so the provider is more or less ready for use, it's deployed on test.mb and i also modified CB's codebase to test both login and using the access tokens issued by this provider to write reviews using its API.
2024-04-29 12053, 2024
lucifer
some UI issues need to be fixed, i'll discuss them separately with monkey and aerozol.
2024-04-29 12007, 2024
bitmap
!m lucifer
2024-04-29 12008, 2024
BrainzBot
You're doing good work, lucifer!
2024-04-29 12009, 2024
lucifer
nothing much to discuss about this point so moving on to 2.
2024-04-29 12017, 2024
lucifer
2. Security measures taken and decided against
2024-04-29 12018, 2024
lucifer
the distrinet group had done an audit of the MB OAuth provider a few years ago, using their now open source tool. i audited the new OAuth provider's implementation.
The report is ^. There are no major unmitigated threats according to it.
2024-04-29 12038, 2024
lucifer
However, there are some tradeoffs that can be made to make it even more secure.
2024-04-29 12012, 2024
lucifer
there are a total of 8 failing tests in the report. 3 are mandatory, i have opened PRs upstream to fix them in authlib (the library used to implement this provider).
2024-04-29 12058, 2024
lucifer
i do not think these pose a security threat though so it should be fine to release even without it.
i think it's because no one has recently logged in.
2024-04-29 12033, 2024
yvanzo
I did last week
2024-04-29 12034, 2024
lucifer
and tokens expire hourly.
2024-04-29 12012, 2024
lucifer
right, we probably need a bigger expire window to gather an exhaustive list of clients.
2024-04-29 12013, 2024
yvanzo
Oh so that list can vary anytime.
2024-04-29 12022, 2024
bitmap
we have a bunch of expired tokens from 2014/2015 which were never cleaned up for some reason
2024-04-29 12011, 2024
bitmap
but yes, otherwise the list can vary a bit
2024-04-29 12056, 2024
lucifer
we can probably check when the last token was issued to an application for a better estimate.
2024-04-29 12058, 2024
yvanzo
Does PKCE have anything to do with the app itself, or just the tokens?
2024-04-29 12026, 2024
lucifer
you need a couple of code changes in the OAuth process to obtain the tokens with PKCE.
2024-04-29 12028, 2024
yvanzo
I mean do apps need to support it in a way?
2024-04-29 12059, 2024
lucifer
yes code changes are needed in the clients to get the token but nothing after the fact.
2024-04-29 12058, 2024
yvanzo
There are 144 apps with token that expired since last year.
2024-04-29 12030, 2024
lucifer
a lot of these may be one time things. like local deployments.
2024-04-29 12056, 2024
bitmap
24 with a token since last week
2024-04-29 12056, 2024
lucifer
would be simple to check that from the redirect_uris/name/description
2024-04-29 12008, 2024
yvanzo
yes but even then, it's not 6.
2024-04-29 12028, 2024
lucifer
the local deployments use the code from LB, CB, BB so wouldn't need any change to support.
2024-04-29 12039, 2024
zerodogg has quit
2024-04-29 12016, 2024
lucifer
note that, unless we plan to shut off the MB OAuth soon (i don't think we do), mandating PKCE will only prolong the migration by some time during which we need to support both.
2024-04-29 12038, 2024
lucifer
and that is fine i guess.
2024-04-29 12018, 2024
bitmap
we will probably have to continue this discussion later
2024-04-29 12045, 2024
atj
apologies, I didn't mean to derail the discussion
2024-04-29 12046, 2024
lucifer
yup makes sense. after the regular meet or some other day?
2024-04-29 12012, 2024
yvanzo
but it is good to see that there won't be so many apps to move.
2024-04-29 12024, 2024
yvanzo
was there anything else to discuss?
2024-04-29 12032, 2024
bitmap
ideally another day, I really need to work on PG upgrade stuff :)
2024-04-29 12032, 2024
lucifer
yup loads of it :D
2024-04-29 12048, 2024
lucifer
ah okay, makes sense.
2024-04-29 12056, 2024
lucifer
any suggestions on when?
2024-04-29 12002, 2024
derat joined the channel
2024-04-29 12003, 2024
yvanzo
after that?
2024-04-29 12025, 2024
atj
great work btw lucifer
2024-04-29 12034, 2024
bitmap
one thing that stood out from the document - doesn't Picard use the OOB redirect uri?
2024-04-29 12041, 2024
lucifer
:)
2024-04-29 12050, 2024
atj
do you enjoy reading RFCs?
2024-04-29 12051, 2024
lucifer
bitmap: yeah that is another lengthy discussion
2024-04-29 12002, 2024
bitmap
ok, sorry for bringing it up :D
2024-04-29 12031, 2024
lucifer
atj: certainly better than writing compliance tests for the rfcs
2024-04-29 12012, 2024
atj
well, that's like me asking if you like being kicked in the balls and you telling me you prefer to be punched in the face
2024-04-29 12025, 2024
lucifer
it's a nice change sometimes but wouldn't volunteer for it for sure XD
2024-04-29 12030, 2024
lucifer
lol
2024-04-29 12052, 2024
lucifer
when's the schema change?
2024-04-29 12057, 2024
reosarevok
13 may
2024-04-29 12018, 2024
lucifer
so how about 16th?
2024-04-29 12007, 2024
monkey
Don't call me first for reviews please, metro is slow
2024-04-29 12048, 2024
lucifer
i am fine with any day that week or the one after that fwiw.
2024-04-29 12036, 2024
bitmap
that tentatively sounds fine
2024-04-29 12046, 2024
lucifer
cool
2024-04-29 12057, 2024
lucifer
thanks reosarevok, bitmap, yvanzo and atj!
2024-04-29 12000, 2024
bitmap
thank you!
2024-04-29 12020, 2024
reosarevok
<BANG>
2024-04-29 12000, 2024
reosarevok
And on that note, welcome to this MetaBrainz Monday Meeting!
2024-04-29 12014, 2024
ApeKattQuest
🙋
2024-04-29 12028, 2024
JadedBlueEyes
🙋♀️
2024-04-29 12034, 2024
reosarevok
My list for today: Pratha-Fish, huhridge, jasje, JadedBlueEyes, pranav, Tarun_0x0, mayhem, rimskii, atj, monkey, yvanzo, yellowhatpro, theflash__, reosarevok, ansh, zas, ApeKattQuest, akshaaatt, kellnerd, lucifer, bitmap