Conversation
…re available on the server.
…ss-Android into feature/3805-improve-self-hosted-login-internals
Fixed a bunch of other issues along the way.
…ss-Android into feature/3805-improve-self-hosted-login-internals
…e server replies with an empty document.
…droid platform classes and methods.
|
I'm planning to extend the work done here by extracting the cross-platform flows into testable chunks. |
| } | ||
|
|
||
| private boolean isHTTPAuthErrorMessage(Exception e) { | ||
| if (e != null && e.getMessage() != null && e.getMessage().contains("401")) { |
There was a problem hiding this comment.
Maybe we can just return this since we are not doing anything else in the if statement anymore.
There was a problem hiding this comment.
Right. I've removed the unnecessary code.
| String baseURL = getBaseURL(mOriginalURL); | ||
|
|
||
| if (!baseURL.contains("/plugins")) { | ||
| baseURL = baseURL + "/wp-content/plugins/"; |
There was a problem hiding this comment.
This might be a stupid question as I don't know how this class is going to be used, but is there any way the url contains /wp-content but not /plugins?
There was a problem hiding this comment.
Please ignore the above question, I found my answer in getBaseUrl, sorry about that!
| } | ||
|
|
||
| int respCode = openConnection(baseURL); | ||
| if (respCode != HttpURLConnection.HTTP_OK && respCode != 401 && respCode != 403) { |
There was a problem hiding this comment.
I am a bit confused here, what do we do if the error code is 401 or 403 for example? These cases don't seem to be handled later.
There was a problem hiding this comment.
OK, I have an idea. Is this just checking if we can access the server even if it's an unauthorized connection? If so, then this makes sense. However, wouldn't that cause the next call we are going to make to check if a plugin exists return error as well? I really don't know much about how self-hosted installations work, so I might be way off in my assumptions.
There was a problem hiding this comment.
We need to check wether the http://domain/wp-content/plugins/ address is available on internet or not. If the HTTP response code in [200, 401, 403] means that the folder is available on the server. If the response is != from one of the codes above, we can safely assume that the folder is not there.
Note that the routine is just an heuristic, and we can't be 100% sure the folder is there.
There was a problem hiding this comment.
note2: Assuming that the folder is NOT there is not a problem, since the plugins check is just skipped. This minimize false positive.
There was a problem hiding this comment.
Thanks for the clarification. It's pretty convoluted.
|
@daniloercoli I've completed my review and left a few comments/questions. This is a complicated PR for me to take alone, so getting another set of eyes (more experienced ones) would be good. Are there any testing instructions I can follow? |
|
@oguzkocer I fixed the issues you've brought up during review. Hint for reviewers: The best way to review all the login flow is to start looking at |
…ss-Android into feature/3805-improve-self-hosted-login-internals # Conflicts: # WordPress/src/main/java/org/xmlrpc/android/ApiHelper.java
…after a SSLHanshakeException on self hosted sites. Props @hypest
…ted a valid URL on the UI, but WordPress is missconfigured and returns an invalid URL in the apiLink field in the RSD document.
|
Closing this PR since #3853 includes the changes added here, and adds Unit Tests. |
Fix #3805 by providing an enhanced version of the XML-RPC discovery procedure and some other nice things ;)
futurefolder. If you feel confident in keeping the BB plugins list updated (wordpress-mobile/app-blocking-plugins) feel free to put it back in production.The Bad Behavior matching seems to be solid, since the "main" logic behind it was taken from wpscan, but I didn't test it too much. In the end it is just a series of tests upon HTTP response codes returned by the external web server.
login_inserted_invalid_url), that has 1 property attached to ituser_inserted_url, that keep tracks of how many invalid URLs we receive in the login screen. I've not added it to Mixpanel Should I?cc @oguzkocer @hypest @SergioEstevao @bummytime @astralbodies