Reverts

#15 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#16 Updated by Gerrit Code Review over 1 year ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#17 Updated by Guido S. over 1 year ago

  • Duplicated by Bug #84498: BE login button not working in Firefox added

#18 Updated by Gerrit Code Review over 1 year ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#19 Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#20 Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/56412

#21 Updated by Markus Klein over 1 year ago

  • Related to Bug #84308: Submit of RSA encrypted form not working with type="image" in TYPO3 8.7.11 added

#22 Updated by Markus Klein over 1 year ago

  • Duplicated by deleted (Bug #84498: BE login button not working in Firefox)

#23 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#24 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#25 Updated by Oliver Hader over 1 year ago

  • Description updated (diff)

#26 Updated by Oliver Hader about 1 year ago

  • Status changed from Under Review to Rejected

RSA auth is only necessary in non-SSL setups. EXT:rsaauth won't be part of TYPO3 core v10 anymore, as its concepts are wrong.
