fix(token): Fix mem verifyTokenCode (#303), r=@rfk, @philbooth

2018-02-08 14:41:48 +00:00 · 2018-02-08 14:41:48 +00:00 · 6a4fb6771d
--- a/db-server/test/backend/remote.js
+++ b/db-server/test/backend/remote.js
@ -1542,7 +1542,7 @@ module.exports = function(cfg, makeServer) {
    )

    describe(
-      'add account, verify session with tokenVerificationCode',
+      'add account, verify session and keyfetch with tokenVerificationCode',
      () => {
        let user

@ -1555,13 +1555,17 @@ module.exports = function(cfg, makeServer) {
            })
        })

-        it('should verify session with tokenVerificationCode', () => {
-          return client.putThen('/sessionToken/' + user.sessionTokenId, user.sessionToken)
-            .then((r) => {
-              respOkEmpty(r)
+        it('should verify session and keyfetch with tokenVerificationCode', () => {
+          return P.all([
+            client.putThen('/sessionToken/' + user.sessionTokenId, user.sessionToken),
+            client.putThen('/keyFetchToken/' + user.keyFetchTokenId, user.keyFetchToken)
+          ])
+            .spread((sessionToken, keyFetchToken) => {
+              respOkEmpty(sessionToken)
+              respOkEmpty(keyFetchToken)
              return client.getThen('/sessionToken/' + user.sessionTokenId + '/verified')
            })
-            .then(function (r) {
+            .then((r) => {
              respOk(r)
              const result = r.obj
              assert.ok(result.tokenVerificationCodeHash, 'tokenVerificationCodeHash exists')
@ -1570,15 +1574,22 @@ module.exports = function(cfg, makeServer) {
                uid: user.accountId
              })
            })
-            .then(function (r) {
+            .then((r) => {
              respOk(r)
-              return client.getThen('/sessionToken/' + user.sessionTokenId + '/verified')
+              return P.all([
+                client.getThen('/sessionToken/' + user.sessionTokenId + '/verified'),
+                client.getThen('/keyFetchToken/' + user.keyFetchTokenId + '/verified'),
+              ])
            })
-            .then(function (r) {
-              respOk(r)
-              const result = r.obj
-              assert.equal(result.tokenVerificationCodeHash, null, 'tokenVerificationCodeHash not set')
-              assert.equal(result.tokenVerificationCodeExpiresAt, null, 'tokenVerificationCodeExpiresAt not set')
+            .spread((sessionTokenResp, keyFetchTokenResp) => {
+              respOk(sessionTokenResp)
+              respOk(keyFetchTokenResp)
+              const sessionToken = sessionTokenResp
+              const keyFetchToken = keyFetchTokenResp
+              assert.equal(sessionToken.tokenVerificationId, null, 'tokenVerificationCodeHash not set')
+              assert.equal(sessionToken.tokenVerificationCodeHash, null, 'tokenVerificationCodeHash not set')
+              assert.equal(sessionToken.tokenVerificationCodeExpiresAt, null, 'tokenVerificationCodeExpiresAt not set')
+              assert.equal(keyFetchToken.tokenVerificationId, null, 'tokenVerificationId not set')
            })
        })
      }
--- a/db-server/test/fake.js
+++ b/db-server/test/fake.js
@ -85,7 +85,7 @@ module.exports.newUserDataHex = function() {
    uid : data.accountId,
    keyBundle : hex96(),
    createdAt: Date.now(),
-    tokenVerificationId: hex16()
+    tokenVerificationId: data.sessionToken.tokenVerificationId
  }

  // accountResetToken
--- a/lib/db/mem.js
+++ b/lib/db/mem.js
@ -367,51 +367,26 @@ module.exports = function (log, error) {
  }

  Memory.prototype.verifyTokenCode = function (tokenData, accountData) {
-    const uid = accountData.uid.toString('hex')
    const tokenVerificationCodeHash = dbUtil.createHash(tokenData.code)
-    let expired = false

-    const tokenCount = Object.keys(unverifiedTokens).reduce((count, tokenId) => {
-      const t = unverifiedTokens[tokenId]
-
-      if (t.uid.toString('hex') !== uid) {
-        return count
+    let token = undefined
+    Object.keys(unverifiedTokens).some((t) => {
+      const tempToken = unverifiedTokens[t]
+      if (tempToken.tokenVerificationCodeHash && tempToken.tokenVerificationCodeHash.toString('hex') === tokenVerificationCodeHash.toString('hex')) {
+        token = tempToken
+        return true
      }
+    })

-      if (! t.tokenVerificationCodeHash || ! t.tokenVerificationCodeExpiresAt) {
-        return count
-      }
-
-      // Is code expired?
-      if (t.tokenVerificationCodeHash.toString('hex') === tokenVerificationCodeHash.toString('hex')) {
-        if (t.tokenVerificationCodeExpiresAt <= Date.now()) {
-          expired = true
-
-          return count
-        }
-
-        // Remove token and update security table
-        (securityEvents[uid] || []).forEach(function (ev) {
-          if (ev.tokenId && ev.tokenId.toString('hex') === tokenId) {
-            ev.verified = true
-          }
-        })
-        delete unverifiedTokens[tokenId]
-
-        return count + 1
-      }
-      return count
-    }, 0)
-
-    if (expired) {
+    if (token && token.tokenVerificationCodeExpiresAt <= Date.now()) {
      return P.reject(error.expiredTokenVerificationCode())
    }

-    if (tokenCount === 0) {
+    if (! token) {
      return P.reject(error.notFound())
    }

-    return P.resolve({})
+    return this.verifyTokens(token.tokenVerificationId, accountData)
  }

  Memory.prototype.deleteAccountResetToken = function (tokenId) {
@ -511,7 +486,7 @@ module.exports = function (log, error) {
    for (var i = 0; i < tokenIds.length; i++) {
      var unverifiedToken = unverifiedTokens[tokenIds[i]]
      if (unverifiedToken.tokenVerificationId.equals(tokenVerificationId) &&
-          unverifiedToken.uid.equals(uid)) {
+        unverifiedToken.uid.equals(uid)) {
        sessionTokenId = tokenIds[i]
        break
      }