• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

mozilla / blurts-server / 34cde2c5-46cb-4312-850d-fcea45fa1c76

pending completion
34cde2c5-46cb-4312-850d-fcea45fa1c76

Pull #2959

circleci

Vincent
fixup! Pretend HTMLElement.shadowRoot is always set
Pull Request #2959: Add type checking for a couple of files

282 of 1619 branches covered (17.42%)

Branch coverage included in aggregate %.

31 of 31 new or added lines in 6 files covered. (100.0%)

959 of 4333 relevant lines covered (22.13%)

3.69 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0
/src/controllers/auth.js
1
/* This Source Code Form is subject to the terms of the Mozilla Public
2
 * License, v. 2.0. If a copy of the MPL was not distributed with this
3
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4

5
import { URL } from 'url'
6
import { randomBytes } from 'crypto'
7

8
import AppConstants from '../app-constants.js'
9
import {
10
  getSubscriberByEmail,
11
  removeFxAData,
12
  updateFxAData
13
} from '../db/tables/subscribers.js'
14
import { addSubscriber } from '../db/tables/email_addresses.js'
15

16
import { getTemplate } from '../views/emails/email-2022.js'
17
import {
18
  signupReportEmailPartial
19
} from '../views/emails/email-signup-report.js'
20

21
import { getBreachesForEmail } from '../utils/hibp.js'
22
import { getMessage } from '../utils/fluent.js'
23
import { getProfileData, FxAOAuthClient, getSha1 } from '../utils/fxa.js'
24
import { getEmailCtaHref, sendEmail } from '../utils/email.js'
25
import { UnauthorizedError } from '../utils/error.js'
26
import mozlog from '../utils/log.js'
27

28
const { SERVER_URL } = AppConstants
×
29

30
const log = mozlog('controllers.auth')
×
31

32
function init (req, res, next, client = FxAOAuthClient) {
×
33
  // Set a random state string in a cookie so that we can verify
34
  // the user when they're redirected back to us after auth.
35
  const state = randomBytes(40).toString('hex')
×
36
  req.session.state = state
×
37
  const url = new URL(client.code.getUri({ state }))
×
38
  const fxaParams = new URL(req.url, SERVER_URL)
×
39

40
  req.session.utmContents = {}
×
41
  url.searchParams.append('prompt', 'login')
×
42
  url.searchParams.append('max_age', 0)
×
43
  url.searchParams.append('access_type', 'offline')
×
44
  url.searchParams.append('action', 'email')
×
45

46
  for (const param of fxaParams.searchParams.keys()) {
×
47
    url.searchParams.append(param, fxaParams.searchParams.get(param))
×
48
  }
49

50
  res.redirect(url)
×
51
}
52

53
async function confirmed (req, res, next, client = FxAOAuthClient) {
×
54
  if (!req.session.state) {
×
55
    log.error('oauth-invalid-session', 'req.session.state missing')
×
56
    throw new UnauthorizedError(getMessage('oauth-invalid-session'))
×
57
  }
58

59
  if (req.session.state !== req.query.state) {
×
60
    log.error('oauth-invalid-session', 'req.session does not match req.query')
×
61
    throw new UnauthorizedError(getMessage('oauth-invalid-session'))
×
62
  }
63

64
  const fxaUser = await client.code.getToken(req.originalUrl, {
×
65
    state: req.session.state
66
  })
67
  // Clear the session.state to clean up and avoid any replays
68
  req.session.state = null
×
69
  log.debug('fxa-confirmed-fxaUser', fxaUser)
×
70
  const fxaProfileData = await getProfileData(fxaUser.accessToken)
×
71
  log.debug('fxa-confirmed-profile-data', fxaProfileData)
×
72
  const email = JSON.parse(fxaProfileData).email
×
73

74
  const existingUser = await getSubscriberByEmail(email)
×
75
  req.session.user = existingUser
×
76

77
  const returnURL = new URL('user/breaches', SERVER_URL)
×
78
  const originalURL = new URL(req.originalUrl, SERVER_URL)
×
79

80
  for (const [key, value] of originalURL.searchParams.entries()) {
×
81
    if (key.startsWith('utm_')) returnURL.searchParams.append(key, value)
×
82
  }
83

84
  // Check if user is signing up or signing in,
85
  // then add new users to db and send email.
86
  if (!existingUser) {
×
87
    // req.session.newUser determines whether or not we show `fxa_new_user_bar`
88
    // in template
89
    req.session.newUser = true
×
90
    const signupLanguage = req.locale
×
91
    const verifiedSubscriber = await addSubscriber(
×
92
      email,
93
      signupLanguage,
94
      fxaUser.accessToken,
95
      fxaUser.refreshToken,
96
      fxaProfileData
97
    )
98

99
    // Get breaches for email the user signed-up with
100
    const allBreaches = req.app.locals.breaches
×
101
    const unsafeBreachesForEmail = await getBreachesForEmail(
×
102
      getSha1(email),
103
      allBreaches,
104
      true
105
    )
106

107
    // Send report email
108
    const utmCampaignId = 'report'
×
109
    const subject = unsafeBreachesForEmail?.length
×
110
      ? getMessage('email-subject-found-breaches')
111
      : getMessage('email-subject-no-breaches')
112

113
    const data = {
×
114
      breachedEmail: email,
115
      ctaHref: getEmailCtaHref(utmCampaignId, 'dashboard-cta'),
116
      heading: getMessage('email-breach-summary'),
117
      recipientEmail: email,
118
      subscriberId: verifiedSubscriber,
119
      unsafeBreachesForEmail,
120
      utmCampaign: utmCampaignId
121
    }
122
    const emailTemplate = getTemplate(data, signupReportEmailPartial)
×
123

124
    await sendEmail(data.recipientEmail, subject, emailTemplate)
×
125

126
    req.session.user = verifiedSubscriber
×
127

128
    return res.redirect(returnURL.pathname + returnURL.search)
×
129
  }
130
  // Update existing user's FxA data
131
  const { accessToken, refreshToken } = fxaUser
×
132
  await updateFxAData(existingUser, accessToken, refreshToken, fxaProfileData)
×
133

134
  res.redirect(returnURL.pathname + returnURL.search)
×
135
}
136

137
/**
138
 * Controller to trigger a logout for user
139
 *
140
 * @param {object} req Contains session.user
141
 * @param {object} res Redirects to homepage
142
 */
143
async function logout (req, res) {
144
  const subscriber = req.session?.user
×
145
  log.info('logout', subscriber?.primary_email)
×
146

147
  // delete oauth session info in database
148
  await removeFxAData(subscriber)
×
149

150
  // clear session cache
151
  req.session.destroy(s => {
×
152
    delete req.session
×
153
    res.redirect('/')
×
154
  })
155
}
156

157
export { init, confirmed, logout }
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2025 Coveralls, Inc