diff --git a/resources/static/common/js/network.js b/resources/static/common/js/network.js
index 190b3396df94d5d4be4e61abeff2789576075b88..ce04a07a463b422d96ca3d46051ab15307af24b7 100644
--- a/resources/static/common/js/network.js
+++ b/resources/static/common/js/network.js
@@ -101,15 +101,8 @@ BrowserID.Network = (function() {
}
function handleAddressVerifyCheckResponse(onComplete, status, textStatus, jqXHR) {
- if (status.status === 'complete') {
- // The user at this point can ONLY be logged in with password
- // authentication. Once the registration is complete, that means
- // the server has updated the user's cookies and the user is
- // officially authenticated.
- auth_status = 'password';
-
- if (status.userid) setUserID(status.userid);
- }
+ if (status.status === 'complete' && status.userid)
+ setUserID(status.userid);
complete(onComplete, status.status);
}
diff --git a/resources/static/common/js/user.js b/resources/static/common/js/user.js
index babc592290d3ce01c4e62e3c36aad20757d842eb..dced5541cfb9db855f5f8d29bde705990f91628b 100644
--- a/resources/static/common/js/user.js
+++ b/resources/static/common/js/user.js
@@ -146,7 +146,6 @@ BrowserID.User = (function() {
}
-
function addressVerificationPoll(checkFunc, email, onSuccess, onFailure) {
function poll() {
checkFunc(email, function(status) {
@@ -179,9 +178,19 @@ BrowserID.User = (function() {
// they just completed a registration.
registrationComplete = true;
- if (onSuccess) {
- onSuccess(status);
+ if (status === "complete") {
+ // If the response is complete but the user is not authenticated
+ // to the password level, the user *must* authenticate or else
+ // they will see an error when they try to certify a cert. Users
+ // who have entered their password in this dialog session will be
+ // automatically authenticated in modules/check_registration.js,
+ // all others will have to enter their password. See issue #2088.
+ network.checkAuth(function(authLevel) {
+ if (authLevel !== "password") status = "mustAuth";
+ complete(onSuccess, status);
+ }, onFailure);
}
+ else complete(onSuccess, status);
}
else if (status === 'pending') {
pollTimeout = setTimeout(poll, 3000);
diff --git a/resources/static/dialog/js/misc/state.js b/resources/static/dialog/js/misc/state.js
index b9f1f7db346016bf81d7b1a735d7f2348112adab..d4e679fcbdd69199eb8bb3d3747b05335eb7055a 100644
--- a/resources/static/dialog/js/misc/state.js
+++ b/resources/static/dialog/js/misc/state.js
@@ -49,6 +49,10 @@ BrowserID.State = (function() {
// screen.
var actionInfo = {
email: info.email,
+ // password is used to authenticate the user if the verification poll
+ // wsapi comes back with "mustAuth" or the user is currently
+ // authenticated to the "assertion" level. See issue #2088
+ password: self.stagedPassword,
siteName: self.siteName
};
@@ -120,6 +124,21 @@ BrowserID.State = (function() {
startAction("doAuthenticate", info);
});
+ handleState("authenticate_specified_email", function(msg, info) {
+ // user must authenticate with their password, kick them over to
+ // the required email screen to enter the password.
+ startAction("doAuthenticateWithRequiredEmail", {
+ email: info.email,
+ secondary_auth: true,
+
+ // This is a user is already authenticated to the assertion
+ // level who has chosen a secondary email address from the
+ // pick_email screen. They would have been shown the
+ // siteTOSPP there.
+ siteTOSPP: false
+ });
+ });
+
handleState("new_user", function(msg, info) {
self.newUserEmail = info.email;
@@ -156,6 +175,11 @@ BrowserID.State = (function() {
*/
info = _.extend({ email: self.newUserEmail || self.addEmailEmail || self.resetPasswordEmail }, info);
+ // stagedPassword is used to authenticate a user if the verification poll
+ // comes back with "mustAuth" or the user is not currently authenticated
+ // to the "password" level. See issue #2088
+ self.stagedPassword = info.password;
+
if(self.newUserEmail) {
self.newUserEmail = null;
startAction(false, "doStageUser", info);
@@ -320,16 +344,7 @@ BrowserID.State = (function() {
if (authentication === "assertion") {
// user must authenticate with their password, kick them over to
// the required email screen to enter the password.
- startAction("doAuthenticateWithRequiredEmail", {
- email: email,
- secondary_auth: true,
-
- // This is a user is already authenticated to the assertion
- // level who has chosen a secondary email address from the
- // pick_email screen. They would have been shown the
- // siteTOSPP there.
- siteTOSPP: false
- });
+ redirectToState("authenticate_specified_email", info);
}
else {
redirectToState("email_valid_and_ready", info);
diff --git a/resources/static/dialog/js/modules/check_registration.js b/resources/static/dialog/js/modules/check_registration.js
index 29094a1dcfd4bc7749ed50db4616f3d4baaa46c3..c6823889f51fbcb548252c32acd0a45bc92cde7b 100644
--- a/resources/static/dialog/js/modules/check_registration.js
+++ b/resources/static/dialog/js/modules/check_registration.js
@@ -56,15 +56,11 @@ BrowserID.Modules.CheckRegistration = (function() {
oncomplete && oncomplete();
});
} else {
- user.addressInfo(self.email, function(info) {
- self.close("authenticate", info);
- });
+ self.close("authenticate_specified_email", { email: self.email });
}
});
} else {
- user.addressInfo(self.email, function(info) {
- self.close("authenticate", info);
- });
+ self.close("authenticate_specified_email", { email: self.email });
}
oncomplete && oncomplete();