Skip to content
This repository has been archived by the owner on Feb 8, 2018. It is now read-only.

Encoding is busted in BountySource linking URL #1020

Closed
indirect opened this issue Jun 7, 2013 · 20 comments
Closed

Encoding is busted in BountySource linking URL #1020

indirect opened this issue Jun 7, 2013 · 20 comments

Comments

@indirect
Copy link

indirect commented Jun 7, 2013

When you try to link a gittip account to BountySource, and have a non-ASCII character in your name, gittip sends utf-8 characters interpreted as latin-1 encoding. Here's an example of a BountySource URL for linking with just the name and redirect parameters left:

https://www.bountysource.com/#auth/gittip/connect?first_name=André&last_name=Arko&login=indirect&redirect_url=https%3A%2F%2Fwww.gittip.com%2Fon%2Fbountysource%2Fassociate&status=error_needs_account/

@lyndsysimon
Copy link
Contributor

Does BountySource accept non-ASCII characters in the URL? How should they be encoded?

@indirect
Copy link
Author

indirect commented Jun 7, 2013

Well, my name shows up as "André" in the URL and BountySource form. It's saved in gittip as "André". At very least you could send BountySource the same data you already have...

On Fri, Jun 7, 2013 at 7:06 AM, Lyndsy Simon [email protected]
wrote:

Does BountySource accept non-ASCII characters in the URL? How should they be encoded?

Reply to this email directly or view it on GitHub:
#1020 (comment)

@chadwhitacre
Copy link
Contributor

@indirect
Copy link
Author

FWIW, I did not see that... BountySource successfully displayed the bytes they were being sent (which, afaict, was unicode decoded as latin-1, and then re-encoded as unicode before being given to my browser).

@zbynekwinkler
Copy link
Contributor

Does anyone know where are bountysource api docs? It seems a lot has changed since our part was implemented. I am thinking about busting https://github.com/gittip/www.gittip.com/blob/master/www/on/bountysource/redirect.spt#L31-L80 since the account creation is now based on liking github and others anyway. I just want to make sure I do it right.

@zbynekwinkler
Copy link
Contributor

@corytheboyd I see that you've contributed the original code to connect to bountysource. Do you happen to have a link to the current bountysource api docs?

@zbynekwinkler
Copy link
Contributor

Shall we block this on #1369 too? It is also noted by Sentry but I don't know how to link to this issue from the sentry page without creating a new issue.

@zbynekwinkler
Copy link
Contributor

Referencing #1521 to link these together.

@chadwhitacre
Copy link
Contributor

I don't know how to link to this issue from the sentry page without creating a new issue.

Right, I've ticketed that with Sentry: getsentry/sentry#841.

@chadwhitacre
Copy link
Contributor

Shall we block this on #1369 too?

Hmmm ... we could, although the Bountysource integration is different enough from the others (it's a sort of hacked pseudo-oauth) that refactoring may not really address this.

@chadwhitacre
Copy link
Contributor

I wouldn't block this on #1369, no.

@chadwhitacre
Copy link
Contributor

I don't see where we send you to https://www.bountysource.com/#auth/gittip/connect. I do see where we send to https://www.bountysource.com/#auth/gittip/confirm.

@chadwhitacre
Copy link
Contributor

So the way redirect.spt works is that we pull profile information from existing connections (GitHub, Twitter, Bitbucket), and we send that to Bountysource so that in case you don't have an account to sign up with, they can prepopulate the sign-up form you get.

@chadwhitacre
Copy link
Contributor

However, I'm not seeing that the form prepopulation still exists on the Bountysource side. I notice that the URL redirects:

From https://www.bountysource.com/#/auth/gittip/confirm to https://www.bountysource.com/auth/gittip/confirm and then to https://www.bountysource.com/signin. On the sign in form if I enter an email address I get additional fields for first/last name and display name, but these aren't prepopulated:

screen shot 2013-11-27 at 11 43 59 am

So I'm guessing a) that this bug is no longer an issue (can you confirm, @indirect?) and b) we can just rip out the part where we pull profile information from existing connections.

@chadwhitacre
Copy link
Contributor

Ping @corytheboyd. Also, IRC.

@zbynekwinkler
Copy link
Contributor

@whit537 I am for rip out :). Well, I've already said so in #1020 (comment) so that is probably not a surprise 😄

@chadwhitacre
Copy link
Contributor

Ripped out in b7387dc.

@chadwhitacre
Copy link
Contributor

We should use the BOUNTYSOURCE_WWW_HOST envvar. IRC

@chadwhitacre
Copy link
Contributor

I think we've resolved this, @indirect.

@indirect
Copy link
Author

Cool, thanks everybody!

On Wed, Nov 27, 2013 at 11:31 AM, Chad Whitacre [email protected]
wrote:

Closed #1020.

Reply to this email directly or view it on GitHub:
#1020

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants