From 0254fc42061fad42ef65e69d7f826cd2c64b1212 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Tue, 15 May 2012 15:39:46 -0600
Subject: [PATCH] issue #1592 update complete_email_addition to accept a
 password in the case that email verification was started on a previous
 version of the software that didn't collect a password in-dialog

---
 lib/wsapi/complete_email_addition.js | 46 +++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/lib/wsapi/complete_email_addition.js b/lib/wsapi/complete_email_addition.js
index fcff72813..7756fcf5b 100644
--- a/lib/wsapi/complete_email_addition.js
+++ b/lib/wsapi/complete_email_addition.js
@@ -21,13 +21,40 @@ exports.process = function(req, res) {
   //
   // 1. you must already be authenticated as the user who initiated the verification
   // 2. you must provide the password of the initiator.
-  //
+
+  // TRANSITIONAL CODE COMMENT
+  // for issue 1000 we moved initial password selection to the browserid dialog (from
+  // the verification page).  Rolling out this change causes some temporal pain.
+  // Outstannding verification links sent before the change was deployed will have
+  // email addition requests that require passwords without passwords in the stage table.
+  // When the verification page is loaded for
+  // these links, we prompt the user for a password.  That password is sent up with
+  // the request.  this code and comment should all be purged after the new code
+  // has been in production for 2 weeks.
+
+  var transitionalPassword = null;
+
+  // END TRANSITIONAL CODE COMMENT
+
+
   db.authForVerificationSecret(req.body.token, function(err, initiator_hash, initiator_uid) {
     if (err) {
       logger.info("unknown verification secret: " + err);
       return wsapi.databaseDown(res, err);
     }
 
+    // TRANSITIONAL CODE
+    if (!initiator_hash) {
+      if (!req.body.pass) return httputils.authRequired(res, "password required");
+      var err = wsapi.checkPassword(req.body.pass);
+      if (err) {
+        logger.warn("invalid password received: " + err);
+        return httputils.badRequest(res, err);
+      }
+      transitionalPassword = req.body.pass;
+      postAuthentication();
+    } else
+    // END TRANSITIONAL CODE
     if (req.session.userid === initiator_uid) {
       postAuthentication();
     } else if (typeof req.body.pass === 'string') {
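Review bot: The new `if (!initiator_hash)` branch turns any null hash into "accept whatever well-formed password arrives in the request and call postAuthentication()", gated only by knowledge of the verification token, and nothing in the hunk ties that to the pre-deployment stage rows the comment describes; if a null hash can reach this handler any other way (an initiator whose account has no password hash, for instance), the token alone becomes a password-set plus login, so confirm against `authForVerificationSecret` that a missing hash is only possible for the old rows, or gate the branch on the stage row's age as well. The branch should also require `typeof req.body.pass === 'string'` before handing it to `checkPassword`, matching the existing branch below it, since `!req.body.pass` lets a non-string body value through. `var err = wsapi.checkPassword(req.body.pass)` redeclares the callback's `err` parameter; a distinct name such as `passErr` avoids shadowing the value just tested. Because the comment says this code must be purged after two weeks, the `var transitionalPassword = null;` line deserves a tracked marker, e.g. `// TODO(lloyd): remove after issue #1592 transition window (see issue 1000)`.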
@@ -53,6 +80,23 @@ exports.process = function(req, res) {
         } else {
           wsapi.authenticateSession(req.session, uid, 'password');
           res.json({ success: true });
+
+          // TRANSITIONAL CODE
+          if (transitionalPassword) {
+            wsapi.bcryptPassword(transitionalPassword, function(err, hash) {
+              if (err) {
+                logger.warn("couldn't bcrypt pass for old verification link: " + err);
+                return;
+              }
+
+              db.updatePassword(uid, hash, function(err) {
+                if (err) {
+                  logger.warn("couldn't bcrypt pass for old verification link: " + err);
+                }
+              });
+            });
+          }
+          // END TRANSITIONAL CODE
         }
       });
     };
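Review bot: `res.json({ success: true })` is sent, and the session is authenticated, before the transitional password has been bcrypted and stored, so a failure in `bcryptPassword` or `db.updatePassword` only logs a warning and leaves the caller logged in with an account that still has no password hash; that account would then re-enter the `!initiator_hash` fallback on any later verification link. The persistence should complete before the success response, with an error response on failure, as sketched below (the bcrypt-failure response helper is not visible in this hunk, so pick whatever the file uses for server errors). The message on the `updatePassword` error path is a copy of the bcrypt one and should read `"couldn't update password for old verification link: "`. The enclosing callback and `postAuthentication` begin outside this hunk, so I have assumed `uid` here is the initiator's id.

```javascript
        } else {
          // TRANSITIONAL CODE
          if (!transitionalPassword) {
            wsapi.authenticateSession(req.session, uid, 'password');
            return res.json({ success: true });
          }

          // persist the password before authenticating or reporting success,
          // so a failed update cannot leave a logged-in account with no hash
          wsapi.bcryptPassword(transitionalPassword, function(err, hash) {
            if (err) {
              logger.warn("couldn't bcrypt pass for old verification link: " + err);
              return; // … respond with a server error here (helper not visible in this hunk) …
            }

            db.updatePassword(uid, hash, function(err) {
              if (err) {
                logger.warn("couldn't update password for old verification link: " + err);
                return wsapi.databaseDown(res, err);
              }
              wsapi.authenticateSession(req.session, uid, 'password');
              res.json({ success: true });
            });
          });
          // END TRANSITIONAL CODE
        }
```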
-- 
GitLab