mozilla
/
fxa-auth-server
зеркало из https://github.com/mozilla/fxa-auth-server.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
3 084 коммитов 174 Ветки 259 Теги 21 MiB
Граф коммитов

972 Коммитов

Автор SHA1 Сообщение Дата
Phil Booth 9731a08058
fix(logging): log successful sms budget checks 
https://github.com/mozilla/fxa-auth-server/pull/2436
r=shane-tomlinson
 2018-05-14 13:37:30 +01:00
Phil Booth f8bbffff15
fix(metrics): don't emit route flow events for 404s 
https://github.com/mozilla/fxa-auth-server/pull/2435
r=vbudhram
 2018-05-14 08:06:25 +01:00
Vijay Budhram a9c8aca42a
feat(emails): notify users when they are running low on recovery codes (#2429), r=@shane-tomlinson 
Add a new email template `lowRecoveryCodes` that is sent when the user is running low on codes.
 2018-05-10 12:44:38 -04:00
Phil Booth 4fc70a0b2b
fix(metrics): remove old flow signature fallback code 
Added in 445cf30609, this code was a
fallback to handle a change in how the content server generates the
flow id. Now that the content server change has stuck in prod, we can
remove the fallback.

https://github.com/mozilla/fxa-auth-server/pull/2420
r=shane-tomlinson
 2018-05-04 12:31:16 +01:00
Phil Booth 7aedef2fde
feat(sms): query the available budget in /sms/status 
https://github.com/mozilla/fxa-auth-server/pull/2401
r=vbudhram,jbuck
 2018-04-30 13:56:56 +01:00
Ryan Kelly 0cf1bc402d
feat(notifications): Add SNS msg attributes for service notification filtering (#2412); r=philbooth 2018-04-27 19:46:38 +10:00
Vijay Budhram 7793de3cde
fix(totp): check totp before account deletion (#2405), r=@philbooth 2018-04-24 10:19:57 -04:00
Vijay Budhram 308d7ffd58
feat(emails): add email to all manage account email links (#2392), r=@philbooth, @shane-tomlinson 2018-04-23 11:25:50 -04:00
Deepti 4a021c6844 refactor(email): remove email parameter from config (#2400) r=@vladikoff,@rfk 
Removes email extra parameter from config
 2018-04-18 23:02:55 -04:00
Phil Booth 25f2404561
chore(tests): remove duplicate mocking code 
The code in test/local/ip_profiling.js was pretty confusing. There was a
bunch of mocking code at the top level, which duplicated the mocking
code inside makeRoutes. Then some of the test bodies were mocking things
a third time.

This changeset attempts to tidy all that up a bit. In doing so, it also
replaces the home-baked mock log object that was being used with a prefab
from test/mocks.js. This fixes #2383.

https://github.com/mozilla/fxa-auth-server/pull/2398
r=vbudhram
 2018-04-17 15:58:25 +01:00
Vijay Budhram ed3d99edcf
fix(recovery): update to latest recovery code requirements (#2397), r=@philbooth 2018-04-17 09:52:44 -04:00
Phil Booth 778fc33944
chore(logging): use a less confusing op on flow event errors 
https://github.com/mozilla/fxa-auth-server/pull/2393
r=vbudhram
 2018-04-12 18:41:10 +01:00
Phil Booth 445cf30609
fix(metrics): stop using user-agent string in flow id check 
https://github.com/mozilla/fxa-auth-server/pull/2391
r=vbudhram,shane-tomlinson
 2018-04-12 17:32:41 +01:00
Ryan Kelly 19162ff6ed
feat(profile): Send "profileDataChanged" event when modifying 2FA status. (#2390); r=vbudhram 2018-04-12 14:06:26 +10:00
Vijay Budhram 4a892017e4
feat(totp): rate limit totp verify actions (#2386), r=@rfk 2018-04-11 12:19:03 -04:00
Edouard Oger 9462e349d7
fix(devices): Rename pushbox capability to messages in tests (#2389) r=@rfk 2018-04-10 18:31:22 -04:00
Phil Booth a6069e0880
refactor(metrics): use boiler-plate amplitude code from fxa-shared 
https://github.com/mozilla/fxa-auth-server/pull/2384
r=vbudhram
 2018-04-09 18:12:40 +01:00
Vijay Budhram b830707e32
fix(recovery): set assuranceLevel when verifying with recovery code (#2388), r=@rfk 2018-04-09 14:54:41 +00:00
Vijay Budhram 35da0bdf49
fix(email): only send new sign-in emails for sync when verifying with totp (#2381), r=@philbooth 2018-04-09 13:51:05 +00:00
Phil Booth e327e4f62f
fix(metrics): count 28 days per metric month 
https://github.com/mozilla/fxa-auth-server/pull/2378
r=rfk
 2018-03-29 22:07:23 +01:00
Vijay Budhram 110190d12d
fix(totp): add totp code window validation config (#2371), r=@vladikoff 2018-03-29 18:20:34 +00:00
Phil Booth a23eeaad09
feat(metrics): add user properties for active device counts 
Fixes mozilla/fxa-amplitude-send#60.

Amplitude's view of devices is skewed by the randomly-generated
device_id that we're using until cross-project device_ids are
implemented. And the sync_device_count property is skewed to a
lesser degree by apparent session-related problems that seem to
force some users to sign in repeatedly on a single device.

To mitigate those problems, this change adds three new properties
that indicate the number of devices that were active in a given
time period: sync_active_devices_day, sync_active_devices_week and
sync_active_devices_month. In this case, a "month" is 30 days.

https://github.com/mozilla/fxa-auth-server/pull/2372
r=vbudhram
 2018-03-28 17:10:43 +01:00
Ryan Kelly 10e934f5fe
fix(validation): Reject URLs with unexpected characters. (#2370); r=pb 
Previously we could accept URLs with unescaped special characters
such as newlines or unicode, which means we were depending on other
layers of the code to handle them correctly.  This change makes the
requestor responsible for properly escaping any special characters
in their URLs before passing them in to us.
 2018-03-28 19:34:25 +11:00
Phil Booth fd26a4abb2
chore(db): prevent the possibility of future url-injection bugs 
https://github.com/mozilla/fxa-auth-server/pull/2368
r=vbudhram
 2018-03-27 19:02:28 +01:00
Phil Booth be6cc0089e fix(sessions): only return major rev for browser version (#2363) r=@vladikoff 2018-03-27 11:33:43 -04:00
Vijay Budhram 6e0b56ce3e fix(metrics): pass metricsContext to consumeRecoveryCode (#2367) r=@vladikoff 2018-03-26 18:07:08 -04:00
Vijay Budhram 0b1d075b50
fix(totp): ensure correct session verification state before deleting totp (#2365), r=@rfk 2018-03-26 20:51:04 +00:00
Vijay Budhram 575b899cda
fix(totp): throw unverified session in promise chain (#2364), r=@rfk 2018-03-26 13:54:53 +00:00
Phil Booth b18173883e
fix(server): validate ip addresses before setting them on request object 
https://github.com/mozilla/fxa-auth-server/pull/2359
r=vbudhram
 2018-03-23 13:26:17 +00:00
Phil Booth 85da7f2271
fix(metrics): include full version information in event data (#2356) 
Fixes mozilla/fxa-amplitude-send#58.

The user-agent parser was originally written with synthesized device
names in mind, so it didn't always return the full version string for
browsers and operating systems. Since then, we started using the same
code for our event data, meaning that we're getting an incomplete
picture of the browser/os that our users are on.

This change tweaks the user-agent code so that it returns full version
info, and tweaks the code for synthesizing device names so that it
remains consistent with its old behaviour.
 2018-03-22 16:49:05 +00:00
Vijay Budhram 81700dae04
feat(totp): initial recovery codes (#2349), r=@philbooth 2018-03-22 15:46:10 +00:00
Edouard Oger 2067dba0de
feat(devices): Devices capabilities (#2350) r=@philbooth 2018-03-20 10:31:36 -04:00
Ryan Kelly 517f482240
feat(amr): Report AMR and AAL in relier-facing APIs. (#2346); r=vbudhram 
This helps expose the user's MFA state to reliers, by reporting
the "authentication methods" and "authenticator assurance level"
used when creating a sessionToken, along with the available methods
and maximum level achieveable by the account.
 2018-03-20 13:18:51 +11:00
Ryan Kelly ab856aff66 Merge branch 'train-107' 2018-03-19 13:43:25 +11:00
Phil Booth 01d37ee776 Merge branch 'train-107' 2018-03-17 08:14:10 +00:00
Vijay Budhram 8d3928dc96
feat(emails): totp notification emails (#2331), r=@philbooth 2018-03-16 19:30:29 +00:00
Deepti 2262ce8de8 fix(deprecation): check for deprecated APIs r=@vladikoff 
Fixes #2343 

Co-authored-by: deeptibaghel <deeptibaghel@gmail.com>
 2018-03-16 11:33:58 -04:00
Ryan Kelly bb17257d4a fix(validators): Normalize redirectTo url to avoid parsing edge-cases. (#71) r=@vladikoff 
See https://bugzilla.mozilla.org/show_bug.cgi?id=1445927 for an example
of the kind of edge-cases we want to avoid.
 2018-03-15 20:48:56 -04:00
Phil Booth 8da511c82c
fix(emails): prevent unsafe content from reaching rendered email body 
https://github.com/mozilla/fxa-auth-server-private/pull/70
r=rfk
 2018-03-15 20:54:36 +00:00
Ryan Kelly 86de08ba33
fix(totp): Restrict allowed chars in TOTP code input. (#2340); r=vbudhram 2018-03-14 16:59:49 +11:00
Phil Booth c68105343e
fix(metrics): ensure service is set when possible on amplitude events 
https://github.com/mozilla/fxa-auth-server/pull/2342
r=vbudhram
 2018-03-13 18:59:50 +00:00
Vijay Budhram ab7ba5a500
fix(emails): add location to `verify primary email` (#2341), r=@philbooth 2018-03-13 17:55:39 +00:00
Ryan Kelly ab17bf85fe fix(codes): Take token-code uid from the token, not the request payload. (#2339), r=@vbudhram 2018-03-13 13:16:04 +00:00
Deepti 481550543d fix(buffers): migrate from 'Buffer()' constructor calls r=@vladikoff 
Fixes #2333
 2018-03-12 19:51:37 -04:00
Vijay Budhram 70564d20cb Merge branch 'train-107' 2018-03-10 14:09:57 -05:00
Vijay Budhram a35411a2dd chore(uplift): uplift token validation fixes (#2335) r=@vladikoff 2018-03-09 17:25:17 -05:00
Hritvi Bhandari 65f9802f79 fix(params): use default parameters in options (#2332) r=@vladikoff 
Fixes https://github.com/mozilla/fxa-auth-server/issues/2308
 2018-03-09 12:27:33 -05:00
Vlad Filippov e2d2a7ecd5 feat(emails): delete bounced registrations that are younger than 6 hours (#2305); r=rfk 
Fixes https://github.com/mozilla/fxa-content-server/issues/5629
 2018-03-05 09:38:35 +11:00
Ryan Kelly 597bfab79f fix(tests): Make email-polling-expiry tests pass in March. (#2324) r=@vladikoff 
The tests assume that doing `date.setMonth(date.getMonth() - 2)`
will move the timestamp at least 60 days into the past, but in March
it only moves 31+28=59 days.  Thanks, February.
 2018-03-02 09:24:22 -05:00
Vijay Budhram 45ae7b2048
feat(totp): update to use new verification methods (#2321), r=@philbooth, @vladikoff 2018-02-28 19:35:40 +00:00
Phil Booth e9ec39d6cb
fix(redis): delete clashing tokens from redis in createSessionToken 
Our pruning of session tokens from Redis is not perfect because we can
only delete tokens that are expired-but-not-yet-pruned-from-MySQL. This
leaves us with some number of zombie session tokens that are lying
around in Redis, the effect of which could be to sometimes show
incorrect session information in the device manager (albeit with very
low probability).

To eliminate that possbility, this change speculatively deletes from
Redis when creating the session token. In addition, the maximum number
of Redis connections is bumped up from 100 to 200, because we can expect
the number of concurrent Redis operations to increase significantly.

https://github.com/mozilla/fxa-auth-server/pull/2316
r=vbudhram
 2018-02-22 16:29:41 +00:00
Vijay Budhram c805f9c334
feat(totp): TOTP Management APIs (#2300), r=@philbooth 2018-02-21 01:58:47 +00:00
Ryan Kelly e2cd9f91e7 fix(reauth): Don't send a "new device" email during session re-auth. 2018-02-21 06:12:24 +11:00
Ryan Kelly aa388cc5eb feat(sessions): Add ability to reauth within an existing login session. 2018-02-21 06:12:12 +11:00
Phil Booth d219cdd823 chore(logging): downgrade redis.watch.conflict to warning level (#2307) r=@vladikoff 2018-02-16 09:52:31 -05:00
Ryan Kelly bb2c67747b fix(logging): Make oauth_client_info use shared logging instance. (#2299) r=@vladikoff 
Previously it would require() its own version of the logging module, and hence would not correctly use various test stubs and mocks, and hence caused npm test to dump a bunch of logging output to the screen when executing the remote tests. This changes it to accept the log object as an argument in a similar style to other modules in this repo.
 2018-02-09 00:45:55 -05:00
Ryan Kelly 79b2876626 fix(tests): Test that unauthenticated /account/profile rejects cleanly. (#2296) r=@philbooth,@vladikoff 2018-02-08 18:18:56 -05:00
Vijay Budhram 5cb76e517d
fix(tests): Add `verifyTokenCode` support for mem keyFetchToken (#2287), r=@philbooth 2018-02-08 17:39:45 +00:00
Phil Booth a33756e8cd
chore(emails): remove all verification reminder code 
https://github.com/mozilla/fxa-auth-server/pull/2283
r=vbudhram
 2018-02-08 08:09:35 +00:00
Vlad Filippov f0ecf0ae4b
feat(emails): fetch service names from OAuth servers, use in emails (#2284) r=@rfk 
Fixes #2213
fixes #2249
 2018-02-07 20:22:02 -05:00
John Morrison 993fd02755 fix(email): log to recipient alongside smtp message-id 
https://github.com/mozilla/fxa-auth-server/pull/2286
r=philbooth
 2018-02-06 10:09:40 +00:00
Ryan Kelly 669f59a963 feat(sessions): Add /session/duplicate API 2018-02-06 14:39:26 +11:00
Phil Booth 924e8ca4ee
chore(code): eliminate duplicate pool and db modules 
https://github.com/mozilla/fxa-auth-server/pull/2282
r=vbudhram
 2018-02-05 14:44:55 +00:00
Phil Booth 11f7024f91
fix(redis): delete session tokens from redis in db.deleteDevice 
https://github.com/mozilla/fxa-auth-server/pull/2270
r=vbudhram
 2018-01-31 08:17:25 +00:00
Vijay Budhram 3953051b18 fix(bounce): Update bounces lib to use `accountRecord` (#2273) r=@rfk,@vladikoff 
Fixes #2272
 2018-01-30 19:12:38 -05:00
Vijay Budhram 0e4b77fec4
fix(unblock): Send correct primary email when blocked (#2271), r=@rfk 2018-01-30 20:13:58 +00:00
Phil Booth acf4b8bb17 Merge branch 'train-104' 2018-01-29 17:43:37 +00:00
Phil Booth f7ce4d0267
fix(metrics): ensure amplitude events always have a metrics context 
https://github.com/mozilla/fxa-auth-server/pull/2267
r=vbudhram
 2018-01-29 17:33:33 +00:00
Ryan Kelly 70d0f96792
fix(emails): Reset account tokens when deleting an email address. (#2266); r=philbooth 2018-01-29 19:21:14 +11:00
Phil Booth e7bbb86de3
chore(deps): update fxa-geodb 
https://github.com/mozilla/fxa-auth-server/pull/2259
r=vbudhram
 2018-01-20 09:03:38 +00:00
Phil Booth 1b2d1d95c0
fix(redis): pack redis tokens inside db.deleteSessionToken 
https://github.com/mozilla/fxa-auth-server/pull/2261
r=vbudhram
 2018-01-20 08:28:32 +00:00
Phil Booth a9a61f0cc5
feat(redis): prune expired session tokens from redis 
https://github.com/mozilla/fxa-auth-server/pull/2257
r=vbudhram
 2018-01-18 19:23:29 +00:00
Ryan Kelly af3a9eb423
feat(auth): Enable hawk payload validation for additional replay protection (#2252); r=pbooth 
Thanks to Mahmoud Abdelmonem for reporting this issue!
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1427157
 2018-01-16 19:52:52 +11:00
Phil Booth fcddf0b8a2
feat(redis): eliminate property names from redis-stored tokens 
https://github.com/mozilla/fxa-auth-server/pull/2254
r=rfk
 2018-01-11 08:42:03 +00:00
Phil Booth 804344d65b fix(tests): fix failing geolocation tests (#2253) r=@vladikoff 2018-01-08 17:11:44 -05:00
Vijay Budhram 677bdbb6a8
Add ability to verify login with token code (#2218), r=@rfk 2017-12-20 12:03:32 -05:00
Vijay Budhram ae36ddf9a5
feat(codes): don't send delete notification when deleting unverified email (#2246), r=@rfk 2017-12-09 20:45:17 -05:00
Ryan Kelly 9da5305cd3
fix(push): Send a notification to the device that's being disconnected. (#2245); r=eoger 2017-12-06 10:06:41 +11:00
Phil Booth 91cd5398b6
fix(db): implement safe redis write semantics 
https://github.com/mozilla/fxa-auth-server/pull/2235
r=rfk,vbudhram
 2017-11-28 08:02:37 +00:00
Phil Booth 3034a41d0f fix(metrics): include oauth_client_id in amplitude event properties (#2240); r=rfk 2017-11-27 14:43:21 +11:00
Phil Booth 0069873a1d fix(metrics): stop sending raw client ids to amplitude (#2239) r=@vladikoff 2017-11-23 14:36:13 -05:00
Vijay Budhram 90646b9058
chore(email): remove check_can_add_secondary_address route (#2234), r=@philbooth 2017-11-17 13:52:20 -05:00
Vijay Budhram 2617b5abbd
chore(email): Remove FF57 gating logic (#2232), r=@philbooth 2017-11-17 09:19:17 -05:00
Phil Booth f68e4bbdd7
fix(tests): test against actual redis instance 
https://github.com/mozilla/fxa-auth-server/pull/2221
r=vbudhram
 2017-11-15 14:33:57 +00:00
Phil Booth 8826364483
fix(db): sanely handle redis errors 
https://github.com/mozilla/fxa-auth-server/pull/2215
r=vbudhram
 2017-11-10 16:14:26 +00:00
Phil Booth a928f27d22 Merge branch 'train-99' 2017-11-02 14:03:51 +00:00
Phil Booth 686c3ebdb0 fix(tests): add local test coverage for english device locations (#2201), r=@vbudhram 2017-11-02 10:02:38 -04:00
Phil Booth ddb3bc9ebd fix(logging): don't log errors if location is not set (#2200) 2017-11-02 09:08:54 -04:00
Vijay Budhram f3261a6137
fix(emails): add post change email template (#2194), r=@philbooth 2017-11-01 10:48:29 -04:00
Vijay Budhram e6da576b47
fix(links): use a custom url when verifying primary email (#2196), r=@vladikoff 2017-11-01 10:30:42 -04:00
Phil Booth 563851faf9
feat(tokens): add city and stateCode to sessionTokens 
https://github.com/mozilla/fxa-auth-server/pull/2180
r=vbudhram
 2017-10-31 21:11:01 +00:00
Phil Booth a86ee5a4c2 Merge branch 'train-98' 2017-10-30 14:00:02 +00:00
Vijay Budhram a5c41058f4
chore(logo): add new logo to email templates (#2190), r=@philbooth 2017-10-30 09:38:35 -04:00
Phil Booth b18079f9a0 feat(devices): translate location in devices and sessions response 
https://github.com/mozilla/fxa-auth-server/pull/2188
r=vbudhram
 2017-10-27 16:21:55 +01:00
Vijay Budhram dd68d88a9e feat(session): Add email templates (#2184), r=@philbooth 2017-10-26 10:53:04 -04:00
Phil Booth b55bfb0eaa feat(metrics): add newsletter_state property to amplitude events 
https://github.com/mozilla/fxa-auth-server/pull/2183
r=vbudhram
 2017-10-23 18:43:50 +01:00
Phil Booth b498fbd941 feat(devices): return approximateLastAccessTime for old devices 
https://github.com/mozilla/fxa-auth-server/pull/2182
r=shane-tomlinson
 2017-10-23 12:34:39 +01:00
Shane Tomlinson 2e6fcd66e8 feat(sms): Enable SMS in Austria, Germany. (#2179) r=@philbooth 
fixes #2177
 2017-10-19 14:55:25 +01:00
Shane Tomlinson e7dd869e40 Merge pull request #2178 from mozilla/issue-2176-formatted-phone-number r=@philbooth 
formattedPhoneNumber is used by the content server to display the
telephone number the SMS was sent to, formatted for the user's country.

fixes #2176
 2017-10-19 11:23:54 +01:00
Ryan Kelly e8ce38259b fix(devices): Avoid reporting stale last-access times when feature is disabled. (#2144); r=philbooth 2017-10-18 13:18:14 +11:00