
    Fix issues with authenticating to private-API servers.

    Review Request #14751 — Created Jan. 7, 2026 and submitted — Latest diff uploaded

    Information

    RBTools
    master


    Review Board's API has certain resources that require authentication.
    But some resources like its root resource, the session resource, and
    the server resource don't require any. However, there's a server
    setting that lets you disable anonymous read access to the API. When
    that is set, every request to the API must be authenticated.

    RBTools assumes that the public API resources would always be public. We
    weren't properly handling communication with private-API servers. This
    has revealed itself in a few issues:

    1. Web-based login caused a regression. When a command that requires the
      API first initializes itself, it creates an API client and fetches the
      root resource. That fetch triggers our auth handlers to prompt for
      authentication, but the web login handler would break because its
      callback expects the root resource and API client to already be set.
      This regression was never made public; it comes from recent
      work that hasn't been released yet.

    2. If a user is logged out and does rbt logout, they'll be prompted to
      log in again.

    3. If a user is logged out and does rbt login, they'll successfully
      log in but we'll print the "You're already logged in" message.

    This change addresses those issues and makes sure that we properly
    authenticate commands when interacting with private-API servers. We add
    a has_session_cookie() method to the API client (and all the way down
    to the server class) which returns whether we have a local session
    cookie for the server. This information helps us deal with issues 2 and
    3. We also update the login/logout commands to needs_api=False to
    address issues 2 and 3.

    The web login handler no longer assumes that a root resource is set. We
    need the root to get the server info, in order to see whether web login
    is supported on the server or not. In the case where we're working with a
    private-API server while logged out, we'll just assume that the server
    supports web login. Even if it doesn't, the auth will fail and we'll
    move on to the username/password prompt handler.

    • Ran unit tests.
    • Tested login/logout on both private-API servers and public ones.
    • Tested login with API tokens, username/password, and web login.
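
The local-cookie check and the web login fallback described above, sketched as an added example that is not RBTools code. It assumes the session cookie is named `rbsessionid`; `plan_command()`, `auth_handlers()`, `make_cookie()` and the host `reviews.example.com` are hypothetical, and the cookie values are constructed.

```python
import time
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit

SESSION_COOKIE = "rbsessionid"  # assumed session cookie name


def make_cookie(domain, path="/", expires=None, name=SESSION_COOKIE):
    """Build a constructed sample cookie (the value is a placeholder)."""
    return Cookie(0, name, "PLACEHOLDER", None, False, domain, True, False,
                  path, True, True, expires, False, None, None, {})


def has_session_cookie(jar, server_url, now=None):
    """True if the jar holds an unexpired session cookie for server_url."""
    now = time.time() if now is None else now
    parts = urlsplit(server_url)
    host, path = parts.hostname or "", parts.path or "/"
    for c in jar:
        # Compare whole path segments so "/rb" does not match "/rbx/".
        prefix = c.path.rstrip("/") + "/"
        if (c.name == SESSION_COOKIE and c.domain.lstrip(".") == host
                and (path + "/").startswith(prefix)
                and not c.is_expired(now)):
            return True
    return False


def plan_command(command, jar, server_url):
    """Pick the first step for login/logout without touching the API."""
    have_cookie = has_session_cookie(jar, server_url)
    if command == "logout":
        # No local session: nothing to end, so never prompt for auth.
        return "end-session" if have_cookie else "nothing-to-do"
    if command == "login":
        # Only a pre-existing session can mean "already logged in".
        return "check-session" if have_cookie else "authenticate"
    raise ValueError(command)


def auth_handlers(web_login_supported):
    """Order of auth handlers; None means server info could not be read."""
    if web_login_supported is False:
        return ["username-password"]
    # Unknown (private API, logged out) is treated as supported; a failed
    # web login falls through to the username/password prompt.
    return ["web-login", "username-password"]
```

Because neither decision fetches the root resource, a private-API server never gets the chance to trigger an auth prompt before the command knows whether a session exists.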
