fix(oauth): Ensure we can derive relier keys during the signup flow.

[rfk]

This is a rather brutal approach to ensuring that we can derive oauth relier keys during the signup flow. It persists the keys=true state in the oauth session data, and persists keyFetchToken and unwrapBKey in the account data so that they can be used on the complete_sign_up page.

I'm putting it up here as a proof of concept. We should find a way to do it without persisting the key-fetching material any more than necessary.

Fixes #2384. But not in a way that I'm happy about.

[shane-tomlinson]

Maybe this should be done in persist so this same logic can be used for account unlock and password reset as well?

[rfk]

Makes sense, although IIRC the account is not current passed into persist().

[rfk]

Looking into this, I get the impression that:

• the password reset case should work already, because of the existing cross-tab dance that goes on to coordinate completion of that flow in the original tab
• the account-unlock flow only completes signin on the original tab, not the tab from the email link, and hence should work already.

If I can confirm that this is the case, I think it's better to special-case this to the sign-up flow for now, then deal with a more generalied version when we go to clean it up with e.g. tab-mutex or similar.

[shane-tomlinson]

Maybe this logic should live in a new function "sync" - which could call "load", then perform your logic - that way the semantics of the original function are not changed and we don't break expectations inadvertently, but the intent is clear?

[rfk]

On reflection, "sync" suggests a two-way synchronisation between the session and its backing store. How about "reload"?

[shane-tomlinson]

On reflection, "sync" suggests a two-way synchronisation between the session and its backing store. How about "reload"?

I thought that was the intent, no?

[rfk]

no, this is more about just sucking in any changes that were made to the backing store

[shane-tomlinson]

Ah, then reload makes sense. Carry on.

[shane-tomlinson]

This leaves open a 100ms window where the original tab could see that this.session.oauth exists, then finish the oauth flow, and the verification tab also finishes the oauth flow just afterwards.

I would wrap all of your new logic inside of:

  var self = this;
  return p().delay(100)
    .then(function () {
      self.session.load(); // or sync!
      if (self.session.oauth) {
      ....
         return self.finishOAuthFlow(account);
      }
  });

[rfk]

nice catch

[shane-tomlinson]

you use sync in the docs and reload in the signature.

[rfk]

OK, the latest push is moving a lot closer to something we might actually run with. Most importantly, it's got a bunch of tests! I get a clean run of the mocha tests and of npm run test-functional-oauth, apart from some force_auth tests that seem to be broken on master.

I coped the existing suite of oauth_webchannel tests into a new oauth_webchannel_keys suite and tweaked them to request and check key derivation. This was a bit fiddly because with the change, the original tab will often skip completing the oauth flow. So in e.g. the sign-up-and-verify-in-same-browser test, we have to check for the WebChannel events in the verification page rather than the main browser page.

This ickiness will go away if we move to a cross-tab mutex solution to ensure that the original tab is deterministically chosen as the one to complete the flow. But I've no idea how much work that will turn out to be, and it's nice to have some sort of fix ready in the meantime.

[rfk]

apart from some force_auth tests that seem to be broken on master.

Aha, I did not have mozilla/123done@65ac3b1 in my local dev setup; the whole oauth functional suite is now passing cleaning for me.

[shane-tomlinson]

apart from some force_auth tests that seem to be broken on master.
...
Aha, I did not have mozilla/123done@65ac3b1 in my local dev setup; the whole oauth functional suite is now passing cleaning for me.

We don't check in code if those tests fail. ;)

[shane-tomlinson]

Super nit, can you move this note above the @method

[shane-tomlinson]

Also, can you make a note that this operation is destructive, as in, it'll remove any values currently in Session that are not also in sessionStorage or localStorage?

[shane-tomlinson]

I was thinking about this yesterday. If Session were an actual Backbone model, we wouldn't have to do this unnatural hasOwnProperty stuff because models store their data in its own field. It's a bit moot because I want to get rid of Session, and converting to a model is well out of the scope of this PR.

[shane-tomlinson]

Can this and the next line be combined (in all 4 places) into a descriptively named helper function that reduces the need for the comment, something like if (this.canFinishOAuthFlow()) { or if (! this.hasOAuthFlowFinished()) {

[shane-tomlinson]

You can add a ' between the nt with doesn\'t. It looks funny in the JS, but renders well in HTML.

[rfk]

Heh, yeah I deliberately didn't do that because it looked funny in the JS; will add it.

[shane-tomlinson]

Is the extra work needed for the reset password flow? In the reset password flow, the updated keys are generated once the user enters their new password in the verification page. The verification page can send the keys/web channel message to the browser w/o the original page being involved.

[shane-tomlinson]

So, what I'm asking, if you haven't done so already, can you verify there is a problem w/ reset password before adding the extra logic to have the original tab send the message?

[shane-tomlinson]

never mind, I found my own answer.

[rfk]

For completeness: thanks to the existing session-token-juggling logic between the two tabs here, they were both already capable of finishing the flow with keys. The logic here is just to prevent them both from doing so, and hence triggering an error by trying to use the same keyFetchToken twice.

[shane-tomlinson]

Does this account already have the keyFetchToken and unwrapBKey?

[rfk]

Yes, thanks to wantsKeys() being true and the user already typing their password into that tab. It's the same account that was passed into beforeSignUpConfirmationPoll above.

[rfk]

It's a shame we can't fetch keys until after the account is verified; if that were possible, we could do the key-derivation ahead of time and store just the relier keys in the session, rather than the master unwrapKBey...

[rfk]

@vladikoff this PR adds some more functional tests for the oauth flow with keys, and shuffles the existing tests around a bit. Can you please give it a look over to sanity-check?

[shane-tomlinson]

Thanks for working through this with me @rfk. I give this my r+.
@vladikoff, yer turn!

[vladikoff]

Nit: rename this to avoid confusion with the original openFxaFromRp?

[vladikoff]

Adding keys here doesn't do anything, removing functional tests still pass. Currently we are not parsing the resume token anywhere AFAIK. I'm adding parsing in https://github.com/mozilla/fxa-content-server/pull/2366/files#diff-ca4d7096469c2a76694bb8214760cbaaR104

Not sure if we want to keep this here. Is this just for a the "different browser" flow to know that the relier wanted keys?

[rfk]

After talking this over with @shane-tomlinson, I will just remove it from here.

[vladikoff]

@rfk @shane-tomlinson can we use https://developer.mozilla.org/en-US/docs/Web/Guide/User_experience/Using_the_Page_Visibility_API to reliably finish flow in the active tab?
Should that be part of this PR or leave it for later?

[vladikoff]

https://github.com/dcherman/jquery.pagevisibility

[shane-tomlinson]

https://github.com/dcherman/jquery.pagevisibility

Why'd he have to tie that to jQuery?

[shane-tomlinson]

@rfk @shane-tomlinson can we use https://developer.mozilla.org/en-US/docs/Web/Guide/User_experience/Using_the_Page_Visibility_API to reliably finish flow in the active tab?
Should that be part of this PR or leave it for later?

@vladikoff - at first blush this makes sense, but the preference is for the original tab to finish the flow, if it is still open. @rfk has already started on a PR to make it so.

[vladikoff]

" but the preference is for the original tab" why is that?

[vladikoff]

Why'd he have to tie that to jQuery?

Does not have to be, I saw the brutal example on MDN and looked for a contained solution.

[rfk]

We prefer the original sign-up tab to finish the flow, since it's the one holding the encryption material. It doesn't come into play in this PR, but in a future iteration we want to avoid writing the encryption material to localStorage. In that case, the verification link would have to re-prompt for your password to complete the flow, while the originating tab could do it automatically. Hence the (future-looking) preference for completing in the original tab.

[vladikoff]

Nit: signup, verify same browser with original tab open' ->
signup, verify same browser, in a different tab, with original tab open' ?

[shane-tomlinson]

My fault. @rfk copied my test names from elsewhere.

[vladikoff]

nit: naming, with vs adding a , related to https://github.com/mozilla/fxa-content-server/pull/2385/files#r30045417

[vladikoff]

nit: this maybe needs documentation, original tab closed is actually -> "navigated away somewhere else" (to example.com in this case).

[vladikoff]

The 2 tests above: Is original tab closed vs replace original tab a bit redundant?
@shane-tomlinson thoughts?

[shane-tomlinson]

The 2 tests above: Is original tab closed vs replace original tab a bit redundant?

For this case, possibly, for other cases they are not. For example, with the redirect flow, if the user replaces the tab they signed up in with the verification tab, then the user should be redirected back to the relier automatically. If they verify in a 2nd tab and the original tab has closed, then no automatic redirection.

[rfk]

I'd like to leave it in unless you object strongly, since it might highlight weirdness when we're trying to do "complete in the original tab" in the future.

[vladikoff]

2 tests above, see https://github.com/mozilla/fxa-content-server/pull/2385/files#r30046801

[vladikoff]

All different browser tests, see comment https://github.com/mozilla/fxa-content-server/pull/2385/files#r30043457

[rfk]

Yeah, I guess these "from new browser P.O.V." tests aren't really testing anything. I'm going to remove them here, they're equally well covered by their equivalents in the non-keys webchannel case.

[rfk]

OK, functional tests updated per @vladikoff feedback, and keys removed from the resume token. AFAICT this should be good to land for train-37, and we can continue iterating toward a better solution for train-38.

[rfk]

(But I won't be around to watch it so I'll leave the merge button for someone else...)

[coveralls]

Coverage increased (+0.01%) to 97.93% when pulling fd2fc72 on rfk/relier-keys-signup-flow into a52d6fb on master.