diff --git a/lib/wsapi/complete_email_addition.js b/lib/wsapi/complete_email_addition.js
index abd012418bdacfecee0ab3f4d41df2eacf046407..53ddb3625200c603ec1396aceb3b79a415143a07 100644
--- a/lib/wsapi/complete_email_addition.js
+++ b/lib/wsapi/complete_email_addition.js
@@ -23,39 +23,12 @@ exports.process = function(req, res) {
// 1. you must already be authenticated as the user who initiated the verification
// 2. you must provide the password of the initiator.
- // TRANSITIONAL CODE COMMENT
- // for issue 1000 we moved initial password selection to the browserid dialog (from
- // the verification page). Rolling out this change causes some temporal pain.
- // Outstannding verification links sent before the change was deployed will have
- // email addition requests that require passwords without passwords in the stage table.
- // When the verification page is loaded for
- // these links, we prompt the user for a password. That password is sent up with
- // the request. this code and comment should all be purged after the new code
- // has been in production for 2 weeks.
-
- var transitionalPassword = null;
-
- // END TRANSITIONAL CODE COMMENT
-
-
db.authForVerificationSecret(req.body.token, function(err, initiator_hash, initiator_uid) {
if (err) {
logger.info("unknown verification secret: " + err);
return wsapi.databaseDown(res, err);
}
- // TRANSITIONAL CODE
- if (!initiator_hash) {
- if (!req.body.pass) return httputils.authRequired(res, "password required");
- var err = wsapi.checkPassword(req.body.pass);
- if (err) {
- logger.warn("invalid password received: " + err);
- return httputils.badRequest(res, err);
- }
- transitionalPassword = req.body.pass;
- postAuthentication();
- } else
- // END TRANSITIONAL CODE
if (req.session.userid === initiator_uid) {
postAuthentication();
} else if (typeof req.body.pass === 'string') {
@@ -81,23 +54,6 @@ exports.process = function(req, res) {
} else {
wsapi.authenticateSession(req.session, uid, 'password');
res.json({ success: true });
-
- // TRANSITIONAL CODE
- if (transitionalPassword) {
- wsapi.bcryptPassword(transitionalPassword, function(err, hash) {
- if (err) {
- logger.warn("couldn't bcrypt pass for old verification link: " + err);
- return;
- }
-
- db.updatePassword(uid, hash, function(err) {
- if (err) {
- logger.warn("couldn't bcrypt pass for old verification link: " + err);
- }
- });
- });
- }
- // END TRANSITIONAL CODE
}
});
};
diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index eab3381d8574a61f50bb6111b550b24619c2ca32..7a65ec488f52322b0010ca8bfd33210324749bcf 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -29,16 +29,6 @@ exports.process = function(req, res) {
// and then control a browserid account that they can use to prove they own
// the email address of the attacked.
- // TRANSITIONAL CODE COMMENT
- // for issue 1000 we moved initial password selection to the browserid dialog (from
- // the verification page). Rolling out this change causes some temporal pain.
- // Outstannding verification links sent before the change was deployed will have
- // new user requests without passwords. When the verification page is loaded for
- // these links, we prompt the user for a password. That password is sent up with
- // the request. this code and comment should all be purged after the new code
- // has been in production for 2 weeks.
- // END TRANSITIONAL CODE COMMENT
-
// is this the same browser?
if (typeof req.session.pendingCreation === 'string' &&
req.body.token === req.session.pendingCreation) {
@@ -47,13 +37,6 @@ exports.process = function(req, res) {
// is a password provided?
else if (typeof req.body.pass === 'string') {
return db.authForVerificationSecret(req.body.token, function(err, hash) {
- // TRANSITIONAL CODE
- // if hash is null, no password was provided during verification and
- // this is an old-style verification. We accept the password and will
- // update it after the verification is complete.
- if (err == 'no password for user' || !hash) return postAuthentication();
- // END TRANSITIONAL CODE
-
if (err) {
logger.warn("couldn't get password for verification secret: " + err);
return wsapi.databaseDown(res, err);
@@ -75,67 +58,33 @@ exports.process = function(req, res) {
}
function postAuthentication() {
- // the time the email verification is performed, we'll clear the pendingCreation
- // data on the session.
- delete req.session.pendingCreation;
-
db.haveVerificationSecret(req.body.token, function(err, known) {
if (err) return wsapi.databaseDown(res, err);
- if (!known) return res.json({ success: false} );
+ if (!known) {
+ // clear the pendingCreation token from the session if we find no such
+ // token in the database
+ delete req.session.pendingCreation;
+ return res.json({ success: false} );
+ }
- // TRANSITIONAL CODE
- // user is authorized (1 or 2 above) OR user has no password set, in which
- // case for a short time we'll accept the password provided with the verification
- // link, and set it as theirs.
- var transitionalPassword = null;
+ db.gotVerificationSecret(req.body.token, function(err, email, uid) {
+ if (err) {
+ logger.warn("couldn't complete email verification: " + err);
+ wsapi.databaseDown(res, err);
+ } else {
+ // clear the pendingCreation token from the session once we
+ // successfully complete user creation
+ delete req.session.pendingCreation;
- db.authForVerificationSecret(req.body.token, function(err, hash) {
- if (err == 'no password for user' || !hash) {
- if (!req.body.pass) return httputils.authRequired(res, "password required");
- err = wsapi.checkPassword(req.body.pass);
- if (err) {
- logger.warn("invalid password received: " + err);
- return httputils.badRequest(res, err);
- }
- transitionalPassword = req.body.pass;
+ // At this point, the user is either on the same browser with a token from
+ // their email address, OR they've provided their account password. It's
+ // safe to grant them an authenticated session.
+ wsapi.authenticateSession(req.session, uid, 'password',
+ config.get('ephemeral_session_duration_ms'));
+ res.json({ success: true });
}
- completeCreation();
});
- // END TRANSITIONAL CODE
-
- function completeCreation() {
- db.gotVerificationSecret(req.body.token, function(err, email, uid) {
- if (err) {
- logger.warn("couldn't complete email verification: " + err);
- wsapi.databaseDown(res, err);
- } else {
- // FIXME: not sure if we want to do this (ba)
- // at this point the user has set a password associated with an email address
- // that they've verified. We create an authenticated session.
- wsapi.authenticateSession(req.session, uid, 'password',
- config.get('ephemeral_session_duration_ms'));
- res.json({ success: true });
-
- // TRANSITIONAL CODE
- if (transitionalPassword) {
- wsapi.bcryptPassword(transitionalPassword, function(err, hash) {
- if (err) {
- logger.warn("couldn't bcrypt pass for old verification link: " + err);
- return;
- }
-
- db.updatePassword(uid, hash, function(err) {
- if (err) {
- logger.warn("couldn't bcrypt pass for old verification link: " + err);
- }
- });
- });
- }
- // END TRANSITIONAL CODE
- }
- });
- }
});
}
};