Permalink
Browse files

feat(server): reject assertions if fxa-tokenVerified is false

  • Loading branch information...
1 parent 8b8263a commit e1c6f2a3c5bae53998bcd18db253691a90817421 @philbooth philbooth committed May 13, 2016
Showing with 29 additions and 0 deletions.
  1. +20 −0 tokenserver/tests/test_service.py
  2. +9 −0 tokenserver/views.py
@@ -163,6 +163,26 @@ def test_unauthorized_error_status(self):
with self.assertRaises(ValueError):
res = self.app.get('/1.0/sync/1.1', headers=headers)
+ def test_unverified_token(self):
+ headers = {'Authorization': 'BrowserID %s' % self._getassertion()}
+ # Assertion should not be rejected if fxa-tokenVerified is unset
+ mock_response = {
+ "status": "okay",
+ "email": "test@mozilla.com",
+ "idpClaims": {}
+ }
+ with self.mock_verifier(response=mock_response):
+ self.app.get("/1.0/sync/1.1", headers=headers, status=200)
+ # Assertion should not be rejected if fxa-tokenVerified is True
+ mock_response['idpClaims']['fxa-tokenVerified'] = True
+ with self.mock_verifier(response=mock_response):
+ self.app.get("/1.0/sync/1.1", headers=headers, status=200)
+ # Assertion should be rejected if fxa-tokenVerified is False
+ mock_response['idpClaims']['fxa-tokenVerified'] = False
+ with self.mock_verifier(response=mock_response):
+ res = self.app.get("/1.0/sync/1.1", headers=headers, status=401)
+ self.assertEqual(res.json['status'], 'invalid-credentials')
+
def test_generation_number_change(self):
headers = {"Authorization": "BrowserID %s" % self._getassertion()}
# Start with no generation number.
@@ -96,6 +96,15 @@ def valid_assertion(request):
raise _unauthorized("invalid-timestamp")
raise _unauthorized("invalid-credentials")
+ # FxA sign-in confirmation introduced the notion of unverified tokens.
+ # The default value is True to preserve backwards compatibility.
+ try:
+ tokenVerified = assertion['idpClaims']['fxa-tokenVerified']
+ except KeyError:
+ tokenVerified = True
+ if not tokenVerified:
+ raise _unauthorized("invalid-credentials")
+
# everything sounds good, add the assertion to the list of validated fields
# and continue
request.metrics['token.assertion.verify_success'] = 1

0 comments on commit e1c6f2a

Please sign in to comment.