Add a web-based logon flow for clients.

Review Request #12982 — Created May 5, 2023 and submitted — Latest diff uploaded


Review Board


This adds supporting views and endpoints for allowing users to authenticate
clients to the Review Board server via a web browser. This is useful for
users who log in to Review Board using SSO or similar methods, and would
like to use those methods to authenticate the clients. Right now our only
client is RBTools, but in the future we could have other tools and services
that would need to authenticate to Review Board, so this lays the foundation
for supporting web-based logon for any client.

Specifically, we're adding a view that sends authentication data to a client
URL (with the data being an API token created for the client). We also add a
view for prompting the user to authenticate the client as the currently logged
in user, if they are already logged in on their browser during the web login

  • Ran unit tests and JS unit tests.
  • Manually tested authentication to RBTools with the normal login flow, SSO,
    and SSO auto login.
  • Manually tested with successful logins, incorrect password/username attempts,
    logins where the RBTools server is down or returns bad responses
  • Tested with redirect URLs.
  • Tested the normal login flow and with redirect URLs.
  • Tested for XSS vulnerability by using <script>..</script> values in
    the client name, client URL and redirect query parameters.