feat(oauth): 'verification_redirect' option for OAuth reliers #2366
Conversation
| keys: false | ||
| keys: false, | ||
| // always redirect to the rp, useful during email verification signup flow | ||
| always: false |
vladikoff
Apr 30, 2015
Author
Contributor
WIP: need to rename this
WIP: need to rename this
zaach
May 6, 2015
Contributor
Have other alternatives been considered, like making use of redirectTo or allowing the relier to specify an URL other than the redirectURI?
redirectTo is conventionally used by reliers to dynamically change the redirect URL, which we don't support now but haven't ruled out for the future. Let's not conflate that with configuring the UX around redirection.
Have other alternatives been considered, like making use of redirectTo or allowing the relier to specify an URL other than the redirectURI?
redirectTo is conventionally used by reliers to dynamically change the redirect URL, which we don't support now but haven't ruled out for the future. Let's not conflate that with configuring the UX around redirection.
vladikoff
force-pushed the
vladikoff:issue-2343-dead-end
branch
from
5eb857c
to
c3ae53a
| * @param {String} uri | ||
| * @returns {boolean} | ||
| */ | ||
| isHTTP: function (uri) { |
rfk
May 1, 2015
Member
Not sure I have a better naming suggestion, but when I saw the name of this method, I immediately thought "oh, it's checking whether the URL is plain http instead of https".
Not sure I have a better naming suggestion, but when I saw the name of this method, I immediately thought "oh, it's checking whether the URL is plain http instead of https".
vladikoff
May 1, 2015
Author
Contributor
Good note!
Good note!
pdehaan
May 1, 2015
Contributor
isUri()? I'm guessing a uri couldn't be protocol-relative URL, like "//mozilla.com/" (http://www.paulirish.com/2010/the-protocol-relative-url/)?
isUri()? I'm guessing a uri couldn't be protocol-relative URL, like "//mozilla.com/" (http://www.paulirish.com/2010/the-protocol-relative-url/)?
vladikoff
force-pushed the
vladikoff:issue-2343-dead-end
branch
2 times, most recently
from
2e94ef5
to
23850a9
vladikoff
changed the title
| @@ -76,7 +76,7 @@ define([ | |||
| // event handlers before the flow completes. | |||
| var self = this; | |||
| return p().delay(100).then(function () { | |||
| if (self.isOriginalTab()) { | |||
| if (self.isOriginalTab() || account.get('sessionToken') && alwaysRedirect) { | |||
vladikoff
May 1, 2015
Author
Contributor
Any better way to do this, is there anything else we can use instead of sessionToken to signal that this is SAME_BROWSER?
Any better way to do this, is there anything else we can use instead of sessionToken to signal that this is SAME_BROWSER?
shane-tomlinson
May 3, 2015
Member
Passing in alwaysRedirect feels janky and like an implementation detail the view doesn't need to know about. The broker already has access to the relier, so the flag can be fetched by the broker directly from the relier.
Any better way to do this, is there anything else we can use instead of sessionToken to signal that this is SAME_BROWSER?
- We need to know this already in app-start - see
- We have a notion of "verification info models" in https://github.com/mozilla/fxa-content-server/tree/master/app/scripts/models/verification. Logically, knowing whether the user is verifying in the same browser seems like it is "verification info". Maybe we can add a bit onto the verification info models and pass the model in to the broker?
Passing in alwaysRedirect feels janky and like an implementation detail the view doesn't need to know about. The broker already has access to the relier, so the flag can be fetched by the broker directly from the relier.
Any better way to do this, is there anything else we can use instead of sessionToken to signal that this is SAME_BROWSER?
- We need to know this already in app-start - see
- We have a notion of "verification info models" in https://github.com/mozilla/fxa-content-server/tree/master/app/scripts/models/verification. Logically, knowing whether the user is verifying in the same browser seems like it is "verification info". Maybe we can add a bit onto the verification info models and pass the model in to the broker?
shane-tomlinson
changed the title
| keys: false | ||
| keys: false, | ||
| // always redirect to the rp, useful during email verification signup flow | ||
| alwaysRedirect: false |
shane-tomlinson
May 3, 2015
Member
Maybe forceRedirect is more clear? Can you move this closer to redirectTo so there is slight bit more local context?
Maybe forceRedirect is more clear? Can you move this closer to redirectTo so there is slight bit more local context?
shane-tomlinson
May 6, 2015
Member
I have to admit that I'm still a little confused by the name. Does alwaysRedirect mean the user is automatically redirected, or always given the option to redirect? If the second, could it be called allowRedirect or something like that? IIUC, always_redirect is specified by the relier?
Have other alternatives been considered, like making use of redirectTo or allowing the relier to specify an URL other than the redirectURI?
I'm trying to wrap my head around the relier HTTP API and am trying to avoid confusion (because I myself am confused).
I have to admit that I'm still a little confused by the name. Does alwaysRedirect mean the user is automatically redirected, or always given the option to redirect? If the second, could it be called allowRedirect or something like that? IIUC, always_redirect is specified by the relier?
Have other alternatives been considered, like making use of redirectTo or allowing the relier to specify an URL other than the redirectURI?
I'm trying to wrap my head around the relier HTTP API and am trying to avoid confusion (because I myself am confused).
| @@ -12,12 +12,13 @@ define([ | |||
| 'lib/auth-errors', | |||
| 'lib/validate', | |||
| 'lib/promise', | |||
| 'lib/resume-token', | |||
shane-tomlinson
May 3, 2015
Member
It doesn't look like the resume token is actually used anywhere.
It doesn't look like the resume token is actually used anywhere.
| it('detects HTTP and HTTPS properly', function () { | ||
| assert.isFalse(Url.isNavigable('urn:ietf:wg:oauth:2.0:fx:webchannel')); | ||
| assert.isTrue(Url.isNavigable('https://find.firefox.com')); | ||
| assert.isTrue(Url.isNavigable('http://find.firefox.com')); |
shane-tomlinson
May 3, 2015
Member
Can you add a test for telnet:// or ftp:// or something with a protocol:// that is not http/https?
Can you add a test for telnet:// or ftp:// or something with a protocol:// that is not http/https?
vladikoff
May 4, 2015
Author
Contributor
Done.
Done.
| var alwaysRedirect = relier.get('alwaysRedirect'); | ||
|
|
||
| // if this relier wants to always redirect the user then create a link to the service | ||
| if (alwaysRedirect && redirectUri && Url.isNavigable(redirectUri)) { |
shane-tomlinson
May 3, 2015
Member
alwaysRedirect implies that the user would be redirected automatically, is that not the case?
alwaysRedirect implies that the user would be redirected automatically, is that not the case?
vladikoff
May 3, 2015
Author
Contributor
Not the case for the signup flow in a different browser
Not the case for the signup flow in a different browser
| @@ -62,7 +63,7 @@ function (Cocktail, FormView, BaseView, CompleteSignUpTemplate, | |||
| return self.fxaClient.verifyCode(uid, code) | |||
| .then(function () { | |||
| self.logScreenEvent('verification.success'); | |||
| return self.broker.afterCompleteSignUp(self.getAccount()); | |||
| return self.broker.afterCompleteSignUp(self.getAccount(), self.relier.get('alwaysRedirect')); | |||
shane-tomlinson
May 3, 2015
Member
Again, I would not pass in self.relier.get('alwaysRedirect'), but let the broker fetch this value from the relier directly.
Again, I would not pass in self.relier.get('alwaysRedirect'), but let the broker fetch this value from the relier directly.
| assert.isTrue(Url.isNavigable('https://find.firefox.com')); | ||
| assert.isTrue(Url.isNavigable('http://find.firefox.com')); | ||
| assert.isFalse(Url.isNavigable('')); | ||
| assert.isFalse(Url.isNavigable()); |
shane-tomlinson
May 3, 2015
Member
A brief look at the code - it also looks like both the strings http:// and https:// (without any sort of domain name) are considered navigable. I think they should not be.
A brief look at the code - it also looks like both the strings http:// and https:// (without any sort of domain name) are considered navigable. I think they should not be.
| @@ -18,12 +18,14 @@ define([ | |||
| 'lib/strings', | |||
| 'lib/auth-errors', | |||
| 'lib/promise', | |||
| 'lib/url', | |||
| 'lib/resume-token', | |||
shane-tomlinson
May 3, 2015
Member
It doesn't look like ResumeToken is used in this module.
It doesn't look like ResumeToken is used in this module.
|
@vladikoff - can you explain a bit what you are trying to do? I think some context got shoved out of my head between last Thursday and today. |
|
@shane-tomlinson woops I think I forgot to link the bug, see #2343 |
vladikoff
changed the title
|
I have a feeling, though I have not tested, the above behavior will affect account lockout too. |
|
Don't we want the button after a reset? Otherwise it would be another dead end. |
| var showProceedButton = false; | ||
|
|
||
| // if this relier wants to use verification redirect in the same browser then create a link to the service | ||
| if (verificationRedirect === Constants.VERIFICATION_REDIRECT_ALWAYS && |
shane-tomlinson
May 12, 2015
Member
Perhaps to avoid last minute confusion and unexpected behavior for reset password, you should add && this.is('sign_up'). We can iterate on the other cases next train.
Perhaps to avoid last minute confusion and unexpected behavior for reset password, you should add && this.is('sign_up'). We can iterate on the other cases next train.
vladikoff
May 12, 2015
Author
Contributor
We can iterate on the other cases next train.
Agreed.
We can iterate on the other cases next train.
Agreed.
|
The only sad thing is that 123done explodes, but maybe we should fix that and in cases of password reset / account lockout we should be able to "Proceed" |
For sure. I think for this train it's sufficient to enable the feature for sign up verification, and then add the other two flows in the next train when we have more time to work through any hidden goblins. |
|
@vladikoff - can you rebase & limit r+ once addressed! |
vladikoff
force-pushed the
vladikoff:issue-2343-dead-end
branch
3 times, most recently
from
5ae66f7
to
687f79d
|
|
||
| beforeEach: function () { | ||
| email = TestHelpers.createEmail(); | ||
| bouncedEmail = TestHelpers.createEmail(); |
shane-tomlinson
May 13, 2015
Member
nit: this isn't actually used anywhere.
nit: this isn't actually used anywhere.
| beforeEach: function () { | ||
| email = TestHelpers.createEmail(); | ||
| bouncedEmail = TestHelpers.createEmail(); | ||
| user = TestHelpers.emailToUser(email); |
shane-tomlinson
May 13, 2015
Member
nit: nor is this.
nit: nor is this.
| email = TestHelpers.createEmail(); | ||
| bouncedEmail = TestHelpers.createEmail(); | ||
| user = TestHelpers.emailToUser(email); | ||
| fxaClient = new FxaClient(AUTH_SERVER_ROOT, { |
shane-tomlinson
May 13, 2015
Member
same here. ;)
same here. ;)
|
|
||
| // new browser provides a proceed link to the relier | ||
| .findByCssSelector('#proceedButton') | ||
| .click() |
shane-tomlinson
May 13, 2015
Member
nit: indent.
nit: indent.
vladikoff
force-pushed the
vladikoff:issue-2343-dead-end
branch
2 times, most recently
from
31f1000
to
c4acf4f
vladikoff
force-pushed the
vladikoff:issue-2343-dead-end
branch
from
c4acf4f
to
a5fdaee
|
|
feat(oauth): 'verification_redirect' option for OAuth reliers r=shane-tomlinson,zaach
|
ref #2402 |
Fixes #2343