fxa-auth-server/routes/idp.js

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

const Hapi = require('hapi');
const fs = require('fs');
const CC = require('compute-cluster');
const config = require('../lib/config').root();

const hour = 1000 * 60 * 60;
const T = Hapi.types;

var cc = new CC({ module: __dirname + '/sign.js' });

var account = require('../lib/account');

var routes = [
  {
    method: 'GET',
    path: '/.well-known/browserid',
    config: {
      handler: wellKnown
    }
  },
  {
    method: 'GET',
    path: '/sign_in.html',
    config: {
      handler: {
        file: './sign_in.html'
      }
    }
  },
  {
    method: 'GET',
    path: '/provision.html',
    config: {
      handler: {
        file: './provision.html'
      }
    }
  },
  {
    method: 'POST',
    path: '/create',
    config: {
      description:
        "Creates an account associated with an email address, " +
        "passing along SRP information (salt and verifier) " +
        "and a wrapped key (used for class B data storage).",
      tags: ["srp", "account"],
      handler: create,
      validate: {
        payload: {
          email: T.String().email().required(),
          verifier: T.String().required(),
          salt: T.String().required(),
          params: T.Object(), // TODO: what are these?
          wrapKb: T.String() // TODO: required?
        }
      }
    }
  },
  {
    method: 'POST',
    path: '/sign',
    config: {
      handler: sign,
      auth: {
        strategy: 'hawk',
        payload: 'required'
      },
      tags: ["account"],
      validate: {
        payload: {
          publicKey: Hapi.types.String().required(),
          duration: Hapi.types.Number().integer().min(0).max(24 * hour).required()
        }
      }
    }
  },
  {
    method: 'POST',
    path: '/startLogin',
    config: {
      description:
        "Begins an SRP login for the supplied email address, " +
        "returning the temporary sessionId and parameters for " +
        "key stretching and the SRP protocol for the client.",
      tags: ["srp", "account"],
      handler: startLogin,
      validate: {
        payload: {
          email: T.String().email().required()
        },
        response: {
          schema: {
            sessionId: T.String(),
            stretch: T.Object({
              salt: T.String()
            }),
            srp: T.Object({
              N_bits: T.Number(), // number of bits for prime
              alg: T.String(),    // hash algorithm (sha256)
              s: T.String(),      // salt
              B: T.String()       // server's public key value
            })
          }
        }
      }
    }
  },
  {
    method: 'POST',
    path: '/finishLogin',
    config: {
      description:
        "Finishes the SRP dance, with the client providing " +
        "proof-of-knownledge of the password and receiving " +
        "the bundle encrypted with the shared key.",
      tags: ["srp", "account"],
      handler: finishLogin,
      validate: {
        payload: {
          sessionId: T.String().required(),
          password: T.String().without('A'),
          A: T.String().without('password').with('M'),
          M: T.String().with('A')
        },
        response: {
          schema: {
            bundle: T.String().without('kA').without('wrapKb'),
            accountToken: T.String(),
            kA: T.String().without('bundle'),
            wrapKb: T.String().without('bundle')
          }
        }
      }
    }
  },
  {
    method: 'POST',
    path: '/resetToken',
    config: {
      tags: ["account"],
      handler: getResetToken,
      validate: {
        payload: {
          accountToken: T.String().required()
        },
        response: {
          schema: {
            resetToken: T.String().required()
          }
        }
      }
    }
  },
  {
    method: 'POST',
    path: '/resetPassword',
    config: {
      tags: ["account"],
      handler: resetPassword,
      validate: {
        payload: {
          resetToken: T.String().required(),
          verifier: T.String().required(),
          params: T.Object(),
          wrapKb: T.String()
        }
      }
    }
  },
];

function wellKnown(request) {
  request.reply({
    'public-key': fs.readFileSync(config.publicKeyFile),
    'authentication': '/sign_in.html',
    'provisioning': '/provision.html'
  });
}

function create(request) {
  account.create(
    request.payload,
    function (err) {
      if (err) {
        request.reply(err);
      }
      else {
        //TODO do stuff
        request.reply('ok');
      }
    }
  );
}

function sign(request) {
  account.getUser(
    request.auth.credentials.uid,
    function (err, user) {
      if (err) { return request.reply(Hapi.error.internal('Unable to sign certificate', err)); }
      cc.enqueue(
        {
          email: user.email,
          publicKey: request.payload.publicKey,
          duration: request.payload.duration
        },
        function (err, result) {
          if (err || result.err) {
            request.reply(Hapi.error.internal('Unable to sign certificate', err || result.err));
          }
          else {
            request.reply(result);
          }
        }
      );
    }
  );
}

function startLogin(request) {

  account.startLogin(
    request.payload.email,
    function (err, result) {
      if (err) {
        request.reply(err);
      }
      else {
        request.reply(result);
      }
    }
  );

}

function finishLogin(request) {

  function respond(err, result) {
    if (err) {
      request.reply(err);
    }
    else {
      request.reply(result);
    }
  }

  if (request.payload.password) {
    account.finishLoginWithPassword(
      request.payload.sessionId,
      request.payload.password,
      respond
    );
  }
  else {
    account.finishLoginWithSRP(
      request.payload.sessionId,
      request.payload.A,
      request.payload.M,
      respond
    );
  }
}

function getResetToken(request) {

  account.getResetToken(
    request.payload.accountToken,
    function (err, result) {
      if (err) {
        request.reply(err);
      }
      else {
        request.reply(result);
      }
    }
  );
}

function resetPassword(request) {
  account.resetPassword(
    request.payload.resetToken,
    request.payload,
    function (err) {
      if (err) {
        request.reply(err);
      }
      else {
        request.reply('ok');
      }
    }
  );
}

module.exports = {
  routes: routes
};
stubbed /create route 2013-05-16 00:42:25 +04:00			`/* This Source Code Form is subject to the terms of the Mozilla Public`
			`* License, v. 2.0. If a copy of the MPL was not distributed with this`
			`* file, You can obtain one at http://mozilla.org/MPL/2.0/. */`

stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`const Hapi = require('hapi');`
now generates certs from a signToken and public key 2013-05-17 04:13:01 +04:00			`const fs = require('fs');`
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`const CC = require('compute-cluster');`
changed default logstash log file, fixed a config issue 2013-06-18 21:38:19 +04:00			`const config = require('../lib/config').root();`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`const hour = 1000 * 60 * 60;`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`const T = Hapi.types;`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`var cc = new CC({ module: __dirname + '/sign.js' });`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00
			`var account = require('../lib/account');`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00
			`var routes = [`
			`{`
			`method: 'GET',`
			`path: '/.well-known/browserid',`
			`config: {`
			`handler: wellKnown`
			`}`
			`},`
			`{`
			`method: 'GET',`
			`path: '/sign_in.html',`
			`config: {`
			`handler: {`
			`file: './sign_in.html'`
			`}`
			`}`
			`},`
			`{`
			`method: 'GET',`
			`path: '/provision.html',`
			`config: {`
			`handler: {`
			`file: './provision.html'`
			`}`
			`}`
			`},`
stubbed /create route 2013-05-16 00:42:25 +04:00			`{`
			`method: 'POST',`
			`path: '/create',`
			`config: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`description:`
			`"Creates an account associated with an email address, " +`
			`"passing along SRP information (salt and verifier) " +`
			`"and a wrapped key (used for class B data storage).",`
			`tags: ["srp", "account"],`
stubbed /create route 2013-05-16 00:42:25 +04:00			`handler: create,`
			`validate: {`
			`payload: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`email: T.String().email().required(),`
			`verifier: T.String().required(),`
			`salt: T.String().required(),`
			`params: T.Object(), // TODO: what are these?`
			`wrapKb: T.String() // TODO: required?`
stubbed /create route 2013-05-16 00:42:25 +04:00			`}`
			`}`
			`}`
			`},`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`{`
			`method: 'POST',`
			`path: '/sign',`
			`config: {`
			`handler: sign,`
implemented /sign with hawk credentials uses the signToken to derive the hawk tokenId and reqHMACkey as specified: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Signing_Certificates 2013-07-03 01:16:40 +04:00			`auth: {`
			`strategy: 'hawk',`
			`payload: 'required'`
			`},`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`tags: ["account"],`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`validate: {`
			`payload: {`
implemented /sign with hawk credentials uses the signToken to derive the hawk tokenId and reqHMACkey as specified: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Signing_Certificates 2013-07-03 01:16:40 +04:00			`publicKey: Hapi.types.String().required(),`
			`duration: Hapi.types.Number().integer().min(0).max(24 * hour).required()`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`
			`}`
			`}`
			`},`
			`{`
			`method: 'POST',`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`path: '/startLogin',`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`config: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`description:`
			`"Begins an SRP login for the supplied email address, " +`
			`"returning the temporary sessionId and parameters for " +`
			`"key stretching and the SRP protocol for the client.",`
			`tags: ["srp", "account"],`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`handler: startLogin,`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`validate: {`
			`payload: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`email: T.String().email().required()`
			`},`
			`response: {`
			`schema: {`
			`sessionId: T.String(),`
			`stretch: T.Object({`
			`salt: T.String()`
			`}),`
			`srp: T.Object({`
			`N_bits: T.Number(), // number of bits for prime`
			`alg: T.String(), // hash algorithm (sha256)`
			`s: T.String(), // salt`
			`B: T.String() // server's public key value`
			`})`
			`}`
stubbed /create route 2013-05-16 00:42:25 +04:00			`}`
			`}`
			`}`
			`},`
			`{`
			`method: 'POST',`
			`path: '/finishLogin',`
			`config: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`description:`
			`"Finishes the SRP dance, with the client providing " +`
			`"proof-of-knownledge of the password and receiving " +`
			`"the bundle encrypted with the shared key.",`
			`tags: ["srp", "account"],`
stubbed /create route 2013-05-16 00:42:25 +04:00			`handler: finishLogin,`
			`validate: {`
			`payload: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`sessionId: T.String().required(),`
			`password: T.String().without('A'),`
			`A: T.String().without('password').with('M'),`
			`M: T.String().with('A')`
			`},`
			`response: {`
			`schema: {`
			`bundle: T.String().without('kA').without('wrapKb'),`
			`accountToken: T.String(),`
			`kA: T.String().without('bundle'),`
			`wrapKb: T.String().without('bundle')`
			`}`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`
			`}`
			`}`
now generates certs from a signToken and public key 2013-05-17 04:13:01 +04:00			`},`
Implement getResetToken and resetPassword of the idp protocol 2013-05-25 02:58:08 +04:00			`{`
			`method: 'POST',`
			`path: '/resetToken',`
			`config: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`tags: ["account"],`
Implement getResetToken and resetPassword of the idp protocol 2013-05-25 02:58:08 +04:00			`handler: getResetToken,`
			`validate: {`
			`payload: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`accountToken: T.String().required()`
Implement getResetToken and resetPassword of the idp protocol 2013-05-25 02:58:08 +04:00			`},`
			`response: {`
			`schema: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`resetToken: T.String().required()`
Implement getResetToken and resetPassword of the idp protocol 2013-05-25 02:58:08 +04:00			`}`
			`}`
			`}`
			`}`
			`},`
			`{`
			`method: 'POST',`
			`path: '/resetPassword',`
			`config: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`tags: ["account"],`
Implement getResetToken and resetPassword of the idp protocol 2013-05-25 02:58:08 +04:00			`handler: resetPassword,`
			`validate: {`
			`payload: {`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`resetToken: T.String().required(),`
			`verifier: T.String().required(),`
			`params: T.Object(),`
			`wrapKb: T.String()`
Implement getResetToken and resetPassword of the idp protocol 2013-05-25 02:58:08 +04:00			`}`
			`}`
			`}`
			`},`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`];`

			`function wellKnown(request) {`
			`request.reply({`
use bunyan as the logger, remove 'good' 2013-06-18 03:36:52 +04:00			`'public-key': fs.readFileSync(config.publicKeyFile),`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`'authentication': '/sign_in.html',`
			`'provisioning': '/provision.html'`
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`});`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`

stubbed /create route 2013-05-16 00:42:25 +04:00			`function create(request) {`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`account.create(`
			`request.payload,`
Add descriptions to SRP routes and add response validation where missing 2013-07-02 22:44:28 +04:00			`function (err) {`
stubbed /create route 2013-05-16 00:42:25 +04:00			`if (err) {`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`request.reply(err);`
stubbed /create route 2013-05-16 00:42:25 +04:00			`}`
			`else {`
			`//TODO do stuff`
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`request.reply('ok');`
stubbed /create route 2013-05-16 00:42:25 +04:00			`}`
			`}`
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`);`
stubbed /create route 2013-05-16 00:42:25 +04:00			`}`

stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`function sign(request) {`
implemented /sign with hawk credentials uses the signToken to derive the hawk tokenId and reqHMACkey as specified: https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Signing_Certificates 2013-07-03 01:16:40 +04:00			`account.getUser(`
			`request.auth.credentials.uid,`
			`function (err, user) {`
			`if (err) { return request.reply(Hapi.error.internal('Unable to sign certificate', err)); }`
			`cc.enqueue(`
			`{`
			`email: user.email,`
			`publicKey: request.payload.publicKey,`
			`duration: request.payload.duration`
			`},`
			`function (err, result) {`
			`if (err \|\| result.err) {`
			`request.reply(Hapi.error.internal('Unable to sign certificate', err \|\| result.err));`
			`}`
			`else {`
			`request.reply(result);`
			`}`
			`}`
			`);`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`);`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`

Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`function startLogin(request) {`

			`account.startLogin(`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`request.payload.email,`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`function (err, result) {`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`if (err) {`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`request.reply(err);`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`
			`else {`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`request.reply(result);`
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`
			`}`
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`);`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00
stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`}`

stubbed /create route 2013-05-16 00:42:25 +04:00			`function finishLogin(request) {`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00
Began implementing SRP 2013-06-25 04:21:02 +04:00			`function respond(err, result) {`
			`if (err) {`
			`request.reply(err);`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00			`}`
Began implementing SRP 2013-06-25 04:21:02 +04:00			`else {`
			`request.reply(result);`
			`}`
			`}`
Implement create, startLogin, and finishLogin sans SRP 2013-05-16 03:52:28 +04:00
Began implementing SRP 2013-06-25 04:21:02 +04:00			`if (request.payload.password) {`
			`account.finishLoginWithPassword(`
			`request.payload.sessionId,`
			`request.payload.password,`
			`respond`
			`);`
			`}`
			`else {`
			`account.finishLoginWithSRP(`
			`request.payload.sessionId,`
			`request.payload.A,`
			`request.payload.M,`
			`respond`
			`);`
			`}`
stubbed /create route 2013-05-16 00:42:25 +04:00			`}`

Implement getResetToken and resetPassword of the idp protocol 2013-05-25 02:58:08 +04:00			`function getResetToken(request) {`

			`account.getResetToken(`
			`request.payload.accountToken,`
			`function (err, result) {`
			`if (err) {`
			`request.reply(err);`
			`}`
			`else {`
			`request.reply(result);`
			`}`
			`}`
			`);`
			`}`

			`function resetPassword(request) {`
			`account.resetPassword(`
			`request.payload.resetToken,`
			`request.payload,`
			`function (err) {`
			`if (err) {`
			`request.reply(err);`
			`}`
			`else {`
			`request.reply('ok');`
			`}`
			`}`
			`);`
			`}`

stubbed some idp stuff 2013-05-15 03:23:36 +04:00			`module.exports = {`
			`routes: routes`
fixed jshint semicolons 2013-05-16 01:08:03 +04:00			`};`