nexedi / erp5 / Merge requests / !2148

Open
Created Aug 21, 2025 by Xiaowu Zhang@xiaowu.zhangDeveloper

Draft: fix login issue with unicode


@romain has also been hit by the 'Invalid authentication token' error when logging in with unicode in the login/password, which reminded me of the Invalid authentication token discussion that I forgot

After some searching, I think here is what happens:

  1. when the user clicks login, modifyRequest of CookieCrumbler is called, which generates the ac value, then calls setAuthCookie to set the cookie in the browser even if the login/password are not correct

  2. then BaseRequest of Zope is called, which calls identify of AccessControl

  3. in identify, it tries to call decode, but since there is unicode, it fails with the exception:

'ascii' codec can't decode byte 0xc3 in position 0

which is caught and raised again as BadRequest 'Invalid authentication token'

  4. since there is an exception, the post-traversal hooks of BaseRequest are not called anymore; in our login case, logged_in, which is used to remove the cookie if anonymous, is not called

  5. in the end, the wrong cookie is set in the browser, and the user is not able to log in anymore since the login page always shows BadRequest 'Invalid authentication token'

I don't know what the correct way to fix this is; I already tried the original CookieCrumbler instead of our patch, and it has the same error

Maybe we should also patch BaseRequest.py or AccessControl.py

I already tried patching AccessControl.py with @romain, and it seems to work

--- a/src/AccessControl/userfolder.py
+++ b/src/AccessControl/userfolder.py
@@ -118,7 +118,7 @@ class BasicUserFolder(Implicit, Persistent, RoleManager):
                 name, password = decodebytes(auth.split(b' ')[-1]) \
                     .decode().split(':', 1)
             except BaseException:
-                raise BadRequest('Invalid authentication token')
+                return None, None
             return name, password
         else:
             return None, None
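
Review bot: In the `except BaseException:` branch, `return None, None` makes an undecodable token indistinguishable from a request that carries no credentials, and the clause is still broad enough to swallow errors unrelated to decoding. Consider catching only what the decode expression can raise (for example `binascii.Error`, `UnicodeDecodeError`, `ValueError`) and logging the rejection so malformed tokens stay visible to operators. The `.decode()` call above it still takes no explicit encoding, so the bytes behind the reported `'ascii' codec can't decode byte 0xc3` error will keep failing and now fall through as anonymous; passing an explicit encoding there and adding a test with non-ASCII login/password would show whether such credentials are meant to authenticate or only to be ignored.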

@jerome @vpelletier what do you think?

Source branch: fix/login_with_unicode
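
The decode failure described in this merge request, reproduced as an added example that is not part of the original post and is not AccessControl's code. The `identify` signature with its `codec` and `lenient` parameters, the `BadRequest` stand-in, `make_token`, `outcomes` and the sample credentials are all assumptions made for illustration.

```python
import base64
import binascii


class BadRequest(Exception):
    """Stand-in for zExceptions.BadRequest (constructed for this example)."""


def identify(auth, codec="ascii", lenient=False):
    """Sketch of the Basic-token decode shown in the diff.

    codec is explicit so the 'ascii' failure from the description can be
    reproduced; lenient=True mirrors the proposed `return None, None`.
    """
    if not (auth and auth.lower().startswith(b"basic ")):
        return None, None
    try:
        raw = base64.decodebytes(auth.split(b" ")[-1])
        name, password = raw.decode(codec).split(":", 1)
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        if lenient:
            return None, None
        raise BadRequest("Invalid authentication token") from exc
    return name, password


def make_token(name, password):
    """Build a constructed Basic token from UTF-8 encoded credentials."""
    pair = ("%s:%s" % (name, password)).encode("utf-8")
    return b"Basic " + base64.b64encode(pair)


def outcomes(name, password):
    """Return what each handling strategy does with the same token."""
    token = make_token(name, password)
    result = {}
    try:
        result["strict_ascii"] = identify(token, "ascii")
    except BadRequest as exc:
        result["strict_ascii"] = "BadRequest: %s (%s)" % (exc, exc.__cause__)
    result["lenient_ascii"] = identify(token, "ascii", lenient=True)
    result["strict_utf8"] = identify(token, "utf-8")
    return result


if __name__ == "__main__":
    for key, value in outcomes("élise", "motdepasse").items():
        print(key, "->", value)
```

The lenient branch yields the same `(None, None)` as a request with no token at all, while the explicit UTF-8 decode recovers the credentials.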