From 8a63fbd9af7a40b0f13aa205f4a6b558ca0596b7 Mon Sep 17 00:00:00 2001
From: Zachary Carter <zack.carter@gmail.com>
Date: Fri, 20 Jul 2012 12:47:50 -0700
Subject: [PATCH] User should not have to auth when email added/verified on
 same browser

---
 lib/wsapi/email_for_token.js |  3 ++-
 tests/forgotten-pass-test.js | 50 +++++++++++++++++++++++++++++++++++-
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/lib/wsapi/email_for_token.js b/lib/wsapi/email_for_token.js
index 66f9a6398..4b3c837fb 100644
--- a/lib/wsapi/email_for_token.js
+++ b/lib/wsapi/email_for_token.js
@@ -55,7 +55,8 @@ exports.process = function(req, res) {
                req.params.token === req.session.pendingCreation) {
         must_auth = false;
       }
-      else if (typeof req.session.pendingReverification === 'string') {
+      else if (typeof req.session.pendingReverification === 'string' ||
+               typeof req.session.pendingAddition === 'string') {
         must_auth = false;
       }
       // NOTE: for reverification, we require you're authenticated.  it's not enough
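Review bot: The new `pendingAddition` condition lowers `must_auth` whenever the session holds any pending-addition string, without comparing it to `req.params.token` the way the `pendingCreation` branch a few lines above does; if `pendingAddition` stores the token of the address being added, a session in the middle of one addition would also skip authentication for an unrelated token presented to it. Consider binding the token to the session value: `typeof req.session.pendingAddition === 'string' && req.params.token === req.session.pendingAddition`. The pre-existing `pendingReverification` branch has the same shape, so the same tightening may apply there. `exports.process` starts and continues outside the hunk, so any later check that compensates for this is not visible here.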
diff --git a/tests/forgotten-pass-test.js b/tests/forgotten-pass-test.js
index fff015c37..e4e2407e8 100755
--- a/tests/forgotten-pass-test.js
+++ b/tests/forgotten-pass-test.js
@@ -25,6 +25,9 @@ start_stop.addStartupBatches(suite);
 // var 'token'
 var token = undefined;
 
+// stores wsapi client context
+var oldContext;
+
 // create a new account via the api with (first address)
 suite.addBatch({
   "staging an account": {
@@ -101,6 +104,52 @@ suite.addBatch({
   }
 });
 
+// should not require auth to complete
+suite.addBatch({
+  "given a token, getting an email": {
+    topic: function() {
+      wsapi.get('/wsapi/email_for_token', { token: token }).call(this);
+    },
+    "account created": function(err, r) {
+      assert.equal(r.code, 200);
+      var body = JSON.parse(r.body);
+      assert.strictEqual(body.success, true);
+      assert.strictEqual(body.must_auth, false);
+    }
+  }
+});
+
+
+// New context for a second client
+suite.addBatch({
+  "change context": function () {
+    oldContext = wsapi.getContext();
+    wsapi.setContext({});
+  }
+});
+
+// should require auth to complete for second client
+suite.addBatch({
+  "given a token, getting an email": {
+    topic: function() {
+      wsapi.get('/wsapi/email_for_token', { token: token }).call(this);
+    },
+    "account created": function(err, r) {
+      assert.equal(r.code, 200);
+      var body = JSON.parse(r.body);
+      assert.strictEqual(body.success, true);
+      assert.strictEqual(body.must_auth, true);
+    }
+  }
+});
+
+// restore context of first client
+suite.addBatch({
+  "restore context": function () {
+    wsapi.setContext(oldContext);
+  }
+});
+
 // confirm second email email address to the account
 suite.addBatch({
   "create second account": {
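Review bot: Both added batches reuse the vow names `"given a token, getting an email"` and `"account created"`, so the second one, which asserts `must_auth` is true for a fresh context, runs under a label describing the opposite outcome and a failure will not say which of the two tripped. Rename the second pair, e.g. `"given a token from a different browser, getting an email"` / `"auth is required"`, and the first vow to something like `"no auth required on the same browser"`. This hunk also sits directly after the account-staging batch, so the first-client assertion appears to go through the `pendingCreation` path that already bypassed auth; whether any test in this file exercises the new `pendingAddition` branch is not visible here and is worth confirming. Finally, each vow reads `r.code` before looking at `err`; an `assert.ok(!err);` first would turn a transport failure into a clear assertion rather than a TypeError on `r`.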
@@ -290,7 +339,6 @@ suite.addBatch({
 // browser should be prompted to authenticate
 
 // New context for a second client
-var oldContext;
 suite.addBatch({
   "change context": function () {
     oldContext = wsapi.getContext();
-- 
GitLab