From 0aee88a17bb41ab4ab76e5d1ffeffcf2e86d7e85 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Mon, 9 Jan 2012 13:33:33 -0700
Subject: [PATCH] backend support for 'two level authentication'. issue #761
---
lib/wsapi.js | 22 +++--
lib/wsapi/auth_with_assertion.js | 4 +-
lib/wsapi/authenticate_user.js | 2 +-
lib/wsapi/complete_email_addition.js | 8 +-
lib/wsapi/complete_user_creation.js | 2 +-
lib/wsapi/session_context.js | 11 ++-
lib/wsapi/user_creation_status.js | 2 +-
tests/primary-then-secondary-test.js | 22 +++++
tests/registration-status-wsapi-test.js | 2 +-
tests/two-level-auth-test.js | 115 ++++++++++++++++++++++++
10 files changed, 174 insertions(+), 16 deletions(-)
create mode 100755 tests/two-level-auth-test.js
diff --git a/lib/wsapi.js b/lib/wsapi.js
index 4fb4bab34..45ca5854e 100644
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -32,8 +32,16 @@ function clearAuthenticatedUser(session) {
session.reset(['csrf']);
}
-function isAuthed(req) {
- return (req.session) ? req.session.userid : undefined;
+function isAuthed(req, requiredLevel) {
+ if (req.session && req.session.userid && req.session.auth_level) {
+ // 'password' authentication allows access to all apis.
+ // 'assertion' authentication, grants access to only those apis
+ // that don't require 'password'
+ if (requiredLevel === 'assertion' || req.session.auth_level === 'password') {
+ return true;
+ }
+ }
+ return false;
}
function bcryptPassword(password, cb) {
@@ -45,8 +53,12 @@ function bcryptPassword(password, cb) {
});
};
-function setAuthenticatedUser(session, uid) {
+function authenticateSession(session, uid, level) {
+ if (['assertion', 'password'].indexOf(level) === -1)
+ throw "invalid authentication level: " + level;
+
session.userid = uid;
+ session.auth_level = level;
}
function checkPassword(pass) {
@@ -59,7 +71,7 @@ function checkPassword(pass) {
exports.clearAuthenticatedUser = clearAuthenticatedUser;
exports.isAuthed = isAuthed;
exports.bcryptPassword = bcryptPassword;
-exports.setAuthenticatedUser = setAuthenticatedUser;
+exports.authenticateSession = authenticateSession;
exports.checkPassword = checkPassword;
exports.fowardWritesTo = undefined;
@@ -278,7 +290,7 @@ exports.setup = function(options, app) {
// above
// does the request require authentication?
- if (wsapis[operation].authed && !isAuthed(req)) {
+ if (wsapis[operation].authed && !isAuthed(req, wsapis[operation].authed)) {
return httputils.badRequest(resp, "requires authentication");
}
diff --git a/lib/wsapi/auth_with_assertion.js b/lib/wsapi/auth_with_assertion.js
index 8db03f64b..2e9c10f61 100644
--- a/lib/wsapi/auth_with_assertion.js
+++ b/lib/wsapi/auth_with_assertion.js
@@ -33,7 +33,7 @@ exports.process = function(req, res) {
if (type === 'primary') {
return db.emailToUID(email, function(uid) {
if (!uid) return res.json({ success: false, reason: "internal error" });
- wsapi.setAuthenticatedUser(req.session, uid);
+ wsapi.authenticateSession(req.session, uid, 'assertion');
return res.json({ success: true });
});
}
@@ -82,7 +82,7 @@ exports.process = function(req, res) {
}
logger.info("successfully created primary acct for " + email + " (" + r.userid + ")");
- wsapi.setAuthenticatedUser(req.session, r.userid);
+ wsapi.authenticateSession(req.session, r.userid, 'assertion');
res.json({ success: true });
});
}).on('error', function(e) {
diff --git a/lib/wsapi/authenticate_user.js b/lib/wsapi/authenticate_user.js
index f6f415c9f..25b073bc6 100644
--- a/lib/wsapi/authenticate_user.js
+++ b/lib/wsapi/authenticate_user.js
@@ -50,7 +50,7 @@ exports.process = function(req, res) {
} else {
if (!req.session) req.session = {};
- wsapi.setAuthenticatedUser(req.session, uid);
+ wsapi.authenticateSession(req.session, uid, 'password');
res.json({ success: true });
diff --git a/lib/wsapi/complete_email_addition.js b/lib/wsapi/complete_email_addition.js
index deedcd4b9..c0449c5bf 100644
--- a/lib/wsapi/complete_email_addition.js
+++ b/lib/wsapi/complete_email_addition.js
@@ -45,7 +45,13 @@ exports.process = function(req, res) {
return res.json({ success: false });
}
db.updatePassword(uid, hash, function(err) {
- if (err) logger.warn("couldn't update password during email verification: " + err);
+ if (err) {
+ logger.warn("couldn't update password during email verification: " + err);
+ } else {
+ // XXX: what if our software 503s? User doens't get a password set and
+ // cannot change it.
+ wsapi.authenticateSession(req.session, uid, 'password');
+ }
res.json({ success: !err });
});
});
diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index 912e94262..fd582b7ea 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -45,7 +45,7 @@ exports.process = function(req, res) {
// FIXME: not sure if we want to do this (ba)
// at this point the user has set a password associated with an email address
// that they've verified. We create an authenticated session.
- wsapi.setAuthenticatedUser(req.session, uid);
+ wsapi.authenticateSession(req.session, uid, 'password');
res.json({ success: true });
}
});
diff --git a/lib/wsapi/session_context.js b/lib/wsapi/session_context.js
index 89386ed00..bc57b6bfe 100644
--- a/lib/wsapi/session_context.js
+++ b/lib/wsapi/session_context.js
@@ -29,13 +29,15 @@ exports.process = function(req, res) {
logger.debug("NEW csrf token created: " + req.session.csrf);
}
- var auth_status = false;
+ var auth_level = undefined;
+ var authenticated = false;
function sendResponse() {
res.json({
csrf_token: req.session.csrf,
server_time: (new Date()).getTime(),
- authenticated: auth_status,
+ authenticated: authenticated,
+ auth_level: auth_level,
domain_key_creation_time: domainKeyCreationDate.getTime(),
random_seed: crypto.randomBytes(32).toString('base64')
});
@@ -43,7 +45,7 @@ exports.process = function(req, res) {
// if they're authenticated for an email address that we don't know about,
// then we should purge the stored cookie
- if (!wsapi.isAuthed(req)) {
+ if (!wsapi.isAuthed(req, 'assertion')) {
logger.debug("user is not authenticated");
sendResponse();
} else {
@@ -53,7 +55,8 @@ exports.process = function(req, res) {
wsapi.clearAuthenticatedUser(req.session);
} else {
logger.debug("user is authenticated");
- auth_status = true;
+ auth_level = req.session.auth_level;
+ authenticated = true;
}
sendResponse();
});
diff --git a/lib/wsapi/user_creation_status.js b/lib/wsapi/user_creation_status.js
index c06b6f624..f62e5ea9f 100644
--- a/lib/wsapi/user_creation_status.js
+++ b/lib/wsapi/user_creation_status.js
@@ -11,7 +11,7 @@ exports.process = function(req, res) {
var email = req.query.email;
// if the user is authenticated as the user in question, we're done
- if (wsapi.isAuthed(req)) {
+ if (wsapi.isAuthed(req, 'assertion')) {
db.userOwnsEmail(req.session.userid, email, function(owned) {
if (owned) res.json({ status: 'complete' });
else notAuthed();
diff --git a/tests/primary-then-secondary-test.js b/tests/primary-then-secondary-test.js
index 55ef5df97..d4d244d57 100755
--- a/tests/primary-then-secondary-test.js
+++ b/tests/primary-then-secondary-test.js
@@ -94,6 +94,17 @@ suite.addBatch({
}
});
+// now we have an account, and we're authenticated with an assertion.
+// check auth_level with session_context
+suite.addBatch({
+ "auth_level": {
+ topic: wsapi.get('/wsapi/session_context'),
+ "is 'assertion' after authenticating with assertion" : function(r, err) {
+ assert.strictEqual(JSON.parse(r.body).auth_level, 'assertion');
+ }
+ }
+});
+
var token;
// now we have a new account. let's add a secondary to it
@@ -150,6 +161,17 @@ suite.addBatch({
}
});
+// after adding a secondary and setting password, we're password auth'd
+suite.addBatch({
+ "auth_level": {
+ topic: wsapi.get('/wsapi/session_context'),
+ "is 'password' after authenticating with password" : function(r, err) {
+ assert.strictEqual(JSON.parse(r.body).auth_level, 'password');
+ }
+ }
+});
+
+
// adding a second secondary will not let us set the password
suite.addBatch({
"add a new email address to our account": {
diff --git a/tests/registration-status-wsapi-test.js b/tests/registration-status-wsapi-test.js
index dfb962282..73012662d 100755
--- a/tests/registration-status-wsapi-test.js
+++ b/tests/registration-status-wsapi-test.js
@@ -175,7 +175,7 @@ suite.addBatch({
topic: wsapi.get("/wsapi/session_context"),
"we're authenticated": function (r, err) {
assert.strictEqual(r.code, 200);
- assert.strictEqual(JSON.parse(r.body).authenticated, true);
+ assert.strictEqual(JSON.parse(r.body).auth_level, 'password');
},
"but we can easily clear cookies on the client to change that!": function(r, err) {
wsapi.clearCookies();
diff --git a/tests/two-level-auth-test.js b/tests/two-level-auth-test.js
new file mode 100755
index 000000000..b486a42c4
--- /dev/null
+++ b/tests/two-level-auth-test.js
@@ -0,0 +1,115 @@
+#!/usr/bin/env node
+
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla BrowserID.
+ *
+ * The Initial Developer of the Original Code is Mozilla.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+require('./lib/test_env.js');
+
+const
+assert = require('assert'),
+vows = require('vows'),
+start_stop = require('./lib/start-stop.js'),
+wsapi = require('./lib/wsapi.js'),
+primary = require('./lib/primary.js');
+
+var suite = vows.describe('primary-then-secondary');
+
+start_stop.addStartupBatches(suite);
+
+// this test verifies that a user who has only authenticated with
+// an assertion from their primary, may not call restricted apis
+
+const TEST_DOMAIN = 'example.domain',
+ TEST_EMAIL = 'testuser2@' + TEST_DOMAIN,
+ TEST_ORIGIN = 'http://127.0.0.1:10002';
+
+var primaryUser = new primary({
+ email: TEST_EMAIL,
+ domain: TEST_DOMAIN
+});
+
+// now let's generate an assertion using this user
+suite.addBatch({
+ "generating an assertion": {
+ topic: function() {
+ return primaryUser.getAssertion(TEST_ORIGIN);
+ },
+ "succeeds": function(r, err) {
+ assert.isString(r);
+ },
+ "and logging in with the assertion": {
+ topic: function(assertion) {
+ wsapi.post('/wsapi/auth_with_assertion', {
+ email: TEST_EMAIL,
+ assertion: assertion
+ }).call(this);
+ },
+ "succeeds": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.isObject(resp);
+ assert.isTrue(resp.success);
+ }
+ }
+ }
+});
+
+suite.addBatch({
+ "updating our password": {
+ topic: wsapi.post('/wsapi/update_password', { oldpass: '', newpass: 'frobaztastic' }),
+ "won't work": function(r) {
+ assert.strictEqual(r.code, 400);
+ }
+ },
+ "certifying a key": {
+ topic: wsapi.post('/wsapi/cert_key', { email: TEST_EMAIL, pubkey: 'fake_key' }),
+ "won't work": function(r) {
+ assert.strictEqual(r.code, 400);
+ }
+ },
+ "listing emails": {
+ topic: wsapi.get('/wsapi/list_emails'),
+ "works fine": function(r) {
+ assert.strictEqual(r.code, 200);
+ assert.equal(Object.keys(JSON.parse(r.body)).length, 1);
+ }
+ }
+});
+
+// shut the server down and cleanup
+start_stop.addShutdownBatches(suite);
+
+// run or export the suite.
+if (process.argv[1] === __filename) suite.run();
+else suite.export(module);
--
GitLab