Issue with AuthBackendHook returning 403 occasionally

14 views
Skip to first unread message

Geoffrey Hausheer

unread,
Nov 14, 2023, 8:33:02 PM11/14/23
to Review Board Development
I developed a simple AuthBackendHook, and it seemed to work fine.  However, occasionally Reviewboard return a 403 Unauthorized.  I don't see any calls to my hook when this happens.

To try to root cause, I copied ldap.py to extension.py, changed the class name, id, and name parameters, and added the Extension boilerplate.  Otherwise I changed nothing else, and I still get 403 response.

Specifically, I see:

[2023-11-14 22:53:53 +0000] [13] [DEBUG] GET /reviewboard/api/review-requests/15/draft/
Unauthorized: /reviewboard/api/review-requests/15/draft/
2023-11-14 22:53:53,880 - WARNING - None - AnonymousUser - /reviewboard/api/review-requests/15/draft/ - django.request - Unauthorized: /reviewboard/api/review-requests/15/draft/

When it is working (or if I'm using the real LDAP module) the equivalent response is:
[2023-11-14 22:53:46 +0000] [11] [DEBUG] GET /reviewboard/api/review-requests/15/draft/
Not Found: /reviewboard/api/review-requests/15/draft/
2023-11-14 22:53:46,408 - WARNING - None - username - /reviewboard/api/review-requests/15/draft/ - django.request - Not Found: /reviewboard/api/review-requests/15/draft/


I don't see any difference in the logs otherwise, and when I instrumented the module, I didn't see any calls to get_or_create_user() or authenticate() (the only 2 calls I implemented)

I've found it is easiest to trigger by going back and forth between the summary and diff on a review, but we've triggered it just navigating around as well.

Geoffrey Hausheer

unread,
Nov 14, 2023, 8:48:45 PM11/14/23
to Review Board Development
Sorry, I realized I typed '403', but 'Unauthorized' is a '401' error code, which is what I'm actually getting.

I found that I could not reproduce this issue when directly querying the endpoint with curl (with the identical cookies/headers), it only occurs when using a browser.

I did another test which was to take my module and copy it to 'ad.py' in the reviewboard installation (and change the class name and imports, and remove the extension).  Now my module is available instead of the 'Active Directory' module, and I cannot reproduce the 'Unauthorized' response.  So I think here is some race condition when using the AuthBackendHook extension.

This hack is sufficient for me, but it is obviously brittle, so I would prefer to use the Extension model instead.
Reply all
Reply to author
Forward
0 new messages