extractCredentials: do not read json from the request.

[mauritsvanrees]

The result was never used, and it may fail when the request is too large to read. This is a problem since at least Zope 5.8.4, introduced in Plone 6.0.7. See plone/Products.CMFPlone#3848 and zopefoundation/Zope#1180.

This PR is an alternative to #1726. See discussion there.

[netlify]

✅ Deploy Preview for plone-restapi canceled.

Name	Link
🔨 Latest commit	67fe0c5
🔍 Latest deploy log	https://app.netlify.com/sites/plone-restapi/deploys/6541263e55b9e400080d6067

[mister-roboto]

@mauritsvanrees thanks for creating this Pull Request and helping to improve Plone!

TL;DR: Finish pushing changes, pass all other checks, then paste a comment:

@jenkins-plone-org please run jobs

To ensure that these changes do not break other parts of Plone, the Plone test suite matrix needs to pass, but it takes 30-60 min. Other CI checks are usually much faster and the Plone Jenkins resources are limited, so when done pushing changes and all other checks pass either start all Jenkins PR jobs yourself, or simply add the comment above in this PR to start all the jobs automatically.

Happy hacking!

[mauritsvanrees]

This fails because in the test_api_login_grants_zmi test we get an Unauthorised.

What this test tries to do, and what no longer works with this PR:

• Do a POST to the @login endpoint with login and password.
• Request /manage_workspace on the Zope root, with the __ac cookie that is set.

When I instead request /manage_workspace on the Plone root, it does work. The initial response of the @login POST does have an __ac cookie, and its path is /, so that should not be the problem. But something more happened before, that no longer happens if we remove these lines.

It has to do with ZODBUserManager.authenticateCredentials which does not mind that it receives credentials from a different plugin, like ours. It happily uses them, and the Zope root acl_users would authenticate us, as it finds the admin user. But now that our extractCredentials no longer passes on these credentials, no user is found.

The @login endpoint still does something that makes the user be authenticated in Plone, but it no longer works on the Zope root level.

So I guess this approach is not good enough.
What do you think @davisagli ?

[davisagli]

@mauritsvanrees Okay, makes sense: we need to extract the credentials in a PAS extract credentials plugin so that they are available for use by other authenticateCredentials plugins.

I still kind of feel like this would belong more cleanly in a separate plugin, since it is not really directly related to authenticating a JWT token. But let's leave it for now.