diff --git a/browserid/lib/db.js b/browserid/lib/db.js
index 891e50e062cfc30c8a0e06ec828151e0c646ad1e..6fb423216f13468910988ca75ce101ab227c5dcc 100644
--- a/browserid/lib/db.js
+++ b/browserid/lib/db.js
@@ -99,7 +99,7 @@ exports.onReady = function(f) {
 'stageUser',
 'stageEmail',
 'gotVerificationSecret',
- 'haveVerificationSecret',
+ 'emailForVerificationSecret',
 'checkAuth',
 'listEmails',
 'removeEmail',
diff --git a/browserid/lib/db_json.js b/browserid/lib/db_json.js
index 3bfa8991b9eeb67894d6be4f03fa2545c650c64a..781525735fe7dcfddf787245af490a97173913f6 100644
--- a/browserid/lib/db_json.js
+++ b/browserid/lib/db_json.js
@@ -177,8 +177,10 @@ exports.stageEmail = function(existing_email, new_email, cb) {
 };
-exports.haveVerificationSecret = function(secret, cb) {
- setTimeout(function() { cb(staged.hasOwnProperty(secret)); }, 0);
+exports.emailForVerificationSecret = function(secret, cb) {
+ setTimeout(function() {
+ cb(staged[secret]? staged[secret].email:undefined);
+ }, 0);
 };
 exports.gotVerificationSecret = function(secret, hash, cb) {
diff --git a/browserid/lib/db_mysql.js b/browserid/lib/db_mysql.js
index 3700a7f4dc2006790516375a39132ea453d76607..25f53ce3b71c3379d9e917bb479bd3cad57c08c5 100644
--- a/browserid/lib/db_mysql.js
+++ b/browserid/lib/db_mysql.js
@@ -197,12 +197,12 @@ exports.stageUser = function(email, cb) {
 });
 }
-exports.haveVerificationSecret = function(secret, cb) {
+exports.emailForVerificationSecret = function(secret, cb) {
 client.query(
- "SELECT COUNT(*) as N FROM staged WHERE secret = ?", [ secret ],
+ "SELECT email FROM staged WHERE secret = ?", [ secret ],
 function(err, rows) {
 if (err) logUnexpectedError(err);
- cb(rows && rows.length > 0 && rows[0].N > 0);
+ cb((rows && rows.length > 0) ? rows[0].email : undefined);
 });
 };
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index e27abae915dcb56022ce752fd0ce4d9a9985346f..6d964f060b7629177d1f6731b55ed0ac8fdcdd5e 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
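Review bot: In browserid/lib/db_json.js the new lookup `staged[secret]` drops the own-property guard that the removed line had (`staged.hasOwnProperty(secret)`). If `staged` is a plain object (its definition is outside the hunk), a secret that names an inherited `Object.prototype` member passes the truthiness test, and the result is `undefined` only because that member happens to carry no `email` property. The secret comes from the request in wsapi.js, so the guard is worth keeping explicit: `cb(staged.hasOwnProperty(secret) ? staged[secret].email : undefined);`.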
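Review bot: In browserid/lib/db_mysql.js, `emailForVerificationSecret` reports a failed query and an unknown secret identically: after `logUnexpectedError(err)` the callback still receives `undefined`. The third wsapi.js hunk treats a falsy result as "no longer pending" and runs `delete req.session.pendingAddition`, so a transient database error would silently discard a pending addition. The one-argument callback cannot carry the error, so at minimum state the contract above the function: `// cb(email) for a staged secret; cb(undefined) if the secret is unknown OR the query failed`.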
@@ -176,8 +176,8 @@ function setup(app) {
 // if the secret is still in the database, it hasn't yet been verified and
 // verification is still pending
- db.haveVerificationSecret(req.session.pendingCreation, function (haveSecret) {
- if (haveSecret) return resp.json('pending');
+ db.emailForVerificationSecret(req.session.pendingCreation, function (email) {
+ if (email) return resp.json('pending');
 // if the secret isn't known, and we're not authenticated, then the user must authenticate
 // (maybe they verified the URL on a different browser, or maybe they canceled the account
 // creation)
@@ -202,8 +202,8 @@ function setup(app) {
 // We should check to see if the verification secret is valid *before*
 // bcrypting the password (which is expensive), to prevent a possible
 // DoS attack.
- db.haveVerificationSecret(req.body.token, function(valid) {
- if (!valid) return resp.json(false);
+ db.emailForVerificationSecret(req.body.token, function(email) {
+ if (!email) return resp.json(false);
 // now bcrypt the password
 bcrypt.gen_salt(10, function (err, salt) {
@@ -282,8 +282,8 @@ function setup(app) {
 } else if (!req.session.pendingAddition) {
 resp.json('failed');
 } else {
- db.haveVerificationSecret(req.session.pendingAddition, function (haveSecret) {
- if (haveSecret) {
+ db.emailForVerificationSecret(req.session.pendingAddition, function (email) {
+ if (email) {
 return resp.json('pending');
 } else {
 delete req.session.pendingAddition;
diff --git a/browserid/tests/db-test.js b/browserid/tests/db-test.js
index 558bc0f901621fcc8264ce677345a9bce045e304..c4c1136bf02850e2ceab1989d8e198f9947973d1 100755
--- a/browserid/tests/db-test.js
+++ b/browserid/tests/db-test.js
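Review bot: In the second wsapi.js hunk (`@@ -202,8 +202,8 @@`), `req.body.token` reaches `db.emailForVerificationSecret` without a type check. If the body parser can deliver an object or array here (not visible in the hunk), the JSON backend coerces it to a string key, and how the MySQL client binds a non-string to the `?` placeholder depends on its escaping rules. A guard before the lookup keeps both backends on the same input domain: `if (typeof req.body.token !== 'string') return resp.json(false);`. The handler starts and ends outside the hunk.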
@@ -105,6 +105,14 @@ suite.addBatch({
 secret = r;
 assert.isString(secret);
 assert.strictEqual(secret.length, 48);
+ },
+ "fetch email for given secret": {
+ topic: function(secret) {
+ db.emailForVerificationSecret(secret, this.callback);
+ },
+ "matches expected email": function(storedEmail) {
+ assert.strictEqual('lloyd@nowhe.re', storedEmail);
+ }
 }
 }
 });
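Review bot: The new vow in browserid/tests/db-test.js covers only the success path; nothing checks that a secret that was never staged yields `undefined`, which is the result every wsapi.js caller in this commit branches on. A sibling context that calls `db.emailForVerificationSecret` with an unstaged secret and asserts the callback value is `undefined` would pin that contract for both backends. The assertion also passes the expected value first; `assert.strictEqual(storedEmail, 'lloyd@nowhe.re');` follows the (actual, expected) order, so a failure message labels the values correctly. The enclosing batch begins outside the hunk.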