Merge branch 'master' into pb/2884-better-500-errors

2019-02-20 09:57:15 +00:00 · 2019-02-20 09:57:15 +00:00 · 39de07d887
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,13 @@
+<a name="1.130.1"></a>
+## [1.130.1](https://github.com/mozilla/fxa-auth-server/compare/v1.130.0...v1.130.1) (2019-02-11)
+
+
+### Bug Fixes
+
+* **key-data:** fix key-data endpoint for fresh accounts ([ab6ce00](https://github.com/mozilla/fxa-auth-server/commit/ab6ce00)), closes [#2908](https://github.com/mozilla/fxa-auth-server/issues/2908)
+
+
+
 <a name="1.130.0"></a>
 # [1.130.0](https://github.com/mozilla/fxa-auth-server/compare/v1.129.5...v1.130.0) (2019-02-05)

--- a/fxa-oauth-server/config/dev.json
+++ b/fxa-oauth-server/config/dev.json
@ -148,6 +148,17 @@
      "trusted": true,
      "allowedScopes": "https://identity.mozilla.com/apps/oldsync",
      "publicClient": true
+    },
+    {
+      "id": "a2270f727f45f648",
+      "name": "Fenix",
+      "hashedSecret": "4a892c55feaceb4ef2dbfffaaaa3d8eea94b5c205c815dddfc90170741cd4c19",
+      "imageUri": "",
+      "redirectUri": "http://127.0.0.1:3030/oauth/success/a2270f727f45f648",
+      "canGrant": false,
+      "trusted": true,
+      "allowedScopes": "https://identity.mozilla.com/apps/oldsync",
+      "publicClient": true
    }
  ],
  "localRedirects": true,
--- a/fxa-oauth-server/docs/api.md
+++ b/fxa-oauth-server/docs/api.md
@ -455,7 +455,7 @@ destroy the token afterwards. A client can use this route to do so.

 #### Request Parameters

- `token` - The hex string token.
+- `token|access_token|refresh_token`: The hex string access token. By default, `token` is assumed to be the access token.

 **Example:**

--- a/fxa-oauth-server/lib/routes/key_data.js
+++ b/fxa-oauth-server/lib/routes/key_data.js
@ -80,7 +80,7 @@ module.exports = {
      // If the assertion certificate was issued prior to a key-rotation event,
      // we don't want to revel the new secrets to such stale assertions,
      // even if they are technically still valid.
-      if (iat < (keyRotationTimestamp / 1000)) {
+      if (iat < Math.floor(keyRotationTimestamp / 1000)) {
        throw AppError.staleAuthAt(iat);
      }
      response[keyScope.scope] = {
--- a/fxa-oauth-server/test/api.js
+++ b/fxa-oauth-server/test/api.js
@ -2614,6 +2614,19 @@ describe('/v1', function() {
            assert.equal(Object.keys(res.result).length, 0, 'no scoped keys');
          });
      });
+
+      it('correctly handles authAt timestamp for newly-created accounts', () => {
+        mockAssertion().reply(200, mockVerifierResult({
+          authAt: 1549910733,
+          generation: 1549910733629
+        }));
+        return Server.api.post(genericRequest)
+          .then((res) => {
+            assert.equal(res.statusCode, 200);
+            assertSecurityHeaders(res);
+            assert.equal(Object.keys(res.result).length, 1, 'scoped key returned');
+          });
+      });
    });

  });
--- a/lib/routes/devices-and-sessions.js
+++ b/lib/routes/devices-and-sessions.js
@ -112,6 +112,26 @@ module.exports = (log, db, config, customs, push, pushbox, devices) => {
    return {}
  }

+  // Creates a "full" device response, provided a sessionToken and an optional
+  // updated DB device record.
+  function buildDeviceResponse(sessionToken, device = null) {
+    // We must respond with the full device record,
+    // including any default values for missing fields.
+    return {
+      // These properties can be picked from sessionToken or device as appropriate.
+      pushCallback: sessionToken.deviceCallbackURL,
+      pushPublicKey: sessionToken.deviceCallbackPublicKey,
+      pushAuthKey: sessionToken.deviceCallbackAuthKey,
+      pushEndpointExpired: sessionToken.deviceCallbackIsExpired,
+      availableCommands: sessionToken.deviceAvailableCommands,
+      ...device,
+      // But these need to be non-falsey, using default fallbacks if necessary
+      id: (device && device.id) || sessionToken.deviceId,
+      name: (device && device.name) || sessionToken.deviceName || devices.synthesizeName(sessionToken),
+      type: (device && device.type) || sessionToken.deviceType || 'desktop',
+    }
+  }
+
  return [
    {
      method: 'POST',
@ -183,7 +203,7 @@ module.exports = (log, db, config, customs, push, pushbox, devices) => {
        if (payload.id) {
          // Don't write out the update if nothing has actually changed.
          if (devices.isSpuriousUpdate(payload, sessionToken)) {
-            return payload
+            return buildDeviceResponse(sessionToken)
          }

          // We also reserve the right to disable updates until
@ -216,24 +236,8 @@ module.exports = (log, db, config, customs, push, pushbox, devices) => {
            payload.availableCommands = {}
        }

-        return devices.upsert(request, sessionToken, payload)
-          .then(function (device) {
-            // We must respond with the full device record,
-            // including any default values for missing fields.
-            return Object.assign({
-              // These properties can be picked from sessionToken or device as appropriate.
-              pushCallback: sessionToken.deviceCallbackURL,
-              pushPublicKey: sessionToken.deviceCallbackPublicKey,
-              pushAuthKey: sessionToken.deviceCallbackAuthKey,
-              pushEndpointExpired: sessionToken.deviceCallbackIsExpired,
-              availableCommands: sessionToken.deviceAvailableCommands
-            }, device, {
-              // But these need to be non-falsey, using default fallbacks if necessary
-              id: device.id || sessionToken.deviceId,
-              name: device.name || sessionToken.deviceName || devices.synthesizeName(sessionToken),
-              type: device.type || sessionToken.deviceType || 'desktop',
-            })
-          })
+        const device = await devices.upsert(request, sessionToken, payload)
+        return buildDeviceResponse(sessionToken, device)
      }
    },
    {
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "fxa-auth-server",
-  "version": "1.130.0",
+  "version": "1.130.1",
  "description": "Firefox Accounts, an identity provider for Mozilla cloud services",
  "bin": {
    "fxa-auth": "./bin/key_server.js"
@ -56,8 +56,8 @@
    "fxa-shared": "1.0.17",
    "generic-pool": "3.2.0",
    "google-libphonenumber": "2.0.10",
-    "grunt-nunjucks-2-html": "vitkarpov/grunt-nunjucks-2-html#1900f91a756b2eaf900b20",
-    "handlebars": "4.0.6",
+    "grunt-nunjucks-2-html": "3.1.0",
+    "handlebars": "4.1.0",
    "hapi": "17.8.3",
    "hapi-auth-hawk": "4.0.0",
    "hapi-error": "1.8.0",
@ -124,7 +124,7 @@
    "mocha": "5.2.0",
    "nock": "10.0.2",
    "npmshrink": "2.0.0",
-    "nyc": "13.1.0",
+    "nyc": "13.3.0",
    "proxyquire": "2.0.0",
    "read": "1.0.7",
    "rimraf": "2.6.2",
--- a/test/local/routes/devices-and-sessions.js
+++ b/test/local/routes/devices-and-sessions.js
@ -100,10 +100,22 @@ describe('/account/device', function () {
      const args = mockDevices.isSpuriousUpdate.args[0]
      assert.equal(args.length, 2)
      assert.equal(args[0], mockRequest.payload)
-      assert.equal(args[1], mockRequest.auth.credentials)
+      const creds = mockRequest.auth.credentials
+      assert.equal(args[1], creds)

      assert.equal(mockDevices.upsert.callCount, 0)
-      assert.deepEqual(response, mockRequest.payload)
+      // Make sure the shape of the response is the same as if
+      // the update wasn't spurious.
+      assert.deepEqual(response, {
+        availableCommands: creds.deviceAvailableCommands,
+        id: creds.deviceId,
+        name: creds.deviceName,
+        pushAuthKey: creds.deviceCallbackAuthKey,
+        pushCallback: creds.deviceCallbackURL,
+        pushEndpointExpired: creds.deviceCallbackIsExpired,
+        pushPublicKey: creds.deviceCallbackPublicKey,
+        type: creds.deviceType,
+      })
    })
      .then(function () {
        mockDevices.isSpuriousUpdate.resetHistory()