mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1056523 - Ensure sync credentials are reset during reauth flow. r=markh 

This patch addresses a bug in the following scenario:

User has browser 1 connected to sync and open, and resets her password
on browser 2. Eventually the browser detects the need to reauthenticate
the user, and prompts the user. When the user entered her new password,
the browserid_identity module failed to re-derive a new syncKeyBundle
from the new password and happily used the old one. Chaos ensued.

This patch mitigate the problem by calling resetCredentials at the
start of initializeWithCurrentIdentity(), which will clear the
syncKeyBundle, along with other credentials. Previously this
function was only resetting this._shouldHaveSyncKeyBundle.

I also removed a misleading comment about the syncKeyBundle being
cleared when it wasn't.
This commit is contained in:
Chris Karlof 2014-08-27 16:14:58 -07:00
Родитель ac2b2f0c46
Коммит 2a436941d9
1 изменённых файлов: 9 добавлений и 4 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

13
services/sync/modules/browserid_identity.js
Просмотреть файл

@ -188,7 +188,11 @@ this.BrowserIDManager.prototype = {
this._log.error("Could not authenticate: " + err);
});
this._shouldHaveSyncKeyBundle = false;
// initializeWithCurrentIdentity() can be called after the
// identity module was first initialized, e.g., after the
// user completes a force authentication, so we should make
// sure all credentials are reset before proceeding.
this.resetCredentials();
this._authFailureReason = null;
return this._fxaService.getSignedInUser().then(accountData => {
@ -579,9 +583,10 @@ this.BrowserIDManager.prototype = {
// for now assume it is just a transient network related problem.
this._authFailureReason = LOGIN_FAILED_NETWORK_ERROR;
}
// Drop the sync key bundle, but still expect to have one.
// This will arrange for us to be in the right 'currentAuthState'
// such that UI will show the right error.
// this._authFailureReason being set to be non-null in the above if clause
// ensures we are in the correct currentAuthState, and
// this._shouldHaveSyncKeyBundle being true ensures everything that cares knows
// that there is no authentication dance still under way.
this._shouldHaveSyncKeyBundle = true;
Weave.Status.login = this._authFailureReason;
Services.obs.notifyObservers(null, "weave:service:login:error", null);