#11898

pending completion

Build # #11898

Build Type

push

circleci

Committed by

web-flow

Commit Message

Merge pull request #2770 from mozilla/license

Add license headers in source files

Run Details

282 of 1138 branches covered (24.78%)

Branch coverage included in aggregate %.

959 of 3049 relevant lines covered (31.45%)

2.55 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/src/controllers/auth.js

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import { URL } from 'url'
import { randomBytes } from 'crypto'

import AppConstants from '../app-constants.js'
import { getSubscriberByEmail, updateFxAData, removeFxAData } from '../db/tables/subscribers.js'
import { addSubscriber } from '../db/tables/email_addresses.js'
// import { sendEmail, getEmailCtaHref, getUnsubscribeUrl } from '../email-utils'
import { getProfileData, FxAOAuthClient } from '../utils/fxa.js'
// import { getBreachesForEmail } from '../utils/hibp.js'
import { fluentError } from '../utils/fluent.js'
import mozlog from '../utils/log.js'
const { SERVER_URL } = AppConstants

const log = mozlog('controllers.auth')

function init (req, res, next, client = FxAOAuthClient) {
  // Set a random state string in a cookie so that we can verify
  // the user when they're redirected back to us after auth.
  const state = randomBytes(40).toString('hex')
  req.session.state = state
  const url = new URL(client.code.getUri({ state }))
  const fxaParams = new URL(req.url, SERVER_URL)

  req.session.utmContents = {}
  url.searchParams.append('prompt', 'login')
  url.searchParams.append('max_age', 0)
  url.searchParams.append('access_type', 'offline')
  url.searchParams.append('action', 'email')

  for (const param of fxaParams.searchParams.keys()) {
    url.searchParams.append(param, fxaParams.searchParams.get(param))
  }

  res.redirect(url)
}

async function confirmed (req, res, next, client = FxAOAuthClient) {
  if (!req.session.state) {
    log.error('oauth-invalid-session', 'req.session.state missing')
    throw fluentError('oauth-invalid-session')
  }

  if (req.session.state !== req.query.state) {
    log.error('oauth-invalid-session', 'req.session does not match req.query')
    throw fluentError('oauth-invalid-session')
  }

  const fxaUser = await client.code.getToken(req.originalUrl, { state: req.session.state })
  // Clear the session.state to clean up and avoid any replays
  req.session.state = null
  log.debug('fxa-confirmed-fxaUser', fxaUser)
  const fxaProfileData = await getProfileData(fxaUser.accessToken)
  log.debug('fxa-confirmed-profile-data', fxaProfileData)
  const email = JSON.parse(fxaProfileData).email

  const existingUser = await getSubscriberByEmail(email)
  req.session.user = existingUser

  const returnURL = new URL('user/breaches', SERVER_URL)
  const originalURL = new URL(req.originalUrl, SERVER_URL)

  for (const [key, value] of originalURL.searchParams.entries()) {
    if (key.startsWith('utm_')) returnURL.searchParams.append(key, value)
  }

  // Check if user is signing up or signing in,
  // then add new users to db and send email.
  if (!existingUser) {
    // req.session.newUser determines whether or not we show "fxa_new_user_bar" in template
    req.session.newUser = true
    const signupLanguage = req.locale
    const verifiedSubscriber = await addSubscriber(email, signupLanguage, fxaUser.accessToken, fxaUser.refreshToken, fxaProfileData)

    // TODO:
    // duping some of user/verify for now
    // let unsafeBreachesForEmail = []

    // unsafeBreachesForEmail = await getBreachesForEmail(
    //   sha1(email),
    //   req.app.locals.breaches,
    //   true
    // )

    // const utmID = 'report'
    // const reportSubject = unsafeBreachesForEmail.length ? req.fluentFormat('email-subject-found-breaches') : req.fluentFormat('email-subject-no-breaches')

    // await sendEmail(
    //   email,
    //   reportSubject,
    //   'email-2022',
    //   {
    //     supportedLocales: req.supportedLocales,
    //     breachedEmail: email,
    //     recipientEmail: email,
    //     date: req.fluentFormat(new Date()),
    //     unsafeBreachesForEmail,
    //     ctaHref: getEmailCtaHref(utmID, 'dashboard-cta'),
    //     utmCampaign: utmID,
    //     unsubscribeUrl: getUnsubscribeUrl(verifiedSubscriber, utmID),
    //     whichPartial: 'email_partials/report',
    //     heading: req.fluentFormat('email-breach-summary')
    //   }
    // )
    req.session.user = verifiedSubscriber

    return res.redirect(returnURL.pathname + returnURL.search)
  }
  // Update existing user's FxA data
  await updateFxAData(existingUser, fxaUser.accessToken, fxaUser.refreshToken, fxaProfileData)

  res.redirect(returnURL.pathname + returnURL.search)
}

/**
 * Controller to trigger a logout for user
 * @param {object} req contains session.user
 * @param {object} res redirects to homepage
 */
async function logout (req, res) {
  const subscriber = req.session?.user
  log.info('logout', subscriber?.primary_email)

  // delete oauth session info in database
  await removeFxAData(subscriber)

  // clear session cache
  req.session.destroy(s => {
    delete req.session
    res.redirect('/')
  })
}

export { init, confirmed, logout }

1	/* This Source Code Form is subject to the terms of the Mozilla Public
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5	import { URL } from 'url'
6	import { randomBytes } from 'crypto'
7
8	import AppConstants from '../app-constants.js'
9	import { getSubscriberByEmail, updateFxAData, removeFxAData } from '../db/tables/subscribers.js'
10	import { addSubscriber } from '../db/tables/email_addresses.js'
11	// import { sendEmail, getEmailCtaHref, getUnsubscribeUrl } from '../email-utils'
12	import { getProfileData, FxAOAuthClient } from '../utils/fxa.js'
13	// import { getBreachesForEmail } from '../utils/hibp.js'
14	import { fluentError } from '../utils/fluent.js'
15	import mozlog from '../utils/log.js'
16	const { SERVER_URL } = AppConstants	×
17
18	const log = mozlog('controllers.auth')	×
19
20	function init (req, res, next, client = FxAOAuthClient) {	×
21	// Set a random state string in a cookie so that we can verify
22	// the user when they're redirected back to us after auth.
23	const state = randomBytes(40).toString('hex')	×
24	req.session.state = state	×
25	const url = new URL(client.code.getUri({ state }))	×
26	const fxaParams = new URL(req.url, SERVER_URL)	×
27
28	req.session.utmContents = {}	×
29	url.searchParams.append('prompt', 'login')	×
30	url.searchParams.append('max_age', 0)	×
31	url.searchParams.append('access_type', 'offline')	×
32	url.searchParams.append('action', 'email')	×
33
34	for (const param of fxaParams.searchParams.keys()) {	×
35	url.searchParams.append(param, fxaParams.searchParams.get(param))	×
36	}
37
38	res.redirect(url)	×
39	}
40
41	async function confirmed (req, res, next, client = FxAOAuthClient) {	×
42	if (!req.session.state) {	×
43	log.error('oauth-invalid-session', 'req.session.state missing')	×
44	throw fluentError('oauth-invalid-session')	×
45	}
46
47	if (req.session.state !== req.query.state) {	×
48	log.error('oauth-invalid-session', 'req.session does not match req.query')	×
49	throw fluentError('oauth-invalid-session')	×
50	}
51
52	const fxaUser = await client.code.getToken(req.originalUrl, { state: req.session.state })	×
53	// Clear the session.state to clean up and avoid any replays
54	req.session.state = null	×
55	log.debug('fxa-confirmed-fxaUser', fxaUser)	×
56	const fxaProfileData = await getProfileData(fxaUser.accessToken)	×
57	log.debug('fxa-confirmed-profile-data', fxaProfileData)	×
58	const email = JSON.parse(fxaProfileData).email	×
59
60	const existingUser = await getSubscriberByEmail(email)	×
61	req.session.user = existingUser	×
62
63	const returnURL = new URL('user/breaches', SERVER_URL)	×
64	const originalURL = new URL(req.originalUrl, SERVER_URL)	×
65
66	for (const [key, value] of originalURL.searchParams.entries()) {	×
67	if (key.startsWith('utm_')) returnURL.searchParams.append(key, value)	×
68	}
69
70	// Check if user is signing up or signing in,
71	// then add new users to db and send email.
72	if (!existingUser) {	×
73	// req.session.newUser determines whether or not we show "fxa_new_user_bar" in template
74	req.session.newUser = true	×
75	const signupLanguage = req.locale	×
76	const verifiedSubscriber = await addSubscriber(email, signupLanguage, fxaUser.accessToken, fxaUser.refreshToken, fxaProfileData)	×
77
78	// TODO:
79	// duping some of user/verify for now
80	// let unsafeBreachesForEmail = []
81
82	// unsafeBreachesForEmail = await getBreachesForEmail(
83	// sha1(email),
84	// req.app.locals.breaches,
85	// true
86	// )
87
88	// const utmID = 'report'
89	// const reportSubject = unsafeBreachesForEmail.length ? req.fluentFormat('email-subject-found-breaches') : req.fluentFormat('email-subject-no-breaches')
90
91	// await sendEmail(
92	// email,
93	// reportSubject,
94	// 'email-2022',
95	// {
96	// supportedLocales: req.supportedLocales,
97	// breachedEmail: email,
98	// recipientEmail: email,
99	// date: req.fluentFormat(new Date()),
100	// unsafeBreachesForEmail,
101	// ctaHref: getEmailCtaHref(utmID, 'dashboard-cta'),
102	// utmCampaign: utmID,
103	// unsubscribeUrl: getUnsubscribeUrl(verifiedSubscriber, utmID),
104	// whichPartial: 'email_partials/report',
105	// heading: req.fluentFormat('email-breach-summary')
106	// }
107	// )
108	req.session.user = verifiedSubscriber	×
109
110	return res.redirect(returnURL.pathname + returnURL.search)	×
111	}
112	// Update existing user's FxA data
113	await updateFxAData(existingUser, fxaUser.accessToken, fxaUser.refreshToken, fxaProfileData)	×
114
115	res.redirect(returnURL.pathname + returnURL.search)	×
116	}
117
118	/**
119	* Controller to trigger a logout for user
120	* @param {object} req contains session.user
121	* @param {object} res redirects to homepage
122	*/
123	async function logout (req, res) {
124	const subscriber = req.session?.user	×
125	log.info('logout', subscriber?.primary_email)	×
126
127	// delete oauth session info in database
128	await removeFxAData(subscriber)	×
129
130	// clear session cache
131	req.session.destroy(s => {	×
132	delete req.session	×
133	res.redirect('/')	×
134	})
135	}
136
137	export { init, confirmed, logout }

mozilla / blurts-server / #11898

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous