From 175fb7cc4f3073016be756bbbcfdd6f81cc89113 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Sat, 21 Jul 2012 16:29:05 -0600
Subject: [PATCH] audit and simplify logic in email_for_token to return proper
 hint to frontend on whether they should get a password from the user and
 forward it along with the 'complete' request during verification process for
 acct creation, password reset, email addition, and email re-verificaiton

---
 lib/wsapi/complete_reset.js         |  3 +--
 lib/wsapi/complete_user_creation.js |  3 +--
 lib/wsapi/email_for_token.js        | 36 ++++++++++++++---------------
 lib/wsapi/password_reset_status.js  |  2 +-
 4 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/lib/wsapi/complete_reset.js b/lib/wsapi/complete_reset.js
index 4d3bcfec2..49d8b2c58 100644
--- a/lib/wsapi/complete_reset.js
+++ b/lib/wsapi/complete_reset.js
@@ -33,8 +33,7 @@ exports.process = function(req, res) {
   //    request
 
   // is this the same browser?
-  if (typeof req.session.pendingReset === 'string' &&
-      req.params.token === req.session.pendingReset) {
+  if (req.params.token === req.session.pendingReset) {
     return postAuthentication();
   }
   // is a password provided?
diff --git a/lib/wsapi/complete_user_creation.js b/lib/wsapi/complete_user_creation.js
index f737e3b8f..66955d378 100644
--- a/lib/wsapi/complete_user_creation.js
+++ b/lib/wsapi/complete_user_creation.js
@@ -38,8 +38,7 @@ exports.process = function(req, res) {
   // the email address of the attacked.
 
   // is this the same browser?
-  if (typeof req.session.pendingCreation === 'string' &&
-      req.params.token === req.session.pendingCreation) {
+  if (req.params.token === req.session.pendingCreation) {
     return postAuthentication();
   }
   // is a password provided?
diff --git a/lib/wsapi/email_for_token.js b/lib/wsapi/email_for_token.js
index 05bf4e2e4..5b28e07c1 100644
--- a/lib/wsapi/email_for_token.js
+++ b/lib/wsapi/email_for_token.js
@@ -38,30 +38,28 @@ exports.process = function(req, res) {
           reason: err
         });
       }
-    } 
+    }
 
     function checkMustAuth() {
-      // must the user authenticate?  This is true if they are not authenticated
-      // as the uid who initiated the verification, or they are not on the same
-      // browser as the initiator
       var must_auth = true;
 
-      if (((uid && req.session.userid === uid) || !req.session.userid) &&
-               typeof req.session.pendingReset === 'string' &&
-               req.params.token === req.session.pendingReset) {
-        must_auth = false;
-      }
-      else if (!uid && typeof req.session.pendingCreation === 'string' &&
-               req.params.token === req.session.pendingCreation) {
-        must_auth = false;
-      }
-      else if (typeof req.session.pendingReverification === 'string' ||
-               typeof req.session.pendingAddition === 'string') {
-        must_auth = false;
+      // For the following cases, the user must re-authenticate if they're not on the
+      // same browser.
+      // 1. they're resetting their password
+      // 2. they're creating their account
+      must_auth =
+        !((req.params.token === req.session.pendingCreation) ||
+          (req.params.token === req.session.pendingReset));
+
+      // For the following cases, unless the user is on the same browser AND authenticated,
+      // they must re-provide their password:
+      // 1. they're re-verifying an email after password reset
+      // 2. they're confirming a new email they want to add to their account
+      if (req.params.token === req.session.pendingReverification ||
+          req.params.token === req.session.pendingAddition)
+      {
+        must_auth = !(req.session.userid && req.session.userid === uid);
       }
-      // NOTE: for reverification, we require you're authenticated.  it's not enough
-      // to be on the same browser - that path is nonsensical because you must be
-      // authenticated to initiate a re-verification.
 
       res.json({
         success: true,
diff --git a/lib/wsapi/password_reset_status.js b/lib/wsapi/password_reset_status.js
index e82b2f1df..67fdc1f9e 100644
--- a/lib/wsapi/password_reset_status.js
+++ b/lib/wsapi/password_reset_status.js
@@ -23,7 +23,7 @@ exports.process = function(req, res) {
   //   * if we are not authenticated as the owner of the email, we must auth
   db.isStaged(email, function(err, staged) {
     if (err) wsapi.databaseDown(res, err);
-    
+
     if (staged) {
       return res.json({ status: 'pending' });
     } else {
-- 
GitLab