feat(oauth): show permission screen for untrusted reliers

[zaach]

I refactored sign up/in to use the account and user models, but still need to get the permission screen working.

cc @shane-tomlinson

[shane-tomlinson]

%(serviceName)s

[vladikoff]

extra comment

[pdehaan]

this.relier.get('privacyUri')?

[shane-tomlinson]

I'm waffling whether this should be on the relier on on the account. I can see it both ways.

Ask the account if the relier needs permission to access its information.
vs
Ask the relier if it needs permission to access the account.

The first makes more sense to me.

[zaach]

I was also considering the broker? Dunno.

[shane-tomlinson]

I totally dig this.

[shane-tomlinson]

YES! I'll be happy to update the PR I showed you to continue with these changes and rip a lot of this account management logic out of the views.

[shane-tomlinson]

Do you want the id to be fxa-permissions-header or something different than confirm?

[shane-tomlinson]

Not a normal submit button like the other templates?

[shane-tomlinson]

Something we may want to put on the relier when the redirectUri is set?

[shane-tomlinson]

We so need an external state machine and to rip this stuff out of the views.

[shane-tomlinson]

I do not see this called anywhere.

[zaach]

Yeah, still WIP

[shane-tomlinson]

console!

[shane-tomlinson]

Looks like an opportune time to re-indent this.

[shane-tomlinson]

Overall, I dig this approach.

I would really like to see us move towards ripping the implicit state machine out of the views and into something self contained and duplicate logic can be reduced.

[shane-tomlinson]

Minor nit, but the intention could probably be easier to understand if it were re-written a bit like:

if (this.isTrusted()) {
  return false;
}
return ! account.hasGrantedPermissions(...

My guess is uglify will combine the two branches into something similar to what you have here.

[shane-tomlinson]

How you pass the account is slightly different to how its done in onSignInUnverified

[shane-tomlinson]

At least the email should be updated to use getElementValue so that leading/trailing whitespace is trimmed.

[shane-tomlinson]

Side note - how have we gotten away with using .val() for so long?

[shane-tomlinson]

Perhaps to avoid duplication with the signin/signup modules, these three functions could be extracted into one ore two mixins (one for sign in, one for sign up? overkill?) that are mixed in where needed?

[shane-tomlinson]

I don't think p is used anywhere in this module.

[pdehaan]

Ooohhh!!! I think i saw a grunt task for this the other day: grunt-amdcheck.

I did a quick test against master with this, grunttasks/amdcheck.js:

module.exports = function (grunt) {
  grunt.config('amdcheck', {
    app: {
      files: [{
        expand: true,
        cwd: 'app/',
        src: [
          '**/*.js',
          '!bower_components/**'
        ],
        dest: 'build/'
      }]
    }
  });
}

And got a lot of weird output, which may point to some unused and unloved requires:

Total unused dependencies: 89 in 64 files.
Total processed files: 251

The output is actually pretty long, so I'll file a separate bug which we can z-never it.

---

UPDATE: Filed as #2392

[zaach]

FTR p is now used.

[shane-tomlinson]

I don't see Constants used anywhere either.

[shane-tomlinson]

As part of this PR, can you update the client-metrics doc?

[shane-tomlinson]

@zaach - can you rebase this?

[shane-tomlinson]

@zaach - this PR is epic! It's looking pretty good, mostly small nits at this point. I have to test it pretty thoroughly, I see you have already added functional tests. Have you tested the screen in mobile to ensure it looks good?

[shane-tomlinson]

A silly question, why Object.create(null) instead of a {}?

[shane-tomlinson]

@zaach - I see the granted permissions are saved, yet when I go back through 321done's signin flow, I am re-asked for the permissions. Expected?

[zaach]

Bah– so currently when a user signs in we create a new account object and store it in localStorage, overwriting the existing data (including saved permissions). We'll have to merge in the old account info before storing it.

[shane-tomlinson]

What if the scopes match the already granted permissions?

[shane-tomlinson]

Can you add a test case for true? I am seeing odd behavior in that I am being re-asked for permissions on 321done after I have already granted permissions. Is that the desired behavior? It feels a bit odd.

[zaach]

Fixed.

[shane-tomlinson]

Less code is a beautiful thing.

[shane-tomlinson]

@zaach - when local testing, I am re-asked for permissions for 321done even though I have granted them. If that is expected, no problem, but it feels odd.

Here is what the screen looks like in both desktop and mobile:

Desktop

Mobile

Maybe tighten up the space between the "Proceed" and "Cancel" buttons? @johngruen and @ryanfeeley?

[shane-tomlinson]

👍

[shane-tomlinson]

Can you add a note here that this is what allows permissions to remain persisted per relier across sign ins? I know my own memory and am afraid I'll forget in 6 months.

[shane-tomlinson]

@zaach - I've been reviewing & testing this PR all morning, it looks really good! Well done!

I have a couple of small changes that I'd like to see that I will probably make myself and then merge:

• auth_brokers->shouldPromptForPermissions doesn't actually use any info from the brokers and feels like it has feature envy of either the relier or the account. I'm going to move this function to the relier.
• update the client events document to specify the full screen name for the events.
• Two additional functional tests: signup->signin - no permissions should be requested. signin->signin - no permissions should be requested.
• A long email address can overflow the container.

For the longer term, I think we should reconsider how we deal with account management when using multiple accounts. For example, if I sign in as user X, then sign in as user Y, then re-sign in as user X, I have to re-grant permissions.

[coveralls]

Coverage increased (+0.04%) to 97.91% when pulling df3bb96 on issue-2346 into b0d96f8 on master.

[shane-tomlinson]

For follow on - make the permissions screen generic. The permissions screen is currently hard coded to display the email permission.

[ryanfeeley]

Man, the more I look at this, the more I think we should have gone with the original design of a read-only email field. Thoughts @shane-tomlinson @zaach? Should I just file a bug?

[shane-tomlinson]

Should I just file a bug?

File it @ryanfeeley!

[zaach]

For example, if I sign in as user X, then sign in as user Y, then re-sign in as user X, I have to re-grant permissions.

Do you mean when the user clicks "Use different account"? In that case, yes, all localStorage is wiped out and you have to re-grant permissions. Our long term solution for this is the full-fledged account chooser screen #1844.

[shane-tomlinson]

Do you mean when the user clicks "Use different account"? In that case, yes, all localStorage is wiped out and you have to re-grant permissions. Our long term solution for this is the full-fledged account chooser screen #1844.

Yeah, the same also happens if an OAuth relier sends a user to signin with an email query parameter other than the currently signed in user.

[zaach]

Hmm, in that case we show the email form field but the cached credentials should still be intact. The only place I see where we clear cached credentials is here: https://github.com/mozilla/fxa-content-server/blob/master/app/scripts/views/sign_in.js#L208

[ryanfeeley]

Progress so far (showing editable Full name field for demo purposes only)
Button should not be blue (as full name cannot be empty in this example)

[ryanfeeley]

Latest @zaach @vladikoff @johngruen @pdehaan @jrgm

[vladikoff]

@ryanfeeley new bug #2423