diff --git a/lib/wsapi/complete_email_addition.js b/lib/wsapi/complete_email_addition.js index abd012418bdacfecee0ab3f4d41df2eacf046407..53ddb3625200c603ec1396aceb3b79a415143a07 100644 --- a/lib/wsapi/complete_email_addition.js +++ b/lib/wsapi/complete_email_addition.js @@ -23,39 +23,12 @@ exports.process = function(req, res) { // 1. you must already be authenticated as the user who initiated the verification // 2. you must provide the password of the initiator. - // TRANSITIONAL CODE COMMENT - // for issue 1000 we moved initial password selection to the browserid dialog (from - // the verification page). Rolling out this change causes some temporal pain. - // Outstannding verification links sent before the change was deployed will have - // email addition requests that require passwords without passwords in the stage table. - // When the verification page is loaded for - // these links, we prompt the user for a password. That password is sent up with - // the request. this code and comment should all be purged after the new code - // has been in production for 2 weeks. - - var transitionalPassword = null; - - // END TRANSITIONAL CODE COMMENT - - db.authForVerificationSecret(req.body.token, function(err, initiator_hash, initiator_uid) { if (err) { logger.info("unknown verification secret: " + err); return wsapi.databaseDown(res, err); } - // TRANSITIONAL CODE - if (!initiator_hash) { - if (!req.body.pass) return httputils.authRequired(res, "password required"); - var err = wsapi.checkPassword(req.body.pass); - if (err) { - logger.warn("invalid password received: " + err); - return httputils.badRequest(res, err); - } - transitionalPassword = req.body.pass; - postAuthentication(); - } else - // END TRANSITIONAL CODE if (req.session.userid === initiator_uid) { postAuthentication(); } else if (typeof req.body.pass === 'string') { @@ -81,23 +54,6 @@ exports.process = function(req, res) { } else { wsapi.authenticateSession(req.session, uid, 'password'); res.json({ success: true }); - - // TRANSITIONAL CODE - if (transitionalPassword) { - wsapi.bcryptPassword(transitionalPassword, function(err, hash) { - if (err) { - logger.warn("couldn't bcrypt pass for old verification link: " + err); - return; - } - - db.updatePassword(uid, hash, function(err) { - if (err) { - logger.warn("couldn't bcrypt pass for old verification link: " + err); - } - }); - }); - } - // END TRANSITIONAL CODE } }); }; diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js index eab3381d8574a61f50bb6111b550b24619c2ca32..7a65ec488f52322b0010ca8bfd33210324749bcf 100644 --- a/lib/wsapi/complete_user_creation.js +++ b/lib/wsapi/complete_user_creation.js @@ -29,16 +29,6 @@ exports.process = function(req, res) { // and then control a browserid account that they can use to prove they own // the email address of the attacked. - // TRANSITIONAL CODE COMMENT - // for issue 1000 we moved initial password selection to the browserid dialog (from - // the verification page). Rolling out this change causes some temporal pain. - // Outstannding verification links sent before the change was deployed will have - // new user requests without passwords. When the verification page is loaded for - // these links, we prompt the user for a password. That password is sent up with - // the request. this code and comment should all be purged after the new code - // has been in production for 2 weeks. - // END TRANSITIONAL CODE COMMENT - // is this the same browser? if (typeof req.session.pendingCreation === 'string' && req.body.token === req.session.pendingCreation) { @@ -47,13 +37,6 @@ exports.process = function(req, res) { // is a password provided? else if (typeof req.body.pass === 'string') { return db.authForVerificationSecret(req.body.token, function(err, hash) { - // TRANSITIONAL CODE - // if hash is null, no password was provided during verification and - // this is an old-style verification. We accept the password and will - // update it after the verification is complete. - if (err == 'no password for user' || !hash) return postAuthentication(); - // END TRANSITIONAL CODE - if (err) { logger.warn("couldn't get password for verification secret: " + err); return wsapi.databaseDown(res, err); @@ -75,67 +58,33 @@ exports.process = function(req, res) { } function postAuthentication() { - // the time the email verification is performed, we'll clear the pendingCreation - // data on the session. - delete req.session.pendingCreation; - db.haveVerificationSecret(req.body.token, function(err, known) { if (err) return wsapi.databaseDown(res, err); - if (!known) return res.json({ success: false} ); + if (!known) { + // clear the pendingCreation token from the session if we find no such + // token in the database + delete req.session.pendingCreation; + return res.json({ success: false} ); + } - // TRANSITIONAL CODE - // user is authorized (1 or 2 above) OR user has no password set, in which - // case for a short time we'll accept the password provided with the verification - // link, and set it as theirs. - var transitionalPassword = null; + db.gotVerificationSecret(req.body.token, function(err, email, uid) { + if (err) { + logger.warn("couldn't complete email verification: " + err); + wsapi.databaseDown(res, err); + } else { + // clear the pendingCreation token from the session once we + // successfully complete user creation + delete req.session.pendingCreation; - db.authForVerificationSecret(req.body.token, function(err, hash) { - if (err == 'no password for user' || !hash) { - if (!req.body.pass) return httputils.authRequired(res, "password required"); - err = wsapi.checkPassword(req.body.pass); - if (err) { - logger.warn("invalid password received: " + err); - return httputils.badRequest(res, err); - } - transitionalPassword = req.body.pass; + // At this point, the user is either on the same browser with a token from + // their email address, OR they've provided their account password. It's + // safe to grant them an authenticated session. + wsapi.authenticateSession(req.session, uid, 'password', + config.get('ephemeral_session_duration_ms')); + res.json({ success: true }); } - completeCreation(); }); - // END TRANSITIONAL CODE - - function completeCreation() { - db.gotVerificationSecret(req.body.token, function(err, email, uid) { - if (err) { - logger.warn("couldn't complete email verification: " + err); - wsapi.databaseDown(res, err); - } else { - // FIXME: not sure if we want to do this (ba) - // at this point the user has set a password associated with an email address - // that they've verified. We create an authenticated session. - wsapi.authenticateSession(req.session, uid, 'password', - config.get('ephemeral_session_duration_ms')); - res.json({ success: true }); - - // TRANSITIONAL CODE - if (transitionalPassword) { - wsapi.bcryptPassword(transitionalPassword, function(err, hash) { - if (err) { - logger.warn("couldn't bcrypt pass for old verification link: " + err); - return; - } - - db.updatePassword(uid, hash, function(err) { - if (err) { - logger.warn("couldn't bcrypt pass for old verification link: " + err); - } - }); - }); - } - // END TRANSITIONAL CODE - } - }); - } }); } };