From 0bdb4f0a4288b732bd67039a76643bc46f81f944 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Fri, 19 Aug 2011 13:41:01 +0300
Subject: [PATCH] add a 'fake verification' mechanism that can be enabled for
testing via an environment variable, and will return secrets via the wsapi.
add plenty of checks to ensure this never makes it into production.
---
browserid/lib/fake_verification.js | 78 ++++++++++++++++++++++++++++++
browserid/lib/wsapi.js | 7 +++
performance/lib/test.js | 7 ++-
performance/lib/wsapi_client.js | 7 ++-
4 files changed, 96 insertions(+), 3 deletions(-)
create mode 100644 browserid/lib/fake_verification.js
diff --git a/browserid/lib/fake_verification.js b/browserid/lib/fake_verification.js
new file mode 100644
index 000000000..8fcafc904
--- /dev/null
+++ b/browserid/lib/fake_verification.js
@@ -0,0 +1,78 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Mozilla BrowserID.
+ *
+ * The Initial Developer of the Original Code is Mozilla.
+ * Portions created by the Initial Developer are Copyright (C) 2011
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ * Lloyd Hilaiel <lloyd@hilaiel.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+/* This little module will, when included, hook the email verification system
+ * and instead of sending emails will make verification tokens available
+ * via the WSAPI. This is *highly* insecure and should only be used when
+ * testing (performance or otherwise).
+ */
+
+const
+email = require('./email.js'),
+configuration = require('../../libs/configuration.js'),
+url = require('url');
+
+// a paranoid check of the configuration. This module should only
+// be included when in a testing environment
+var c = configuration.get('env');
+if (!/^test_/.test(c)) {
+ console.log("FATAL ERROR: you're using fake verification in a configuration that you shouldn't");
+ console.log("stop including fake_verification.js. it's not safe here.");
+ process.exit(1);
+} else {
+ console.log("HEAR YE: Fake verfication enabled, aceess via /wsapi/fake_verification?email=foo@bar.com");
+}
+
+// we store outstanding tokens in memory, folks.
+var tokens = { };
+
+// set up an interceptor
+email.setInterceptor(function(email, site, secret) {
+ tokens[email] = secret;
+});
+
+exports.addVerificationWSAPI = function(app) {
+ app.get('/wsapi/fake_verification', function(req, res) {
+ var email = url.parse(req.url, true).query['email'];
+ if (tokens.hasOwnProperty(email)) {
+ res.write(tokens[email]);
+ delete tokens[email];
+ } else {
+ res.writeHead(400, {"Content-Type": "text/plain"});
+ }
+ res.end();
+ });
+};
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 2a4cf0928..d9bb8f2da 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -321,6 +321,13 @@ function setup(app) {
}
});
});
+
+ // if the BROWSERID_FAKE_VERIFICATION env var is defined, we'll include
+ // fake_verification.js. This is used during testing only and should
+ // never be included in a production deployment
+ if (process.env['BROWSERID_FAKE_VERIFICATION']) {
+ require('./fake_verification.js').addVerificationWSAPI(app);
+ }
}
exports.setup = setup;
diff --git a/performance/lib/test.js b/performance/lib/test.js
index e88531b11..71424c6d6 100644
--- a/performance/lib/test.js
+++ b/performance/lib/test.js
@@ -15,5 +15,10 @@ wcli.post(cfg, '/wsapi/stage_user', ctx, {
pubkey: 'fakepubkey',
site:'fakesite.com'
}, function (r) {
- console.log(r.body);
+ // now get the verification secret
+ wcli.get(cfg, '/wsapi/fake_verification', ctx, {
+ email: "first@fakeemail.com"
+ }, function (r) {
+ console.log(r);
+ });
});
diff --git a/performance/lib/wsapi_client.js b/performance/lib/wsapi_client.js
index 4772632c2..8500aa7ba 100644
--- a/performance/lib/wsapi_client.js
+++ b/performance/lib/wsapi_client.js
@@ -69,7 +69,7 @@ function extractCookies(ctx, res) {
}
}
-exports.get = function(cfg, path, context, cb) {
+exports.get = function(cfg, path, context, getArgs, cb) {
// parse the server URL (cfg.browserid)
var uObj;
var meth;
@@ -84,6 +84,9 @@ exports.get = function(cfg, path, context, cb) {
var headers = { };
injectCookies(context, headers);
+ if (typeof getArgs === 'object')
+ path += "?" + querystring.stringify(getArgs);
+
meth.get({
host: uObj.hostname,
port: uObj.port,
@@ -104,7 +107,7 @@ exports.get = function(cfg, path, context, cb) {
function withCSRF(cfg, context, cb) {
if (context.csrf) cb(context.csrf);
else {
- exports.get(cfg, '/wsapi/csrf', context, function(r) {
+ exports.get(cfg, '/wsapi/csrf', context, undefined, function(r) {
context.csrf = r.body;
cb(context.csrf);
});
--
GitLab