Password manager generates unsuccessful requests to googleapis.com/affiliation/v1 #29872

Closed
fmarier opened this issue Apr 19, 2023 · 3 comments · Fixed by brave/brave-core#18153
Assignees
Labels
feature/password-manager network/startup requests OS/Desktop priority/P2 A bad problem. We might uplift this to the next planned release. privacy/connect This requires making a network connection to a third-party service. QA Pass-macOS QA/Yes release-notes/include

Comments

@fmarier
Member

fmarier commented Apr 19, 2023

Description

A new feature of the Chromium password manager is backed by a backend service delivering metadata about sites to the browser. Here's the description of the requests:

         description:
            " Chrome can obtain information about affiliated and grouped "
            " websites as well as link to directly change password using this "
            " request. Chrome sends only hash prefixes of the websites. "
          trigger: "Whenever a new password added or one day passed after last"
            " request for existing passwords. Another trigger is a change "
            " password action in settings."
          data:
            "Hash prefixes of websites URLs or package name for android apps."
          setting:
            "This feature is used to facilitate password manager filling "
            "experience by allowing users to fill passwords between "
            "affiliated sites and apps, or when user needs to get a direct"
            "change password URL. Furthermore only deleting all passwords will "
            "turn this feature off."

Steps to Reproduce

Here's how to reproduce on Linux:

  1. Start mitmproxy: mitmproxy --mode socks5 --listen-port 9000
  2. Start Brave in a fresh profile: brave-browser-stable --user-data-dir=/home/francois/brave-temp-profile --proxy-server="socks5://localhost:9000"
  3. Go into the Password Manager settings: brave://settings/passwords
  4. Click Add and put a fake username+password for https://www.facebook.com

Actual result:

This will generate this unproxied network request:

POST https://www.googleapis.com/affiliation/v1/affiliation:lookupByHashPrefix?key=dummytoken HTTP/2.0

with the following response:

{
    "error": {
        "code": 400,
        "details": [
            {
                "@type": "type.googleapis.com/google.rpc.ErrorInfo",
                "domain": "googleapis.com",
                "metadata": {
                    "service": "affiliation.googleapis.com"
                },
                "reason": "API_KEY_INVALID"
            }
        ],
        "errors": [
            {
                "domain": "global",
                "message": "API key not valid. Please pass a valid API key.",
                "reason": "badRequest"
            }
        ],
        "message": "API key not valid. Please pass a valid API key.",
        "status": "INVALID_ARGUMENT"
    }
}

This request will be retried constantly using an exponential backoff algorithm since it always fails.

Expected result:

These network requests should not take place.

Brave version (brave://version info)

Brave	1.50.119 Chromium: 112.0.5615.121 (Official Build) (64-bit) 
Revision	39cc4e45904ae9f1741c4fbaa866e629c96f2268-refs/branch-heads/5615_51@{#8}
OS	Linux
@fmarier fmarier added priority/P2 A bad problem. We might uplift this to the next planned release. feature/password-manager QA/Yes release-notes/include privacy/connect This requires making a network connection to a third-party service. OS/Desktop network/startup requests labels Apr 19, 2023
@fmarier fmarier added the OS/Android Fixes related to Android browser functionality label Apr 19, 2023
@fmarier fmarier self-assigned this Apr 19, 2023
fmarier added a commit to brave/brave-core that referenced this issue Apr 19, 2023
@fmarier fmarier added this to the 1.50.x - Release #5 milestone Apr 20, 2023
@fmarier fmarier removed the OS/Android Fixes related to Android browser functionality label Apr 20, 2023
@kjozwiak kjozwiak removed this from the 1.50.x - Release #5 milestone Apr 20, 2023
@kjozwiak
Member

Removed milestone, we'll move the issue into the appropriate milestone once we have uplifts. Assuming this needs to go out via the next possible release. It could be a 1.50.x if we end up getting another C112 build or 1.51.x which is the next major release as per https://github.com/brave/brave-browser/wiki/Brave-Release-Schedule#release-channel-dates. Either way, once we get uplifts, the issue will be moved into the appropriate milestone 👍

@kjozwiak
Member

The above requires 1.51.107 or higher for 1.51.x verification 👍

@stephendonner

stephendonner commented May 1, 2023

Verification PASSED using

Reproduced easily using

Brave 1.50.121 Chromium: 112.0.5615.138 (Official Build) (x86_64)
Revision 2258f2fcaeb07bc95c992b7ca47f0b43ead9865c-refs/branch-heads/5615@{#1282}
OS macOS Version 11.7.6 (Build 20G1231)

Steps:

  1. installed 1.50.121
  2. launched Fiddler Everywhere
  3. launched Brave
  4. opened brave://settings/passwords
  5. clicked Add
  6. entered https://www.facebook.com
  7. entered username/password
  8. clicked Save
  9. examined Fiddler Everywhere

Confirmed no requests to https://www.googleapis.com/...


@stephendonner stephendonner added QA/In-Progress Indicates that QA is currently in progress for that particular issue QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels May 1, 2023
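
The manual check in this thread (looking through a proxy capture for requests to the affiliation endpoint) can be scripted. The following is an added example, not part of the issue or of Brave's code: it assumes the capture has been exported as HAR, and the function names, sample entries, timestamps and retry gaps are constructed for illustration.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit
AFFILIATION_HOST = "www.googleapis.com"  # endpoint from the issue
AFFILIATION_PATH = "/affiliation/v1/"

def error_reason(body):
    """Return error.details[].reason from a googleapis error body, or None."""
    try:
        details = json.loads(body)["error"]["details"]
        return next((d["reason"] for d in details if "reason" in d), None)
    except (ValueError, KeyError, TypeError):
        return None

def find_affiliation_requests(har):
    """One record per HAR entry hitting the affiliation API (query string dropped)."""
    hits = []
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        url = urlsplit(req.get("url", ""))
        if url.hostname != AFFILIATION_HOST or not url.path.startswith(AFFILIATION_PATH):
            continue
        started = entry["startedDateTime"].replace("Z", "+00:00")
        hits.append({"time": datetime.fromisoformat(started), "path": url.path,
                     "status": resp.get("status"),
                     "reason": error_reason(resp.get("content", {}).get("text", ""))})
    return sorted(hits, key=lambda h: h["time"])

def looks_like_backoff(hits):
    """True when failed requests repeat with non-decreasing gaps between them."""
    failed = [h["time"] for h in hits if (h["status"] or 0) >= 400]
    gaps = [(b - a).total_seconds() for a, b in zip(failed, failed[1:])]
    return len(gaps) >= 2 and all(g2 >= g1 for g1, g2 in zip(gaps, gaps[1:]))

# Constructed sample capture (timestamps and retry gaps are made up).
_URL = "https://www.googleapis.com/affiliation/v1/affiliation:lookupByHashPrefix?key=dummytoken"
_ERR = json.dumps({"error": {"code": 400, "details": [{"reason": "API_KEY_INVALID"}]}})
def _entry(ts, url, status, text=""):
    return {"startedDateTime": ts, "request": {"method": "POST", "url": url},
            "response": {"status": status, "content": {"text": text}}}
SAMPLE_HAR = {"log": {"entries": [
    _entry("2023-04-19T10:00:00.000Z", _URL, 400, _ERR),
    _entry("2023-04-19T10:00:01.000Z", "https://example.com/", 200),
    _entry("2023-04-19T10:00:02.000Z", _URL, 400, _ERR),
    _entry("2023-04-19T10:00:06.000Z", _URL, 400, _ERR)]}}

if __name__ == "__main__":
    found = find_affiliation_requests(SAMPLE_HAR)
    print(len(found), "affiliation requests; retry loop:", looks_like_backoff(found))
```

On a capture where these requests no longer occur, `find_affiliation_requests` returns an empty list.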

4 participants