8f85f173e6
lockdown passwordStretching parameters
2013-12-10 13:33:14 -08:00
98ac38359f
Fix failing test for email-formatting
2013-12-10 16:35:16 +11:00
a4b155b0bb
Hex-encode the uid for inclusion in browserid certificate.
2013-12-10 16:25:08 +11:00
c66352b8ec
Merge pull request #386 from chilts/fix-mysql-ping
...
Release the connection when pinging the database
2013-12-09 14:51:11 -08:00
4334b80aeb
Release the connection when pinging the database
2013-12-10 11:46:09 +13:00
4543823d0b
camelCase all the config options
2013-12-09 12:26:41 -08:00
fe82e1f098
First, rough attempt at internationalization of emails.
2013-12-09 12:53:24 +11:00
7bbcae4176
added mail_helper.js for local email testing
2013-12-07 15:56:11 -08:00
a35c94c54a
Use MySql pool, transactions and more promises
2013-12-06 18:07:09 +13:00
82b943c37d
Merge pull request #370 from dannycoates/emailz
...
added preVerified option to /account/create
2013-12-04 15:59:31 -08:00
45d557cf2f
added preVerified option to /account/create in non-production environments
2013-12-04 14:12:30 -08:00
6efbc680ab
adding copyright, removing dead code
2013-12-03 16:43:47 -08:00
11006027de
Refactor test helpers into a promisified 'test' function.
2013-12-03 17:47:54 +11:00
3540bd9511
Experiment with some "test+promise helpers" to avoid uncaught errors.
2013-12-03 16:50:33 +11:00
82d3978601
Merge pull request #362 from mozilla/rfk/timestamp-header
...
Add 'Timestamp' header to all successful requests.
2013-12-02 14:49:56 -08:00
3b1d8543d2
Add 'Timestamp' header to all successful requests.
2013-11-28 14:37:47 +11:00
93c2975f91
tokenid and tokendata are now Buffers internally
2013-11-26 17:46:19 -07:00
6d42b2ae54
kA and wrapKb are now Buffers internally
2013-11-26 13:23:14 -07:00
38df743201
uid is now a Buffer internally
2013-11-26 12:17:48 -07:00
46e895005e
Merge pull request #304 from chilts/issue-260-binary-uid-columns
...
Fixes #260 : Convert UID columns from CHAR(36) to BINARY(16)
2013-11-25 19:35:03 -08:00
25647d57b3
Revert "Unhexlify the email address when embedding it in a certificate."
...
This reverts commit 2d2ce24c94
2013-11-22 15:18:03 -08:00
3490257c23
Revert "added uid to principal in signed key"
...
This reverts commit 91bfb7951a
2013-11-22 15:09:21 -08:00
b4bb14a0e1
removing unused email vars
2013-11-21 16:40:21 -08:00
ec5229c805
Fixing a few JSHint warnings in the /tests
2013-11-21 15:06:19 -08:00
c061d46aa6
twerking the tests a bit and converting tabs to [2] spaces
2013-11-21 14:46:14 -08:00
591af25e72
Auto-verify by default when config.env == "dev".
...
This should fix some test brokenness caused by renaming "local" to "dev" and
making it the default environment.
2013-11-21 15:36:06 +11:00
1e8e183239
Merge pull request #326 from mozilla/rfk/dev-by-default
...
Add a "dev" config.env and make it the default
2013-11-19 14:23:58 -08:00
472f489d1a
fix scrypt test
2013-11-19 14:12:29 -08:00
09a26bd237
Add a "dev" NODE_ENV and make it the default.
2013-11-19 13:46:04 +11:00
2d2ce24c94
Unhexlify the email address when embedding it in a certificate.
2013-11-18 14:48:06 +11:00
0860657c3a
Merge pull request #253 from mozilla/rfk/stale-nonce-checking
...
Enable checks for nonce re-use in hawk lib
2013-11-17 19:09:02 -08:00
a986e7d210
adding missing copyright headers (and excluding third party lib)
2013-11-15 16:35:11 -08:00
d89418a0e3
Basic RedisNonceDB implementation
2013-11-14 17:01:52 +11:00
306a2062dc
Implement basic in-memory nonce database
2013-11-14 16:22:07 +11:00
7eca4ea70a
Fixes #260 : Convert UID columns from CHAR(36) to BINARY(16)
2013-11-14 16:00:24 +13:00
258f35019a
Merge pull request #249 from dannycoates/i249
...
proxy for account/reset
2013-11-13 17:45:07 -08:00
630d0b1fc6
added a /raw_password/password/reset test
2013-11-13 17:06:24 -08:00
85faad769a
Report serverTime in seconds, since that's what Hawk protocol uses.
2013-11-14 10:56:38 +11:00
6226903866
Include `serverTime` field in the "invalid timestamp" response.
2013-11-14 10:48:10 +11:00
8debad2e32
split the /raw_password/account/reset into /raw_password/password/change for changing password and /raw_password/password/reset for forgot password
2013-11-13 15:45:13 -08:00
9c7f0405f6
added /raw_password/account/reset endpoint
2013-11-13 12:39:10 -08:00
91bfb7951a
added uid to principal in signed key
2013-11-12 11:00:21 -08:00
dcce997cac
test for uid and verified in /session/create
2013-11-11 17:34:45 -08:00
b33dead326
extracted test_server from integration_tests etc
2013-11-08 19:06:50 -08:00
d11b892e13
how'd that get there?
2013-11-08 10:48:09 -08:00
3e37ebff22
Add token derivation test vectors to unittest suite.
2013-11-08 10:38:14 -08:00
d9bb63db0d
how'd you like this travis?
2013-11-07 18:53:01 -08:00
760fb94f7e
improved signer worker crash handling
2013-11-07 17:31:44 -08:00
291578dc86
began hardening the /certificate/sign endpoint
2013-11-07 17:27:41 -08:00
6842786362
Simplify mocking of Date.now in forgot_password_token tests.
2013-11-08 09:48:17 +11:00
c9a289e4f4
Make SrpToken more like all the other token classes.
2013-11-08 09:48:17 +11:00
8b3665c8a5
Refactor token classes to reduce duplication, improve API compliance
...
This implements the latest tweaks to the token derivation/encrytion
scheme, and uses the new level of symmetry between operations to support
a substantial refactor and cleanup.
2013-11-08 09:48:17 +11:00
beac54a680
encode email as UTF-8 before key stretching and srp - fixes #274
2013-11-06 09:32:04 -08:00
42da3137e6
fixed broken test after #269
2013-11-05 10:41:19 -08:00
7b4623555f
added a test for expired hawk timestamps
2013-11-01 18:03:26 -07:00
ab8f1a1ee0
Merge pull request #267 from dannycoates/validation
...
test for oversized payloads
2013-11-01 16:34:37 -07:00
7c63ecbbbd
fixed jshint complaints
2013-11-01 14:29:39 -07:00
16f7a265f6
test for oversized payloads
2013-10-31 14:49:53 -07:00
657dfb9feb
made heap symmetric to mysql; db tests use config backend
2013-10-30 10:04:50 -07:00
271131a0c8
Fix error codes thrown by MySQL backend
2013-10-30 16:55:11 +11:00
b4b43986fe
More queries implemented for MySQL backend
2013-10-30 15:18:20 +11:00
a7239242fc
Fleshing out query implementations for the MySQL backend
2013-10-30 14:50:12 +11:00
20b4db620e
start of mysql tests
2013-10-29 17:31:54 -07:00
5c81b13c75
Merge branch 'srp2' into db
...
Conflicts:
bin/key_server.js
db/heap.js
db/mysql.js
package.json
tokens/srp_token.js
2013-10-29 15:13:35 -07:00
224083222e
fixed tests deleted obsolete ones. need moar token tests
2013-10-29 13:48:21 -07:00
4c34103589
Adding copyright headers
2013-10-29 11:56:54 -07:00
a41fe08538
updated to node-srp 0.2.0
2013-10-28 17:20:13 -07:00
f59f012e98
fixed tests deleted obsolete ones. need moar token tests
2013-10-28 11:42:16 -07:00
f0f79c4a2c
Merge pull request #252 from mozilla/rfk/static-views-cleanup
...
Cleanup static IDP-related views, and add some basic tests.
2013-10-28 11:35:18 -07:00
030eaf5626
Cleanup static IDP-related views, and add some basic tests.
2013-10-25 15:48:48 +11:00
5b7c185387
Use application-level Error objects in the Model classes.
...
This avoids introducing boom and hoek as dependencies of the client lib.
2013-10-25 14:15:43 +11:00
5d3eca31dc
Intercept hawk errors, transform into custom format.
2013-10-24 19:42:22 +11:00
9065d192b9
Define latest error codes, change existing code structure to use them.
2013-10-24 19:42:14 +11:00
47028e778c
Merge pull request #242 from mozilla/account_exists_client_api
...
add accountExists to client
2013-10-23 11:14:23 -07:00
768649b62d
we don't need the request library anymore in the integration tests because zach added it to the client api
2013-10-23 11:06:39 -07:00
06ae9dd41d
add raw password apis to client api
2013-10-23 05:22:38 -07:00
e48de28465
add accountExists to client
2013-10-23 03:05:05 -07:00
02a51183c4
naive implementation of /raw_password/account/create
2013-10-22 18:35:19 -07:00
20e376f5a7
naive implementation of /auth/password
2013-10-22 17:03:50 -07:00
0f936854de
add verify reset code to client api
2013-09-25 15:38:50 -07:00
ab33146ef0
Re-enable the test to make sure we can still log in after a reset password
2013-09-20 17:59:34 -07:00
de9893fe50
Changes the verification tests to use freshly created emails for each test and fixes some concurrency bugs in how the tests check for the verification and reset codes. Fixes #188
2013-09-20 16:52:56 -07:00
47480905e0
Merge pull request #186 from mozilla/buffers_n_bits
...
adds sjcl bytes codec and makes agument types more consistent
2013-09-10 18:19:57 -07:00
f8a32dc70b
use https for scrypt helper
2013-09-10 18:14:44 -07:00
749b5665d7
adds sjcl bytes codec and makes agument types more consistent - fixes #179
2013-09-06 17:21:48 -07:00
8379e2146e
Merge pull request #164 from vladikoff/key-stretch-updates
...
Updating methods to use buffers, adding tests, addressing feedback
2013-09-03 14:20:35 -07:00
d87c0465f0
Removed reference to authToken from Account
...
This was a race condition that could prevent
multiple devices from authenticating simultaneously.
AuthTokens are ephemeral and single-use so don't
need to be managed by the Account.
2013-09-03 11:53:27 -07:00
c6a3e3286b
Updating methods to use buffers, adding tests, addressing feedback
2013-08-29 20:50:37 -07:00
4485250121
Enhanced logging experience
2013-08-29 13:56:04 -07:00
bae6d84540
Tweak integration tests so they're more easily run against a live server.
2013-08-29 13:11:46 +10:00
72ef0af149
client keys command should return kB
2013-08-23 15:10:19 -07:00
95b4679de9
adding kB key
2013-08-22 19:07:06 -07:00
6cd9341019
Style consistency cleanup
2013-08-22 09:57:31 -07:00
4ea38ab744
Adding password stretching
2013-08-21 18:05:43 -07:00
2b04c921fc
Merge pull request #146 from zaach/email_templates
...
Email templates
2013-08-21 10:54:16 -07:00
9ca7052471
respond with an error on incorrect verification codes
2013-08-20 17:57:25 -07:00
f9f6b59eaa
Use HTML email templates, proxy the verification page through the bridge
2013-08-20 13:39:23 -07:00
796a7b124b
Added integration tests
...
- /session/destroy
- /recovery_email/resend_code
- /get_random_bytes
2013-08-19 13:16:13 -07:00
6adf730960
fix srp tests, bad mailer function
2013-08-15 17:58:01 -07:00
87e13985a9
changed error responses to include and errno
2013-08-15 16:44:18 -07:00
fc90de79a2
added verification test for bad forgot password flow
...
updated error responses to more closely match api.md
2013-08-15 13:03:00 -07:00
c08b67aa66
implemented client side of forgot password
...
added a verification test of the forgot/reset flow
2013-08-14 14:44:19 -07:00
0dfde2d737
WIP on forgot password tests
2013-08-13 19:51:04 -07:00
effc806557
began implementing /password/forgot
2013-08-13 19:51:04 -07:00
d01cca7594
add high-level login call to client
2013-08-13 19:31:56 -07:00
bef3c216c9
token.key should be a Buffer, but stored as hex
...
token.key is used by Hawk as the HMAC key. If its
a Buffer, it uses those bytes, if its a string Hawk
converts the it to a Buffer with UTF8 encoding. We
want Hawk to use the "raw" bytes. This was discovered
in #114
2013-08-13 10:35:54 -07:00
e32bfa35e5
style fixes, removing tabs
2013-08-12 18:21:45 -07:00
3194bdb61d
print smtp debug in verification_tests
2013-08-12 13:49:38 -07:00
28aab91867
verifier may be less than 256 bytes, test golf
2013-08-12 12:23:46 -07:00
aa26f2fce0
moved test mail server inside verification test
2013-08-12 11:54:19 -07:00
ddb4ac13a4
added email verification tests
2013-08-09 20:10:32 -07:00
a1fce406fb
handle conversion of email to buffer in the client
2013-08-09 14:21:14 -07:00
dcf69ff1cf
added /account/destroy integration test
2013-08-09 11:17:47 -07:00
5d8c98c74a
updated AuthToken behavior for multiple contexts
2013-08-08 14:31:26 -07:00
9109a58eed
encode email as a hex string of UTF-8 bytes
2013-08-07 15:18:36 -07:00
fd45e4a8cb
fixed mysql test timeouts suboptimally. fixes #116
2013-08-07 14:29:31 -07:00
1cecfd5f76
changed recovery_method to recovery_email
2013-08-06 14:59:28 -07:00
e9a35fac94
implemented new /auth/start /session/create
2013-08-06 12:44:45 -07:00
df0ac8e8e9
updated /account/create to next api
2013-08-05 17:48:02 -07:00
f4a2d992b0
use dannycoates/node-srp module
...
This fork uses Buffers for all function input/output and bignum.
I'll be sending a PR to jedp.
2013-08-05 11:36:45 -07:00
4c37a7cecc
work around mysql in Account.del test
2013-07-31 11:54:47 -07:00
16c8178fce
made integration.js slightly less ghetto
2013-07-31 11:26:07 -07:00
a5a9fa731d
many changes to client module, started integration tests
2013-07-31 10:38:21 -07:00
4c83fd4d37
added error.js for custom errors
2013-07-31 10:38:21 -07:00
846be8340a
Added config.dev.verified option
...
Create new accounts in a verified state by setting
config.dev.verified to true with the env variable
DEV_VERIFIED=true
2013-07-29 15:09:38 -07:00
3ce6ff2a45
added more tests and changed verify_code api to not use sessionToken
2013-07-29 12:11:02 -07:00
a7b48ece91
added tests
2013-07-28 22:17:21 -07:00
0a5ef54187
made Account work better
2013-07-26 17:00:09 -07:00
7164bf1c21
reorganize files to hopefully be more sane
2013-07-25 17:15:38 -07:00
acc0ef6f97
enabled saving tokens on an Account
2013-07-24 13:44:00 -07:00
b66ee4d855
changed Account.getById to Account.get
2013-07-24 13:44:00 -07:00
90a29f1c50
reordered api.md + random wip
2013-07-24 13:43:59 -07:00
190d8739b2
began implementing recovery_methods
2013-07-24 13:43:59 -07:00
cce4ab7071
WIP on account reset
2013-07-24 13:43:59 -07:00
69c9c4dcbe
change everything, YOLO
2013-07-24 13:43:59 -07:00
1abe129d01
Fix running of tests against a live server.
...
This requires using a different email address for each test, so that we
can be sure it doesn't already exist. It also requires correct handling
of the "application/json; charset=utf8" content-type which seems to be
generated by the server.
2013-07-24 14:21:43 +10:00
6e22f08e11
use old kA on account reset - fixes #59
2013-07-09 16:59:09 -07:00
b9945e08b6
began implementing reference client
2013-07-09 15:55:39 -07:00
7633604bc1
Began api.md documentation
...
Also changed the responses for /create and /entropy
so that all responses are JSON
2013-07-09 13:41:47 -07:00
1c7ef7b21a
add payload verification for fields expected to be hex strings
2013-07-08 18:35:46 -07:00
f163fa8caa
include salt in encrypted bundle from client on reset
2013-07-08 17:22:22 -07:00
cdfecb1226
hex all the strings. closes #51
2013-07-08 14:09:15 -07:00
dbd3f3d22f
reset account WIP
2013-07-08 10:59:22 -07:00
3e1ed0804d
Merge branch 'housekeeping' of https://github.com/dannycoates/picl-idp into danny-housekeeping
...
Conflicts:
test/integration/account.js
2013-07-03 15:17:42 -07:00
f2779a4907
Added getEntropy endpoint at /entropy
2013-07-04 03:16:22 +05:30
619f835fc7
removed password login and accountToken
...
Also commented out reset tests until resetToken
is implemented, and refactored login tests.
2013-07-03 14:44:50 -07:00
63e9e50f40
added /sign tests with invalid data
...
the payload validation test will fail until hapi is fixed.
see https://github.com/spumko/hapi/pull/949
2013-07-02 18:01:25 -07:00
4a2da1aea6
implemented /sign with hawk credentials
...
uses the signToken to derive the hawk
tokenId and reqHMACkey as specified:
https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#Signing_Certificates
2013-07-02 14:29:42 -07:00
a2c66f97fc
added SRP tests
...
also slightly refactored startLogin and finishLogin
2013-06-26 16:41:26 -07:00
cf7b14855b
Began implementing SRP
2013-06-26 12:01:18 -07:00
e3887aad91
implement utilities to compute hmac/xor keys and encrypt response for getSignToken2
2013-06-24 19:02:26 -07:00
c7abb0c156
use bunyan as the logger, remove 'good'
2013-06-20 11:10:34 -07:00
2519d21984
Implement getResetToken and resetPassword of the idp protocol
2013-05-24 16:00:20 -07:00
5e98adcdf3
added mysql.database to test.json config
2013-05-20 14:10:37 -07:00
0321ff4139
added test keys
2013-05-20 14:09:12 -07:00
318bd677e1
now generates certs from a signToken and public key
2013-05-16 17:13:01 -07:00
5725b6d660
additional failure test cases
2013-05-16 00:32:05 -07:00
8bd07a5e95
Add failure test cases
2013-05-15 17:05:28 -07:00
4d38bdbf51
Implement create, startLogin, and finishLogin sans SRP
2013-05-15 16:52:28 -07:00
820633f1bb
add kvstore library and mysql adapter
2013-05-14 17:06:16 -07:00
d92d1038aa
Skeleton Hapi app
2013-05-13 17:00:22 -07:00
Danny Coates
Ryan Kelly
Andrew Chilton
Peter deHaan
Ryan Kelly
Zachary Carter
Peter deHaan
Chris Karlof
Zach Carter
vladikoff
MrDHat