Error in HTTPS POST submission results in source code for admin tool
Background
We've had two users report this behavior in the past week.
Observed behavior
It was determined that the first user (Zendesk ticket 380937) was using the wrong username (their email username, but missing the /role suffix), and that returned the following, which looks like the source code for the login screen.
<!--
<br>
<font size=+1>
Welcome to Crossref.
</font>
<br><br>
<div id="browser-warning"></div>
<!--[if lt IE 9]>
<style type="text/css">
#browser-warning {
display: none;
background-color: #fde394;
padding: 20px;
max-width: 950px;
}
#browser-warning td.image {
}
#browser-warning img {
max-height: 50px;
}
#browser-warning td.text {
padding-left: 20px;
padding-right: 20px;
color: #4f5858;
font-family: 'Open Sans', sans-serif;
font-weight: bold;
}
#browser-warning .button {
background-color: #3eb1c8;
padding: 10px;
text-decoration: none;
border-radius: 4px;
border: 0;
color: #fefbef;
font-family: 'Open Sans', sans-serif;
font-weight: bold;
line-height: 1;
white-space: nowrap;
}
</style>
<table id="browser-warning-banner">
<tr>
<td class="image"><img src="/images/exclamation-triangle.gif"/></td>
<td class="text"><span>Upgrade browser for full Crossref experience. It looks like you may be using an outdated web browser. Please update your browser for the best possible experience.</span></td>
<td><a class="button" href="/supported-browsers.html" target="_blank" rel="noopener noreferrer">Supported Browsers</a></td>
</tr>
</table>
<![endif]--><!--
<br/>
<table border="0" cellpadding="0" cellspacing="0"><tr>
<td nowrap width="8" valign="top" class="tabSelected"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabSelected"><a href="/servlet/useragent" title="" class="tabSelected"> <b>Home</b> </a></td>
<td nowrap width="8" valign="top" class="tabSelected"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Users: Not Accessible" class="tabNotAllowed"> Users </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Submissions: Not Accessible" class="tabNotAllowed"> Submissions </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Queries: Not Accessible" class="tabNotAllowed"> Queries </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Reports: Not Accessible" class="tabNotAllowed"> Reports </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Metadata Admin: Not Accessible" class="tabNotAllowed"> Metadata Admin </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
</tr></table>
<table border="0" cellpadding="10" cellspacing="0" width="100%">
<tr><td width="100%" class="tabContent1">
<br>
-->
<!DOCTYPE html>
<html>
<head>
<link rel=stylesheet href="https://test.crossref.org/css/tab.css" title="tab css">
<link rel=stylesheet href="https://cdn.production.dcbridgecrossref.org/frontend/crossref-ui/2.1.1/crossref-ui.css" title="tab css">
<link rel="shortcut icon" href="https://test.crossref.org/favicon.ico">
<link href="https://cdn.jsdelivr.net/npm/@mdi/font@4.x/css/materialdesignicons.min.css" rel="stylesheet">
<meta name="viewport" content="width=device-width, initial-scale=1, minimal-ui">
</head>
<!-- Matomo -->
<script type="text/x-template" id="template">
<login-screen/>
</script>
<div id="app"></div>
<script type="text/javascript" src="https://cdn.production.dcbridgecrossref.org/frontend/crossref-ui/2.1.1/crossref-ui.umd.min.js"></script>
<script type="text/javascript">
var _paq = window._paq || [];
/* tracker methods like "setCustomDimension" should be called before "trackPageView" */
_paq.push(["setDocumentTitle", document.domain + "/" + document.title]);
_paq.push(["setCookieDomain", "*.apps.crossref.org"]);
_paq.push(['trackPageView']);
_paq.push(['enableLinkTracking']);
(function() {
var u="https://crossref.matomo.cloud/";
_paq.push(['setTrackerUrl', u+'matomo.php']);
_paq.push(['setSiteId', '15']);
var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s);
})();
var parts = window.location.href.split("/");
var c = CrossrefUI.run({
element: '#app',
reset_password_url: 'https://authenticator.crossref.org/reset-password/',
template: '#template',
authApiBaseUrl: parts[0] + "//" + parts[2],
apiPort: null,
loginUrl: '/servlet/login',
rolesUrl: '/servlet/login',
authFieldSpec: {
username: 'usr',
password: 'pwd'
},
authPostDataFormat: 'formData',
disableMirage: true
})
</script>
<noscript><p><img src="https://crossref.matomo.cloud/matomo.php?idsite=9&rec=1" style="border:0;" alt="" /></p></noscript>
<!-- End Matomo Code -->
<body>
</body>
</html>
When they corrected the username to include /role after the email address, their problem was resolved.
However, the second user (Zendesk ticket 381475) is using the old-style legacy credentials (just username and password, no email address) and verified that they're correct by using them to log in to the admin tool manually.
When they run the HTTPS POST, they get this in response, which looks to be part of the source code for the admin tool after login.
<table border="0" cellpadding="0" cellspacing="0"><tr>
<td nowrap width="8" valign="top" class="tabSelected"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabSelected"><a href="/servlet/useragent" title="" class="tabSelected"> <b>Home</b> </a></td>
<td nowrap width="8" valign="top" class="tabSelected"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Users: Not Accessible" class="tabNotAllowed"> Users </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Submissions: Not Accessible" class="tabNotAllowed"> Submissions </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Queries: Not Accessible" class="tabNotAllowed"> Queries </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Reports: Not Accessible" class="tabNotAllowed"> Reports </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_left.gif" width="8" height="8" alt=""></td>
<td nowrap class="tabNotAllowed"><a href="javascript:alert('You do not have permissions to access this function.')" title="Metadata Admin: Not Accessible" class="tabNotAllowed"> Metadata Admin </a></td>
<td nowrap width="8" valign="top" class="tabNotAllowed"><img src="/images/clips/top_right.gif" width="8" height="8" alt=""></td>
</tr></table>
<table border="0" cellpadding="10" cellspacing="0" width="100%">
<tr><td width="100%" class="tabContent1">
<br>
I've attached a copy of the script that the user has been using to make HTTPS POST submissions here: submitDoi__1_.py
We're still unsure why that does not produce a successful deposit. It's the same code that they had used without issue in the past.
Expected behavior
Getting HTML in response to an HTTPS POST submission just isn't very helpful. A success response or a clear error message would be expected.
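Until the service returns a clear error, a submitting client can at least refuse to treat an HTML body as a successful deposit. The following is an added example (not part of this issue, nor the user's submitDoi__1_.py script): it checks the username format the issue describes (email-style usernames need a /role suffix; legacy usernames do not) and classifies a response using markers taken from the two HTML bodies quoted above. The sample bodies are constructed for illustration.

```python
import re
from typing import Optional

# Markers taken from the two HTML responses quoted in this issue.
LOGIN_SCREEN_MARKERS = ("<login-screen/>", "Welcome to Crossref.")
ADMIN_TOOL_MARKERS = ('class="tabSelected"', 'class="tabNotAllowed"')

# Constructed sample bodies (abbreviated versions of the responses quoted above).
LOGIN_SAMPLE = ('<!-- <td class="tabSelected">Home</td> -->\n<!DOCTYPE html><html>'
                '<script type="text/x-template" id="template"><login-screen/></script>'
                '</html>')
ADMIN_SAMPLE = ('<table><tr><td nowrap class="tabSelected"><b>Home</b></td>'
                '<td nowrap class="tabNotAllowed"> Users </td></tr></table>')


def check_username(username: str) -> Optional[str]:
    """Warn when an email-style username lacks the /role suffix.

    Legacy credentials (a plain username with no '@') are accepted as-is.
    """
    if "@" in username and "/" not in username:
        return "email-style username is missing the /role suffix"
    return None


def classify_response(status: int, content_type: str, body: str) -> str:
    """Classify a deposit response so an HTML page is never mistaken for success.

    Returns 'ok', 'login_screen', 'admin_tool_fragment', 'http_error'
    or 'unexpected_html'.
    """
    if status >= 400:
        return "http_error"
    looks_like_html = ("text/html" in content_type.lower()
                       or re.search(r"<\s*(html|table|div)\b", body, re.I) is not None)
    if not looks_like_html:
        return "ok"
    # The login screen also contains the (commented-out) tab markup, so test it first.
    if any(m in body for m in LOGIN_SCREEN_MARKERS):
        return "login_screen"          # credentials not accepted; check username format
    if any(m in body for m in ADMIN_TOOL_MARKERS):
        return "admin_tool_fragment"   # logged in, but the deposit was not processed
    return "unexpected_html"


if __name__ == "__main__":
    print(check_username("user@example.org"))
    print(classify_response(200, "text/html; charset=UTF-8", LOGIN_SAMPLE))
    print(classify_response(200, "text/html; charset=UTF-8", ADMIN_SAMPLE))
```

A client that logs the classification rather than the raw body also avoids writing the admin tool's markup into its own logs.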
How urgent
Definition of ready
- Product owner: @SaraBowman
- Tech lead:
- Service:: or C:: label applied
- Definition of done updated
- Acceptance testing plan:
- Weight applied
Definition of done
- Unit tests identified, implemented, and passing
- Code reviewed
- Available for acceptance testing via a staging URL, or otherwise
- Consider any impacts to current or future architecture/infrastructure, and update specifications and documentation as needed
- Knowledge base reviewed and updated
- Public documentation reviewed and updated
- Acceptance criteria met
  - AC 1
  - AC 2
- Acceptance testing passed
- Deployed to production