diff --git a/browserid/lib/db.js b/browserid/lib/db.js
index 3caf1969f0e7609ff09343f1a3822628090e6e94..8181f9041c10ee1da658d3d16665d5e08814d237 100644
--- a/browserid/lib/db.js
+++ b/browserid/lib/db.js
@@ -1,6 +1,5 @@
const sqlite = require('sqlite'),
- path = require('path'),
- bcrypt = require('bcrypt');
+ path = require('path');
var VAR_DIR = path.join(path.dirname(__dirname), "var");
@@ -13,7 +12,7 @@ var ready = false;
var waiting = [];
// async break allow database path to be configured by calling code
-// a touch tricky cause client must set dbPath before releasing
+// a touch tricky cause client must set dbPath before releasing
// control of the runloop
setTimeout(function() {
db.open(exports.dbPath, function (error) {
@@ -200,7 +199,7 @@ exports.stageEmail = function(existing_email, new_email, pubkey) {
return secret;
};
-/* invoked when a user clicks on a verification URL in their email */
+/* invoked when a user clicks on a verification URL in their email */
exports.gotVerificationSecret = function(secret, cb) {
if (!g_staged.hasOwnProperty(secret)) return cb("unknown secret");
@@ -257,23 +256,17 @@ exports.gotVerificationSecret = function(secret, cb) {
}
};
-exports.checkAuth = function(email, pass, cb) {
+// check authentication credentials for a given email address. This will invoke the
+// users callback with the authentication (password/hash/whatever - the database layer
+// doesn't care). callback will be passed undefined if email cannot be found
+exports.checkAuth = function(email, cb) {
db.execute("SELECT users.password FROM emails, users WHERE users.id = emails.user AND emails.address = ?",
[ email ],
function (error, rows) {
- cb(rows.length === 1 && bcrypt.compare_sync(pass, rows[0].password));
+ cb(rows.length !== 1 ? undefined : rows[0].password);
});
};
-exports.checkAuthHash = function(email, hash, cb) {
- db.execute("SELECT users.password FROM emails, users WHERE users.id = emails.user AND emails.address = ? AND users.password = ?",
- [ email, hash ],
- function (error, rows) {
- cb(rows.length === 1);
- });
-};
-
-
/* a high level operation that attempts to sync a client's view with that of the
* server. email is the identity of the authenticated channel with the user,
* identities is a map of email -> pubkey.
@@ -291,7 +284,7 @@ exports.getSyncResponse = function(email, identities, cb) {
key_refresh: [ ]
};
- // get the user id associated with this account
+ // get the user id associated with this account
emailToUserID(email, function(userID) {
if (userID === undefined) {
cb("no such email: " + email);
@@ -320,7 +313,7 @@ exports.getSyncResponse = function(email, identities, cb) {
// #3
// XXX todo
- cb(undefined, respBody);
+ cb(undefined, respBody);
}
});
});
diff --git a/browserid/lib/wsapi.js b/browserid/lib/wsapi.js
index 53c2096c4ab365acdd7de3d352a5a3d603f87386..b304843c87e4472ede7fbf9187896d8af3059000 100644
--- a/browserid/lib/wsapi.js
+++ b/browserid/lib/wsapi.js
@@ -87,10 +87,10 @@ function setup(app) {
};
httputils.jsonResponse(resp, true);
-
+
// let's now kick out a verification email!
email.sendVerificationEmail(stageParams.email, stageParams.site, secret);
-
+
} catch(e) {
// we should differentiate tween' 400 and 500 here.
httputils.badRequest(resp, e.toString());
@@ -105,14 +105,14 @@ function setup(app) {
httputils.badRequest(resp, "api abuse: registration_status called without a pending email addition/verification");
return;
}
-
+
// Is the current session trying to add an email, or register a new one?
if (req.session.pendingAddition) {
// this is a pending email addition, it requires authentication
if (!isAuthed(req, resp)) {
return httputils.badRequest(resp, "requires authentication");
}
-
+
// check if the currently authenticated user has the email stored under pendingAddition
// in their acct.
db.emailsBelongToSameAccount(req.session.pendingAddition,
@@ -128,10 +128,10 @@ function setup(app) {
} else {
// this is a pending registration, let's check if the creds stored on the
// session are good yet.
-
+
var v = req.session.pendingVerification;
- db.checkAuthHash(v.email, v.hash, function(authed) {
- if (authed) {
+ db.checkAuth(v.email, function(hash) {
+ if (hash === v.hash) {
delete req.session.pendingVerification;
req.session.authenticatedUser = v.email;
httputils.jsonResponse(resp, "complete");
@@ -141,28 +141,30 @@ function setup(app) {
});
}
});
-
-
+
+
app.get('/wsapi/authenticate_user', checkParams(["email", "pass"]), function(req, resp) {
- db.checkAuth(req.query.email, req.query.pass, function(rv) {
- if (rv) {
+ db.checkAuth(req.query.email, function(hash) {
+ var success = bcrypt.compare_sync(req.query.pass, hash);
+
+ if (success) {
if (!req.session) req.session = {};
req.session.authenticatedUser = req.query.email;
}
- httputils.jsonResponse(resp, rv);
+ httputils.jsonResponse(resp, success);
});
});
-
+
// FIXME: need CSRF protection
app.get('/wsapi/add_email', checkAuthed, checkParams(["email", "pubkey", "site"]), function (req, resp) {
try {
// upon success, stage_user returns a secret (that'll get baked into a url
// and given to the user), on failure it throws
var secret = db.stageEmail(req.session.authenticatedUser, req.query.email, req.query.pubkey);
-
+
// store the email being added in session data
req.session.pendingAddition = req.query.email;
-
+
httputils.jsonResponse(resp, true);
// let's now kick out a verification email!
diff --git a/browserid/tests/db-test.js b/browserid/tests/db-test.js
index 7135eb811bcaf9c3a1e0ad460e58358bdfce5888..c749770c8d97e2ea2a4e20077f3698dc77c15da7 100755
--- a/browserid/tests/db-test.js
+++ b/browserid/tests/db-test.js
@@ -142,10 +142,9 @@ suite.addBatch({
assert.strictEqual(r.length, 3);
}
}
-});
-
+});
-// XXX: remaining APIs to test
+// XXX: remaining APIs to test
// exports.addEmailToAccount
// exports.cancelAccount
// exports.checkAuth