refactor(headers): remove HPKP headers

Fixes #2744

config/index.js

@@ -736,44 +736,6 @@ var conf = convict({
       env: 'SIGNIN_UNBLOCK_FORCED_EMAILS'
     }
   },
-  hpkpConfig: {
-    enabled: {
-      default: false,
-      doc: 'Feature flag for appending HPKP headers',
-      format: Boolean,
-      env: 'HPKP_ENABLE'
-    },
-    reportOnly: {
-      default: true,
-      doc: 'Enable report only mode',
-      format: Boolean,
-      env: 'HPKP_REPORT_ONLY'
-    },
-    reportUri: {
-      default: '',
-      doc: 'Enable report only mode',
-      format: String,
-      env: 'HPKP_REPORT_URI'
-    },
-    includeSubDomains: {
-      default: true,
-      doc: 'Include Sub-Domains',
-      format: Boolean,
-      env: 'HPKP_INCLUDE_SUBDOMAINS'
-    },
-    maxAge: {
-      default: 1,
-      doc: 'Max age for HPKP headers (seconds)',
-      format: Number,
-      env: 'HPKP_MAX_AGE'
-    },
-    sha256s: {
-      default: [],
-      doc: 'Supported pin-sha256s',
-      format: Array,
-      env: 'HPKP_PIN_SHA256'
-    }
-  },
   push: {
     allowedServerRegex: {
       doc: 'RegExp that validates the URI format of the Push Server',

fxa-oauth-server/lib/config.js

@@ -150,44 +150,6 @@ const conf = convict({
       default: ''
     }
   },
-  hpkpConfig: {
-    enabled: {
-      default: false,
-      doc: 'Feature flag for appending HPKP headers',
-      format: Boolean,
-      env: 'HPKP_ENABLE'
-    },
-    reportOnly: {
-      default: true,
-      doc: 'Enable report only mode',
-      format: Boolean,
-      env: 'HPKP_REPORT_ONLY'
-    },
-    reportUri: {
-      default: '',
-      doc: 'Enable report only mode',
-      format: String,
-      env: 'HPKP_REPORT_URI'
-    },
-    includeSubDomains: {
-      default: true,
-      doc: 'Include Sub-Domains',
-      format: Boolean,
-      env: 'HPKP_INCLUDE_SUBDOMAINS'
-    },
-    maxAge: {
-      default: 1,
-      doc: 'Max age for HPKP headers (seconds)',
-      format: Number,
-      env: 'HPKP_MAX_AGE'
-    },
-    sha256s: {
-      default: [],
-      doc: 'Supported pin-sha256s',
-      format: Array,
-      env: 'HPKP_PIN_SHA256'
-    }
-  },
   localRedirects: {
     doc: 'When true, `localhost` and `127.0.0.1` always are legal redirects.',
     default: false,

fxa-oauth-server/lib/server/index.js

@@ -29,27 +29,6 @@ exports.create = async function createServer() {
   server.auth.scheme(authBearer.AUTH_SCHEME, authBearer.strategy);
   server.auth.strategy(authBearer.AUTH_STRATEGY, authBearer.AUTH_SCHEME);
 
-  if (config.hpkpConfig && config.hpkpConfig.enabled) {
-    var hpkpOptions = {
-      maxAge: config.hpkpConfig.maxAge,
-      sha256s: config.hpkpConfig.sha256s,
-      includeSubdomains: config.hpkpConfig.includeSubDomains
-    };
-
-    if (config.hpkpConfig.reportUri){
-      hpkpOptions.reportUri = config.hpkpConfig.reportUri;
-    }
-
-    if (config.hpkpConfig.reportOnly){
-      hpkpOptions.reportOnly = config.hpkpConfig.reportOnly;
-    }
-
-    await server.register({
-      plugin: require('hapi-hpkp'),
-      options: hpkpOptions
-    });
-  }
-
   var routes = require('../routing').routes;
   if (isProd) {
     logger.info('prod', 'Disabling response schema validation');

fxa-oauth-server/lib/server/internal.js

@@ -24,27 +24,6 @@ exports.create = async function createServer() {
   server.auth.scheme(auth.AUTH_SCHEME, auth.strategy);
   server.auth.strategy(auth.AUTH_STRATEGY, auth.AUTH_SCHEME);
 
-  if (config.hpkpConfig && config.hpkpConfig.enabled) {
-    var hpkpOptions = {
-      maxAge: config.hpkpConfig.maxAge,
-      sha256s: config.hpkpConfig.sha256s,
-      includeSubdomains: config.hpkpConfig.includeSubDomains
-    };
-
-    if (config.hpkpConfig.reportUri){
-      hpkpOptions.reportUri = config.hpkpConfig.reportUri;
-    }
-
-    if (config.hpkpConfig.reportOnly){
-      hpkpOptions.reportOnly = config.hpkpConfig.reportOnly;
-    }
-
-    await server.register({
-      plugin: require('hapi-hpkp'),
-      options: hpkpOptions
-    });
-  }
-
   var routes = require('../routing').clients;
   if (isProd) {
     logger.info('prod', 'Disabling response schema validation');

fxa-oauth-server/package.json

@@ -32,7 +32,6 @@
     "fxa-notifier-aws": "1.0.0",
     "fxa-shared": "1.0.13",
     "hapi": "17.6.0",
-    "hapi-hpkp": "2.0.0",
     "joi": "14.0.0",
     "keypair": "1.0.1",
     "mozlog": "2.2.0",

lib/server.js

@@ -281,29 +281,6 @@ async function create (log, error, config, routes, db, translator) {
     }
   }
 
-  //register hpkp
-  if (config.hpkpConfig && config.hpkpConfig.enabled) {
-    var hpkpOptions = {
-      maxAge: config.hpkpConfig.maxAge,
-      sha256s: config.hpkpConfig.sha256s,
-      includeSubdomains: config.hpkpConfig.includeSubDomains
-    }
-
-    if (config.hpkpConfig.reportUri){
-      hpkpOptions.reportUri = config.hpkpConfig.reportUri
-    }
-
-    if (config.hpkpConfig.reportOnly){
-      hpkpOptions.reportOnly = config.hpkpConfig.reportOnly
-    }
-
-    await server.register({
-      plugin: require('hapi-hpkp'),
-      options: hpkpOptions
-    })
-
-  }
-
   await server.register(require('hapi-auth-hawk'))
 
   server.auth.strategy(

package.json

@@ -57,7 +57,6 @@
     "hapi-auth-hawk": "4.0.0",
     "hapi-error": "1.8.0",
     "hapi-fxa-oauth": "3.0.0",
-    "hapi-hpkp": "2.0.0",
     "hkdf": "0.0.2",
     "i18n-abide": "0.0.26",
     "jed": "0.5.4",

test/local/server.js

@@ -519,9 +519,6 @@ function getConfig () {
       port: 9000
     },
     useHttps: false,
-    hpkpConfig: {
-      enabled: false
-    },
     oauth: {
       clientIds: {},
       url: 'http://localhost:9010',