magento2: 2.4.3-p2 breaks OAuth integrations, does not upgrade secrets and tries to decrypt them
Preconditions (*)
- Have OAuth integrations created before forced secret encryption
- Upgrade to 2.4.3-p2
Steps to reproduce (*)
- Create and connect an integration on a version before 2.4.3-p2
- Upgrade to 2.4.3-p2
Expected result (*)
- OAuth integration can be successfully reauthorized
Actual result (*)
- Authorization fails with
The attempt to post data to consumer failed due to an unexpected error. Please try again later.
- The secrets are not upgraded along with the update, so it attempts to decrypt unencrypted values
- Internal exception:
[2022-04-14 15:01:08] main.CRITICAL: Notice: iconv_strlen(): Detected an illegal character in input string in /var/www//data/releases/20220414144351/vendor/magento/zendframework1/library/Zend/Validate/StringLength.php on line 250 {"exception":"[object] (Exception(code: 0): Notice: iconv_strlen(): Detected an illegal character in input string in /var/www//data/releases/20220414144351/vendor/magento/zendframework1/library/Zend/Validate/StringLength.php on line 250 at /var/www//data/releases/20220414144351/vendor/magento/framework/App/ErrorHandler.php:61)"} []
- Patch list shows that OAuth upgrade patches were applied
Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.
- Severity: S0 - Affects critical data or functionality and leaves users without workaround.
- Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
- Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
- Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
- Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
About this issue
- State: closed
- Created 2 years ago
- Reactions: 4
- Comments: 32 (8 by maintainers)
Commits related to this issue
- AC-3752::2.4.3-p2 breaks OAuth integrations, does not upgrade secrets and tries to decrypt them — committed to magento/magento2 by deleted user 2 years ago
I’m not sure that you realise it can break the whole service using the API integration: this should be a P1 ticket.
By launching a 2.4.3-p2 or 2.4.4 Magento on production you could break every API service.
Guys you should at least create a quality patch for this issue.
@engcom-Hotel the garbled consumer secret is a reproduction of the issue, this is due to the secret not being encrypted in the migration, so after it, it ends up trying to decrypt the plaintext value from the db
Can reproduce due to the hints of @kenseiatwork, thanks for that!
@engcom-Dash: please try the following:
- Remove the `vendor` directory and use composer to upgrade to Magento 2.4.4
- Run `bin/magento setup:upgrade`
- Create two scripts in /path/to/magento/root

runOauth.php:

```php
<?php
ini_set('memory_limit', '12000M');
use Magento\Framework\App\Bootstrap;
require __DIR__ . '/app/bootstrap.php';
$params = $_SERVER;
$bootstrap = Bootstrap::create(BP, $params);
$obj = $bootstrap->getObjectManager();
$state = $obj->get('Magento\Framework\App\State');
$state->setAreaCode('frontend');
try {
    $encryptor = $obj->get('Magento\Framework\Encryption\Encryptor');
    $tokenCollection = $obj->get('Magento\Integration\Model\ResourceModel\Oauth\Token\CollectionFactory')->create();
    $tokenResourceModel = $obj->get('Magento\Integration\Model\ResourceModel\Oauth\Token');
    $tokenCollection->addFieldToSelect('entity_id');
    $tokenCollection->addFieldToSelect('secret');
    $tokenCollection->addFieldToSelect('type');
    $tokenCollection->setPageSize(100);
    $connection = $tokenResourceModel->getConnection();
    $pages = $tokenCollection->getLastPageNumber();
    $tableName = $tokenResourceModel->getMainTable();
    // The page loop was truncated in the original comment; reconstructed here from the
    // script's stated purpose: encrypt every secret the data patch left in plaintext.
    // It assumes all rows are still plaintext, so run it once only.
    for ($currentPage = 1; $currentPage <= $pages; $currentPage++) {
        $tokenCollection->setCurPage($currentPage);
        foreach ($tokenCollection as $token) {
            $connection->update(
                $tableName,
                ['secret' => $encryptor->encrypt($token->getSecret())],
                ['entity_id = ?' => (int)$token->getId()]
            );
        }
        $tokenCollection->clear(); // force the next page to be loaded from the database
    }
} catch (\Exception $e) {
    die('||' . $e->getMessage());
}
```

and

runConsumer.php:

```php
<?php
ini_set('memory_limit', '12000M');
use Magento\Framework\App\Bootstrap;
require __DIR__ . '/app/bootstrap.php';
$params = $_SERVER;
$bootstrap = Bootstrap::create(BP, $params);
$obj = $bootstrap->getObjectManager();
$state = $obj->get('Magento\Framework\App\State');
$state->setAreaCode('frontend');
try {
    $encryptor = $obj->get('Magento\Framework\Encryption\Encryptor');
    $consumerCollection = $obj->get('Magento\Integration\Model\ResourceModel\Oauth\Consumer\CollectionFactory')->create();
    $consumerResourceModel = $obj->get('Magento\Integration\Model\ResourceModel\Oauth\Consumer');
    $consumerCollection->addFieldToSelect('entity_id');
    $consumerCollection->addFieldToSelect('secret');
    $connection = $consumerResourceModel->getConnection();
    $consumerCollection->setPageSize(100);
    $pages = $consumerCollection->getLastPageNumber();
    $tableName = $consumerResourceModel->getMainTable();
    for ($currentPage = 1; $currentPage <= $pages; $currentPage++) {
        $consumerCollection->setCurPage($currentPage);
        // Loop body was truncated in the original comment; reconstructed from the
        // script's stated purpose (encrypt the still-plaintext consumer secrets). Run once only.
        foreach ($consumerCollection as $consumer) {
            $connection->update(
                $tableName,
                ['secret' => $encryptor->encrypt($consumer->getSecret())],
                ['entity_id = ?' => (int)$consumer->getId()]
            );
        }
        $consumerCollection->clear(); // force the next page to be loaded from the database
    }
} catch (\Exception $e) {
    die('||' . $e->getMessage());
}
```

Then run:

```
php runOauth.php
php runConsumer.php
```

Your existing secrets should be fixed afterwards.
Still waiting for a quality patch since July @magento.
It’s just my opinion, but a security patch SHOULD never include a data/schema patch or any database changes. You should talk about this with your architecture team. The reason is simple: you may break Magento on a security patch, which is total nonsense; by doing this you are also breaking customers’ confidence in security releases.
At least, you could warn everyone in your release notes when a database patch is included in your security release.
Hello,
As I can see, this issue got fixed in the scope of the internal Jira ticket AC-3752 by the internal team. Related commits: https://github.com/magento/magento2/search?q=AC-3752&type=commits
Based on the Jira ticket, the target version is 2.4.6.
Thanks
Exactly. A correct consumer secret would only ever contain characters allowed in HTTP headers.
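The two comments above describe the failure (the data patch skipped rows, so Magento tries to decrypt plaintext) and the property of a healthy secret (only HTTP header characters). The following script is an added example, not code from the issue thread or from Magento: it audits the `oauth_consumer` and `oauth_token` secret columns, classifies each row, and only with `--fix` re-encrypts rows that are still plaintext. Unlike the one-shot scripts posted earlier, the check is idempotent, so a second run never double-encrypts. Two assumptions are made: that a value written by `Magento\Framework\Encryption\Encryptor` starts with the `<keyVersion>:<cipherVersion>:` envelope, and that a legacy plaintext secret consists only of RFC 7230 token characters; the file name `audit_oauth_secrets.php` is hypothetical.

```php
<?php
/**
 * Added example (not from the issue thread or Magento core): audit OAuth secrets after a
 * 2.4.3-p2 / 2.4.4 upgrade and, only with --fix, re-encrypt the rows the data patch skipped.
 *
 * Assumptions: Encryptor output starts with "<keyVersion>:<cipherVersion>:" and a legacy
 * plaintext secret only contains HTTP header token characters (as noted in the thread).
 *
 * Usage, from the Magento root:  php audit_oauth_secrets.php        (report only)
 *                                php audit_oauth_secrets.php --fix  (re-encrypt plaintext rows)
 */
use Magento\Framework\App\Bootstrap;
use Magento\Framework\App\ResourceConnection;
use Magento\Framework\App\State;
use Magento\Framework\Encryption\EncryptorInterface;

require __DIR__ . '/app/bootstrap.php';

// Encryptor envelope: "<keyVersion>:<cipherVersion>:<base64 ciphertext>" (assumption, see above).
const ENCRYPTED_ENVELOPE = '/^\d+:\d+:[A-Za-z0-9+\/=]+$/';
// RFC 7230 token characters: the only bytes a usable consumer/token secret should contain.
const HEADER_TOKEN_CHARS = '/^[A-Za-z0-9!#$%&\'*+\-.^_`|~]+$/';

/**
 * Classify one stored secret so the operator can see what the upgrade actually did to it.
 */
function classifySecret(?string $secret): string
{
    if ($secret === null || $secret === '') {
        return 'empty';
    }
    if (preg_match(ENCRYPTED_ENVELOPE, $secret) === 1) {
        return 'encrypted';   // already upgraded; leave alone
    }
    if (preg_match(HEADER_TOKEN_CHARS, $secret) === 1) {
        return 'plaintext';   // legacy row the data patch skipped; safe to encrypt
    }
    return 'corrupt';         // neither form: needs a manual look (re-create the integration)
}

$bootstrap = Bootstrap::create(BP, $_SERVER);
$om = $bootstrap->getObjectManager();
$om->get(State::class)->setAreaCode('adminhtml');
$encryptor = $om->get(EncryptorInterface::class);
$resource = $om->get(ResourceConnection::class);
$connection = $resource->getConnection();
$fix = in_array('--fix', $argv ?? [], true);

foreach (['oauth_consumer', 'oauth_token'] as $table) {
    $tableName = $resource->getTableName($table);
    $counts = ['empty' => 0, 'encrypted' => 0, 'plaintext' => 0, 'corrupt' => 0];
    $select = $connection->select()->from($tableName, ['entity_id', 'secret']);

    foreach ($connection->fetchAll($select) as $row) {
        $kind = classifySecret($row['secret']);
        $counts[$kind]++;
        if ($kind === 'plaintext' && $fix) {
            // Encrypt in place; the envelope makes this row "encrypted" on the next run.
            $connection->update(
                $tableName,
                ['secret' => $encryptor->encrypt($row['secret'])],
                ['entity_id = ?' => (int)$row['entity_id']]
            );
        }
    }
    printf("%-16s %s%s\n", $tableName, json_encode($counts), $fix ? ' (plaintext rows re-encrypted)' : '');
}
```

Run it without `--fix` first: a non-zero `plaintext` count confirms the situation described in this issue before anything is written, and a non-zero `corrupt` count points at rows that no re-encryption will repair, where the integration should be re-created and re-authorized instead.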
I encountered this problem as well. It looks to be an issue for older Magento sites from when the module.xml’s setup_version was still in use.
The last setup_version for the integration module looks to be 2.2.0, you can check the row for Magento_Integration in the setup_module table.
In the patch files for UpgradeConsumerSecret.php and UpgradeOauthToken.php, the method for getVersion() is set to 2.0.0. I believe this should be 2.2.1 or greater – or removed altogether.
Per devdocs https://devdocs.magento.com/guides/v2.4/extension-dev-guide/declarative-schema/data-patches.html#will-old-scripts-work-in-newer-versions
You would also need to remove the rows in the table `patch_list`:
- `Magento\Integration\Setup\Patch\Data\UpgradeOauthToken`
- `Magento\Integration\Setup\Patch\Data\UpgradeConsumerSecret`

Then rerun `setup:upgrade`.