feat(server): add basket proxy server

[zaach]

Hi @shane-tomlinson !

[zaach]

I wasn't quite sure how to test this... Perhaps a mock basket server that we configure the proxy to talk to in dev/test mode.

[coveralls]

Coverage decreased (-0.11%) to 98.25% when pulling 4cbfed3 on issue-2443-basket-proxy into ebc3bee on master.

[shane-tomlinson]

@zaach - this app will need to be able to respond to CORS requests.

[shane-tomlinson]

When token arrives here, it still has Bearer prepended, which causes the OAuth server to reject it.

A simple fix is:

token = token.replace(/^Bearer /, '');

[rfk]

This creds.email property will only exist if the token had profile:email scope. @shane-tomlinson the simplest thing might be to request scope="basket:write profile:email" for the basket token, although when this functionality merges into basket proper that will no longer be necessary.

[rfk]

For basket API compatibility, this needs to be { "newsletters": "comma,separated,list,of,ids" } here and in the client code.

[rfk]

Need to check for body.scope.indexOf("basket:write") >= 0 in the response body here :-)

[rfk]

I had to add a trailing slash to /subscribe/ and /unsubscribe/ when talking to the dev basket server by hand, otherwise it would give me a 405.

[rfk]

Ah, this is probably basket trying to redirect me to the trailing-slash variant, and my HTTP client following it via GET rather than retrying the POST there.

[rfk]

AFAICT basket only accepts form-encded input, not JSON. We could use JSON for our own needs but should support form-encoded here as well.

[shane-tomlinson]

I'm a bit "meh" on supporting form-encoded input if our other services do not. Basket is a bit of an implementation detail, and AFAICT, all our other services only accept JSON input.

[rfk]

Well, hopefully long-term this oauth functionality will live directly in basket rather than in a proxy. In which case we'll be talking directly to basket and limited by whatever input formats it supports.

But yeah, JSON FTW, so let's upstream this: https://bugzilla.mozilla.org/show_bug.cgi?id=1168218

[shane-tomlinson]

@zaach - this is great stuff. I had to make some updates to perform end to end testing, so I opened a PR (#2467) against this PR.

[shane-tomlinson]

ref mozilla/fxa-content-experiments#6

[jrgm]

FYI, neither @pdehaan or myself can do a 'git checkout clean && npm install && npm start' with this branch on osx. It dies on a hard to explain error about loading eventemitter3 when calling require('http-proxy'). Might be due to the stale version of http-proxy@1.2.

[pdehaan]

Yeah, what @jrgm said. But it worked for me after I deleted the npm-shrinkwrap.json and did npm-next i http-proxy@latest -S and then npm start (using node 0.10.38 and npm 2.11.0).

¯_(ツ)_/¯

[rfk]

Per discussion with @jrgm in IRC; the marketing_email.api_url is the publicly-visible URL of this API. For hosting purposes we will want to listen on a localhost port. I suggest making a new basket.proxy_url config option to set the local listen address for this proxy to bind to, and keeping marketing_email.api_url as the public-facing one.

In practice, we'll host with some sort of nginx proxy so the settings might be something like:

• marketing_email.api_url: "https://accounts.firefox.com/basket/news"
• basket.proxy_url: "http://localhost:3034"

@zaach thoughts?

[zaach]

👍 SGTM

[rfk]

IMHO it would be better to explicitly check for "Bearer" and error out if there's some other weirdy auth type in the header, e.g.:

var authz = authHeader..split(/\s+/);
if (authz.length !== 2 || authz[0].toLowerCase() !== "bearer") {
  // error out
}

[rfk]

We should check that we actually got the email back as part of the response; the oauth server will only send it if the token had correct scopes

[rfk]

We need to check body.scopes for the presence of basket:write before allowing this through.

[rfk]

Those notes aside, this is looking really solid!

[jrgm]

Yeah, so this needs to change here and other places where we just pipe through the response. It needs to log errors at minimum, but really should be standard HTTP response code logging for success and failure for every request.

[zaach]

Aye. We should be able to reuse the route logger we have for the main server.

[rfk]

IIUC body.scopes is supposed to come back as an array; if it's a string here then we need to cross-check behaviour with oauth server

[zaach]

Ah, you're right. Fixing.

[shane-tomlinson]

Add error logging.

[shane-tomlinson]

Do we need to ensure scopes exists before calling indexOf?

[shane-tomlinson]

We do, while testing with the null proxy server:

fxa-content-server.CRITICAL: TypeError: Cannot call method 'match' of undefined
    at Request._callback (/Users/stomlinson/development/fxa-content-server/server/bin/basket-proxy-server.js:103:25)
    at Request.self.callback (/Users/stomlinson/development/fxa-content-server/node_modules/request/request.js:123:22)
    at Request.emit (events.js:98:17)
    at Request.<anonymous> (/Users/stomlinson/development/fxa-content-server/node_modules/request/request.js:1047:14)
    at Request.emit (events.js:117:20)
    at IncomingMessage.<anonymous> (/Users/stomlinson/development/fxa-content-server/node_modules/request/request.js:998:12)
    at IncomingMessage.emit (events.js:117:20)
    at _stream_readable.js:943:16
    at process._tickCallback (node.js:419:13)

[shane-tomlinson]

ahha, the oauth server returns scope, not scopes.

[rfk]

ugh, that's unfortunate; its API docs say it should return scopes but the code indeed returns scope.

[shane-tomlinson]

We might as well take the marketing_email section out of this PR and add it to #2452.