Frank-Rainer Grahl 2 months ago
parent
commit
faf73b65fb

+ 12 - 3
comm-release/patches/1685414-1-1027.patch → comm-release/patches/1685414-1027.patch

@@ -2,7 +2,7 @@
 # User Sean Burke <sean@thunderbird.net>
 # Date 1666520198 -39600
 # Node ID 37f32ce1863bbee3639d6a0a75cbbc7c225b9dc7
-# Parent  07b10a62a5d560b3f6d4499180bf27c2fcc5c6c3
+# Parent  d3cc73ade41adb7241f0f76a7d956fc279b3594e
 Bug 1685414 - switch Thunderbird OAuth2 to desktop client auth. r=darktrojan,sancus  a=wsmwk
 
 Differential Revision: https://phabricator.services.mozilla.com/D158588
@@ -240,7 +240,16 @@ diff --git a/mailnews/base/src/msgOAuth2Module.js b/mailnews/base/src/msgOAuth2M
 diff --git a/mailnews/base/util/OAuth2.jsm b/mailnews/base/util/OAuth2.jsm
 --- a/mailnews/base/util/OAuth2.jsm
 +++ b/mailnews/base/util/OAuth2.jsm
-@@ -16,49 +16,46 @@ Cu.importGlobalProperties(["fetch"]);
+@@ -8,57 +8,55 @@
+  */
+ var EXPORTED_SYMBOLS = ["OAuth2"];
+ 
+ ChromeUtils.import("resource://gre/modules/Services.jsm");
+ ChromeUtils.import("resource://gre/modules/XPCOMUtils.jsm");
+ ChromeUtils.import("resource:///modules/gloda/log4moz.js");
+ 
+ Cu.importGlobalProperties(["fetch"]);
++Cu.importGlobalProperties(["URL"]);
  
  // Only allow one connecting window per endpoint.
  var gConnecting = {};
@@ -307,7 +316,7 @@ diff --git a/mailnews/base/util/OAuth2.jsm b/mailnews/base/util/OAuth2.jsm
    accessToken: null,
    refreshToken: null,
    tokenExpires: 0,
-@@ -184,19 +181,19 @@ OAuth2.prototype = {
+@@ -184,19 +182,19 @@ OAuth2.prototype = {
        this._browserRequest._listener._cleanUp();
      }
      delete this._browserRequest;
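Review bot: The added `Cu.importGlobalProperties(["URL"]);` sits directly under the existing `Cu.importGlobalProperties(["fetch"]);` in the OAuth2.jsm hunk; the API takes an array, so the two statements can be folded into one, `Cu.importGlobalProperties(["fetch", "URL"]);`, which keeps the inner patch one line shorter and avoids two separate global-import calls doing the same job. Importing the `URL` global here is what makes `new URL(aURL)` in onAuthorizationReceived resolvable, so removing 1685414-2-1027.patch (the URLSearchParams revert) in the same commit is consistent; a one-line comment above the import saying so, `// URL is needed by onAuthorizationReceived (new URL(aURL)).`, would save the next reader from re-deriving it. The widened inner hunk header (`-8,57 +8,55` instead of `-16,49 +16,46`) appears to be only the extra context the new line needs.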

+ 0 - 35
comm-release/patches/1685414-2-1027.patch

@@ -1,35 +0,0 @@
-# HG changeset patch
-# User Frank-Rainer Grahl <frgrahl@gmx.net>
-# Date 1720638787 -7200
-# Parent  efbfc5592504be71e46776dd7556776a04d7b746
-Bug 1685414 - Restore old code. r=me a=me
-
-new URL(foo) is currently disliked for whatever reason.
-
-diff --git a/mailnews/base/util/OAuth2.jsm b/mailnews/base/util/OAuth2.jsm
---- a/mailnews/base/util/OAuth2.jsm
-+++ b/mailnews/base/util/OAuth2.jsm
-@@ -181,19 +181,20 @@ OAuth2.prototype = {
-       this._browserRequest._listener._cleanUp();
-     }
-     delete this._browserRequest;
-   },
- 
-   // @see RFC 6749 section 4.1.2: Authorization Response
-   onAuthorizationReceived(aURL) {
-     this.log.info("OAuth2 authorization received: url=" + aURL);
--    const url = new URL(aURL);
--    if (url.searchParams.has("code")) {
--      this.requestAccessToken(url.searchParams.get("code"), false);
-+    // Services.console.logStringMessage("OAuth2 authorization received: url=" + aURL);
-+    let params = new URLSearchParams(aURL.split("?", 2)[1]);
-+    if (params.has("code")) {
-+      this.requestAccessToken(params.get("code"), false);
-     } else {
-       this.onAuthorizationFailed(null, aURL);
-     }
-   },
- 
-   onAuthorizationFailed(aError, aData) {
-     this.connectFailureCallback(aData);
-   },

+ 145 - 0
comm-release/patches/1814823-1-1153.patch

@@ -0,0 +1,145 @@
+# HG changeset patch
+# User Magnus Melin <mkmelin+mozilla@iki.fi>
+# Date 1694771644 -10800
+# Node ID e8a762f17c72b92cc982e71f1b6f7eefd4de1202
+# Parent  1749f7af16cbf5f31e4d1db5c8658dcccd8d9451
+Bug 1814823 - Handle stale OAuth2 scope. r=leftmostcat a=wsmwk
+
+Add better logging, and always use hardcoded details from the providers we have them for
+(everyone, atm. since we don't yet support dynamic registration).
+
+Differential Revision: https://phabricator.services.mozilla.com/D188241
+
+diff --git a/mail/components/accountcreation/content/createInBackend.js b/mail/components/accountcreation/content/createInBackend.js
+--- a/mail/components/accountcreation/content/createInBackend.js
++++ b/mail/components/accountcreation/content/createInBackend.js
+@@ -24,18 +24,21 @@ function createAccountInBackend(config)
+       sanitize.enum(config.incoming.type, ["pop3", "imap", "nntp"]));
+   inServer.port = config.incoming.port;
+   inServer.authMethod = config.incoming.auth;
+   inServer.password = config.incoming.password;
+   if (config.rememberPassword && config.incoming.password.length)
+     rememberPassword(inServer, config.incoming.password);
+ 
+   if (inServer.authMethod == Ci.nsMsgAuthMethod.OAuth2) {
+-    inServer.setCharValue("oauth2.scope", config.incoming.oauthSettings.scope);
+-    inServer.setCharValue(
++    inServer.setUnicharValue(
++      "oauth2.scope",
++      config.incoming.oauthSettings.scope
++    );
++    inServer.setUnicharValue(
+       "oauth2.issuer",
+       config.incoming.oauthSettings.issuer
+     );
+   }
+ 
+   // SSL
+   if (config.incoming.socketType == 1) // plain
+     inServer.socketType = Ci.nsMsgSocketType.plain;
+diff --git a/mailnews/base/src/msgOAuth2Module.js b/mailnews/base/src/msgOAuth2Module.js
+--- a/mailnews/base/src/msgOAuth2Module.js
++++ b/mailnews/base/src/msgOAuth2Module.js
+@@ -14,46 +14,44 @@ ChromeUtils.import("resource://gre/modul
+  * bearer token it can use to authenticate in SASL steps.
+  * It also takes care of persising the refreshToken for later usage.
+  *
+  * @implements {msgIOAuth2Module}
+  */
+ function OAuth2Module() {}
+ 
+ OAuth2Module.prototype = {
+-  // XPCOM registration stuff
+   QueryInterface: XPCOMUtils.generateQI([Ci.msgIOAuth2Module]),
+   classID: Components.ID("{b63d8e4c-bf60-439b-be0e-7c9f67291042}"),
+ 
+   initFromSmtp(aServer) {
+     return this._initPrefs("mail.smtpserver." + aServer.key + ".",
+       aServer.username, aServer.hostname);
+   },
+   initFromMail(aServer) {
+     return this._initPrefs("mail.server." + aServer.key + ".",
+       aServer.realUsername, aServer.realHostName);
+   },
+   _initPrefs(root, aUsername, aHostname) {
+     // Load all of the parameters from preferences.
+     let issuer = Services.prefs.getStringPref(root + "oauth2.issuer", "");
+     let scope = Services.prefs.getStringPref(root + "oauth2.scope", "");
+ 
+-    // These properties are absolutely essential to OAuth2 support. If we don't
+-    // have them, we don't support OAuth2.
++    let details = OAuth2Providers.getHostnameDetails(aHostname);
++    if (details) {
++      // Found in the list of hardcoded providers. Use the hardcoded values.
++      [issuer, scope] = details;
++      //  Store them for the future, can be useful once we support
++      // dynamic registration.
++      Services.prefs.setStringPref(root + "oauth2.issuer", issuer);
++      Services.prefs.setStringPref(root + "oauth2.scope", scope);
++    }
+     if (!issuer || !scope) {
+-      // Since we currently only support gmail, init values if server matches.
+-      let details = OAuth2Providers.getHostnameDetails(aHostname);
+-      if (details)
+-      {
+-        [issuer, scope] = details;
+-        Services.prefs.setStringPref(root + "oauth2.issuer", issuer);
+-        Services.prefs.setStringPref(root + "oauth2.scope", scope);
+-      }
+-      else
+-        return false;
++      // We need these properties for OAuth2 support.
++      return false;
+     }
+ 
+     // Find the app key we need for the OAuth2 string. Eventually, this should
+     // be using dynamic client registration, but there are no current
+     // implementations that we can test this with.
+     const issuerDetails = OAuth2Providers.getIssuerDetails(issuer);
+     if (!issuerDetails.clientId) {
+       return false;
+diff --git a/mailnews/base/util/OAuth2.jsm b/mailnews/base/util/OAuth2.jsm
+--- a/mailnews/base/util/OAuth2.jsm
++++ b/mailnews/base/util/OAuth2.jsm
+@@ -180,23 +180,39 @@ OAuth2.prototype = {
+ 
+     this._browserRequest._active = false;
+     if ("_listener" in this._browserRequest) {
+       this._browserRequest._listener._cleanUp();
+     }
+     delete this._browserRequest;
+   },
+ 
+-  // @see RFC 6749 section 4.1.2: Authorization Response
++  /**
++   * @param {string} aURL - Redirection URI with additional parameters.
++   */
+   onAuthorizationReceived(aURL) {
+-    this.log.info("OAuth2 authorization received: url=" + aURL);
++    this.log.info("OAuth2 authorization response received: url=" + aURL);
++    // Services.console.logStringMessage("OAuth2 authorization response received: url=" + aURL);
+     const url = new URL(aURL);
+     if (url.searchParams.has("code")) {
++      // @see RFC 6749 section 4.1.2: Authorization Response
+       this.requestAccessToken(url.searchParams.get("code"), false);
+     } else {
++      // @see RFC 6749 section 4.1.2.1: Error Response
++      if (url.searchParams.has("error")) {
++        let error = url.searchParams.get("error");
++        let errorDescription = url.searchParams.get("error_description") || "";
++        if (error == "invalid_scope") {
++          errorDescription += ` Invalid scope: ${this.scope}.`;
++        }
++        if (url.searchParams.has("error_uri")) {
++          errorDescription += ` See ${url.searchParams.get("error_uri")}.`;
++        }
++        this.log.error(`Authorization error [${error}]: ${errorDescription}`);
++      }
+       this.onAuthorizationFailed(null, aURL);
+     }
+   },
+ 
+   onAuthorizationFailed(aError, aData) {
+     this.connectFailureCallback(aData);
+   },
+ 
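Review bot: `this.log.info("OAuth2 authorization response received: url=" + aURL);` in onAuthorizationReceived writes the full redirect URL to the log, and on the success path that URL carries the `code` query parameter, the one-time credential that `requestAccessToken` exchanges for tokens two lines later, so it should not be persisted in plain logs; move `const url = new URL(aURL);` above the log call and log the URL without its query, `this.log.info(\`OAuth2 authorization response received: url=${url.origin}${url.pathname}\`);`, and drop the commented-out `Services.console.logStringMessage(...)` line, which is dead code. The error branch interpolates `error`, `error_description` and `error_uri` straight from the redirect query into `this.log.error(...)`; that is the provider's own message, but it is still external input, so a comment noting it is unsanitized would help anyone later surfacing it in UI. Separately, `new URL(aURL)` throws on a string that is not a valid URL, so a malformed redirect now escapes as an exception instead of reaching `onAuthorizationFailed`, a failure mode the previous `URLSearchParams(aURL.split("?", 2)[1])` form did not have; wrapping the parse in a try/catch that calls `this.onAuthorizationFailed(null, aURL)` would restore that path. In `_initPrefs`, the `getIssuerDetails(issuer)` result is dereferenced as `issuerDetails.clientId` without a null check; those lines are unchanged context here and the function continues past the hunk.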

+ 45 - 0
comm-release/patches/1814823-2-1153.patch

@@ -0,0 +1,45 @@
+# HG changeset patch
+# User Magnus Melin <mkmelin+mozilla@iki.fi>
+# Date 1695117196 0
+# Node ID 5074b31848209b17654136f44096a42a7e61f31e
+# Parent  422471def1629a661236f2ffed5e97c9af7d3715
+Bug 1814823 - Don't update stored OAuth2 scope if we had a narrower version of the scope stored. r=leftmostcat a=wsmwk
+
+This happens with pre 91 profiles, where we used to have google scope to only "https://mail.google.com/".
+
+Differential Revision: https://phabricator.services.mozilla.com/D188457
+
+diff --git a/mailnews/base/src/msgOAuth2Module.js b/mailnews/base/src/msgOAuth2Module.js
+--- a/mailnews/base/src/msgOAuth2Module.js
++++ b/mailnews/base/src/msgOAuth2Module.js
+@@ -26,23 +26,26 @@ OAuth2Module.prototype = {
+     return this._initPrefs("mail.smtpserver." + aServer.key + ".",
+       aServer.username, aServer.hostname);
+   },
+   initFromMail(aServer) {
+     return this._initPrefs("mail.server." + aServer.key + ".",
+       aServer.realUsername, aServer.realHostName);
+   },
+   _initPrefs(root, aUsername, aHostname) {
+-    // Load all of the parameters from preferences.
+-    let issuer = Services.prefs.getStringPref(root + "oauth2.issuer", "");
+-    let scope = Services.prefs.getStringPref(root + "oauth2.scope", "");
++    let issuer = Services.prefs.getStringPref(root + "oauth2.issuer", null);
++    let scope = Services.prefs.getStringPref(root + "oauth2.scope", null);
+ 
+     let details = OAuth2Providers.getHostnameDetails(aHostname);
+-    if (details) {
++    if (details &&
++        (details[0] != issuer ||
++         !scope?.split(" ").every(s => details[1].split(" ").includes(s)))) {
+       // Found in the list of hardcoded providers. Use the hardcoded values.
++      // But only if what we had wasn't a narrower scope of current
++      // defaults. Updating scope would cause re-authorization.
+       [issuer, scope] = details;
+       //  Store them for the future, can be useful once we support
+       // dynamic registration.
+       Services.prefs.setStringPref(root + "oauth2.issuer", issuer);
+       Services.prefs.setStringPref(root + "oauth2.scope", scope);
+     }
+     if (!issuer || !scope) {
+       // We need these properties for OAuth2 support.
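Review bot: The condition `!scope?.split(" ").every(s => details[1].split(" ").includes(s))` re-splits `details[1]` on every iteration and reads as a double negative, which makes the intent (keep a stored scope that is a subset of the provider default, to avoid forcing re-authorization) hard to verify at a glance; hoisting the default into a Set and naming the predicate, `const defaultScopes = new Set(details[1].split(" "));` and `const storedIsSubset = Boolean(scope) && scope.split(" ").every(s => defaultScopes.has(s));`, then `if (details && (details[0] != issuer || !storedIsSubset)) {`, preserves the behaviour (a `null` or empty stored scope still triggers the update) and documents it. Changing the `getStringPref` default from `""` to `null` is what lets the `?.` short-circuit, but the later `if (!issuer || !scope)` guard is now the only thing standing between a `null` issuer and the `getIssuerDetails(issuer)` call; a sentence in the comment stating that a missing pref yields `null` and must fall through to that guard would make the dependency explicit. The rest of `_initPrefs` continues outside the hunk.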

+ 3 - 2
comm-release/patches/series

@@ -2120,10 +2120,11 @@ NOBUG-fixcalbackend-25318.patch
 1453403-2-61a1.patch
 1466297-62a1.patch
 1353704-69a1.patch
-1685414-1-1027.patch
-1685414-2-1027.patch
+1685414-1027.patch
 1810760-1-1027.patch
 1810760-2-1027.patch
+1814823-1-1153.patch
+1814823-2-1153.patch
 1871992-122a1.patch
 815638-125a1.patch
 1864287-punycode-25319.patch