diff --git a/browserid/lib/db.js b/browserid/lib/db.js
index 891e50e062cfc30c8a0e06ec828151e0c646ad1e..6fb423216f13468910988ca75ce101ab227c5dcc 100644
--- a/browserid/lib/db.js
+++ b/browserid/lib/db.js
@@ -99,7 +99,7 @@ exports.onReady = function(f) {
'stageUser',
'stageEmail',
'gotVerificationSecret',
- 'haveVerificationSecret',
+ 'emailForVerificationSecret',
'checkAuth',
'listEmails',
'removeEmail',
diff --git a/browserid/lib/db_json.js b/browserid/lib/db_json.js
index 3bfa8991b9eeb67894d6be4f03fa2545c650c64a..781525735fe7dcfddf787245af490a97173913f6 100644
--- a/browserid/lib/db_json.js
+++ b/browserid/lib/db_json.js
@@ -177,8 +177,10 @@ exports.stageEmail = function(existing_email, new_email, cb) {
};
-exports.haveVerificationSecret = function(secret, cb) {
- setTimeout(function() { cb(staged.hasOwnProperty(secret)); }, 0);
+exports.emailForVerificationSecret = function(secret, cb) {
+ setTimeout(function() {
+ cb(staged[secret]? staged[secret].email:undefined);
+ }, 0);
};
exports.gotVerificationSecret = function(secret, hash, cb) {
diff --git a/browserid/lib/db_mysql.js b/browserid/lib/db_mysql.js
index 3700a7f4dc2006790516375a39132ea453d76607..25f53ce3b71c3379d9e917bb479bd3cad57c08c5 100644
--- a/browserid/lib/db_mysql.js
+++ b/browserid/lib/db_mysql.js
@@ -197,12 +197,12 @@ exports.stageUser = function(email, cb) {
});
}
-exports.haveVerificationSecret = function(secret, cb) {
+exports.emailForVerificationSecret = function(secret, cb) {
client.query(
- "SELECT COUNT(*) as N FROM staged WHERE secret = ?", [ secret ],
+ "SELECT email FROM staged WHERE secret = ?", [ secret ],
function(err, rows) {
if (err) logUnexpectedError(err);
- cb(rows && rows.length > 0 && rows[0].N > 0);
+ cb((rows && rows.length > 0) ? rows[0].email : undefined);
});
};
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index e27abae915dcb56022ce752fd0ce4d9a9985346f..6d964f060b7629177d1f6731b55ed0ac8fdcdd5e 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -176,8 +176,8 @@ function setup(app) {
// if the secret is still in the database, it hasn't yet been verified and
// verification is still pending
- db.haveVerificationSecret(req.session.pendingCreation, function (haveSecret) {
- if (haveSecret) return resp.json('pending');
+ db.emailForVerificationSecret(req.session.pendingCreation, function (email) {
+ if (email) return resp.json('pending');
// if the secret isn't known, and we're not authenticated, then the user must authenticate
// (maybe they verified the URL on a different browser, or maybe they canceled the account
// creation)
@@ -202,8 +202,8 @@ function setup(app) {
// We should check to see if the verification secret is valid *before*
// bcrypting the password (which is expensive), to prevent a possible
// DoS attack.
- db.haveVerificationSecret(req.body.token, function(valid) {
- if (!valid) return resp.json(false);
+ db.emailForVerificationSecret(req.body.token, function(email) {
+ if (!email) return resp.json(false);
// now bcrypt the password
bcrypt.gen_salt(10, function (err, salt) {
@@ -282,8 +282,8 @@ function setup(app) {
} else if (!req.session.pendingAddition) {
resp.json('failed');
} else {
- db.haveVerificationSecret(req.session.pendingAddition, function (haveSecret) {
- if (haveSecret) {
+ db.emailForVerificationSecret(req.session.pendingAddition, function (email) {
+ if (email) {
return resp.json('pending');
} else {
delete req.session.pendingAddition;
diff --git a/browserid/tests/db-test.js b/browserid/tests/db-test.js
index 558bc0f901621fcc8264ce677345a9bce045e304..c4c1136bf02850e2ceab1989d8e198f9947973d1 100755
--- a/browserid/tests/db-test.js
+++ b/browserid/tests/db-test.js
@@ -105,6 +105,14 @@ suite.addBatch({
secret = r;
assert.isString(secret);
assert.strictEqual(secret.length, 48);
+ },
+ "fetch email for given secret": {
+ topic: function(secret) {
+ db.emailForVerificationSecret(secret, this.callback);
+ },
+ "matches expected email": function(storedEmail) {
+ assert.strictEqual('lloyd@nowhe.re', storedEmail);
+ }
}
}
});