revert openid-tool, remove /a/ check in claimed_id

commit fc68e38c9b871e084bc04026afd2eab9bc7b30de 1 parent 22d78db
@seanmonstar seanmonstar authored
Showing with 41 additions and 108 deletions.
  1. +41 −108 server/lib/openid-tool.js
149 server/lib/openid-tool.js
@@ -2,126 +2,59 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-const pinCode = require('./pin_code'),
-config = require('../lib/configuration'),
-YahooStrategy = require('passport-yahoo').Strategy,
-logger = require('./logging').logger,
-oidTool = require('./openid-tool'),
-passport = require('passport'),
-session = require('./session_context'),
-statsd = require('./statsd'),
-util = require('util');
+const email = require('./validation/email');
-const RETURN_PATH = '/auth/yahoo/return';
+function validParams(params) {
+ /* jshint maxcomplexity:15 */
-var
-baseUrl = util.format("https://%s", config.get('issuer')),
-return_url = util.format("%s%s", baseUrl, RETURN_PATH),
-realm = util.format("%s/", baseUrl);
+ // Find all AXSchema email types
+ var emailTypes = [];
-// Register the YahooStrategy with Passport.
-var strategy = new YahooStrategy({
- returnURL: return_url,
- realm: realm,
- stateless: true
- },
- function(identifier, profile, done) {
- return done(null, profile);
+ Object.keys(params).forEach(function (key) {
+ if (params[key] === 'http://axschema.org/contact/email') {
+ emailTypes.push(key);
+ }
});
-passport.use(strategy);
+ // We should only have one potential email type to inspect.
+ if (emailTypes.length !== 1) { return false; }
-exports.init = function(app) {
- app.use(passport.initialize());
- app.use(passport.session());
-};
+ // That type should be under a key formatted 'openid.NAMESPACE.type.TYPENAME'
+ // If the regex matches, it returns [match, NAMESPACE, TYPENAME]
+ var parts = emailTypes[0].match(/^openid\.([^\.]+)\.type\.([^\.]+)$/);
+ if (!parts || parts.length !== 3) { return false; }
-exports.views = function(app) {
- // GET /auth/yahoo/return
- app.get(RETURN_PATH,
- function(req, res, next) {
- // Bug#920301 detect MITM which would have removed email value from
- // the signed components.
- if (! oidTool.validParams(req.query)) {
- statsd.increment('warn.routes.auth.yahoo.return.mitm');
- logger.error('MITM detected');
- throw new Error('email not signed');
- }
- next();
- },
- passport.authenticate('yahoo', { failureRedirect: '/cancel' }),
- function(req, res) {
- // Are we who we said we are?
- var start = new Date(),
- metric = 'routes.auth.yahoo.return',
- match = false;
+ var namespace = parts[1];
+ var typename = parts[2];
- statsd.increment('routes.auth.yahoo.return.get');
+ // The associated value should exist at openid.NAMESPACE.value.TYPENAME.
+ // It should be a valid email address.
+ var emailValuePath = 'openid.' + namespace + '.value.' + typename;
+ if (!email(params[emailValuePath])) { return false; }
- // keep track of emails reported by yahoo for logging in case
- // of failure
- var openid_emails = [];
+ // NAMESPACE must be registered under openid.ns.NAMESPACE
+ var nsPath = 'openid.ns.' + namespace;
- if (req.user && req.user.emails) {
- var rawClaimedEmail = session.getClaimedEmail(req) || "";
- var claimedEmail = rawClaimedEmail.toLowerCase();
- req.user.emails.forEach(function(email_obj, i) {
+ console.log(nsPath, params[nsPath]);
+ if (params[nsPath] !== 'http://openid.net/srv/ax/1.0') { return false; }
- // add the email to the list of all emails reported by
- // yahoo for logging in case of failure
- openid_emails.push(email_obj.value);
+ // The namespace, email type, and email value must all be signed
+ var signed = (params['openid.signed'] || '').split(',');
+ if (signed.indexOf('ns.' + namespace) === -1) { return false; }
+ if (signed.indexOf(namespace + '.value.' + typename) === -1) { return false; }
+ if (signed.indexOf(namespace + '.type.' + typename) === -1) { return false; }
- if (match) { return; }
+ // Lastly, because this is only a Gmail bridge, hardcode the OpenID Endpoint
@lloyd
lloyd added a note

comment is out of date - s/Gmail/Yahoo/

+ var yahooEndpoint = 'https://open.login.yahooapis.com/openid/op/auth';
+ if (params['openid.op_endpoint'] !== yahooEndpoint) { return false; }
+ if (signed.indexOf('op_endpoint') === -1 ) { return false; }
- if (! email_obj.value) {
- statsd.increment('warn.routes.auth.yahoo.return.no_email_value');
- logger.warn("Yahoo should have had list of emails with a value property on each " + email_obj);
- }
- var email = email_obj.value.toLowerCase();
- if (! match) {
- if (email === claimedEmail ||
- pinCode.wasValidated(claimedEmail, req)) {
+ // ...and make sure the Claimed ID is a Yahoo one.
+ var yahooAccountRegex = /^https:\/\/me\.yahoo\.com/;
+ if (!yahooAccountRegex.test(params['openid.claimed_id'])) { return false; }
+ if (signed.indexOf('claimed_id') === -1 ) { return false; }
- if (email === claimedEmail) {
- statsd.increment('routes.auth.yahoo.return.email_matched');
- } else {
- // With a previously PIN verified claimed email,
- // it is okay to treat it like the user's current email
- email = claimedEmail;
- statsd.increment('routes.auth.yahoo.return.emails_linked');
- }
+ return true;
+}
- var redirect_url = session.getBidUrl(baseUrl, req);
- match = true;
-
- session.clearClaimedEmail(req);
- session.clearBidUrl(req);
-
- session.setCurrentUser(req, email);
- res.redirect(redirect_url);
- statsd.timing(metric, new Date() - start);
- return;
- }
- }
- }); //forEach emails
- } else {
- logger.warn("Yahoo should have had user and user.emails" + req.user);
- statsd.increment('warn.routes.auth.yahoo.return.no_emails');
- res.redirect(session.getErrorUrl(baseUrl, req));
- statsd.timing(metric, new Date() - start);
- }
-
- if (!match) {
- statsd.increment('warn.routes.auth.yahoo.return.no_emails_matched');
- logger.error('No email matched...');
- // We store these wrong email addresses (okay address... Yahoo only returns
- // one) under "mismatchedEmail". We will use this later to either:
- // * Inform the user there is an auth error a@yahoo.com versus b@yahoo.com
- // * Let the user do email verification loop for a@yahoo.com
- session.setMismatchEmail(openid_emails.join(", "), req);
- res.redirect(session.getMismatchUrl(baseUrl, req));
- statsd.timing(metric, new Date() - start);
- }
-
- });
-};
+exports.validParams = validParams;
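Review bot: The claimed-id check on the `var yahooAccountRegex = /^https:\/\/me\.yahoo\.com/;` line anchors only the start of the string, so an `openid.claimed_id` whose host merely begins with `me.yahoo.com` (any longer hostname sharing that prefix) still passes, and with the `/a/` path segment dropped by this commit nothing else bounds the host. Requiring the path separator right after the host restores the boundary: `var yahooAccountRegex = /^https:\/\/me\.yahoo\.com\//;`. Separately, `console.log(nsPath, params[nsPath]);` looks like leftover debugging — it writes request parameters to stdout and, since the new side only requires `./validation/email`, bypasses the `logger` the removed code used; it should be dropped before merge.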
@lloyd

comment is out of date - s/Gmail/Yahoo/
