start session based on marketplace JWT buyer id (bug 1079529)

mozilla · Oct 21, 2014 · 438a839 · 438a839
1 parent 3a2ed7a
commit 438a839
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 4 deletions.
diff --git a/webpay/spa/tests/test_views.py b/webpay/spa/tests/test_views.py
@@ -8,7 +8,7 @@
 from nose.tools import eq_, ok_
 from pyquery import PyQuery as pq
 
-from webpay.provider.tests.test_views import ProviderTestCase
+from webpay.pay.tests import Base
 
 
 @mock.patch.object(settings, 'SPA_ENABLE', True)
@@ -51,3 +51,39 @@ def test_has_bango_logout_url(self):
         eq_(doc('body').attr('data-bango-logout-url'),
             settings.PAY_URLS['bango']['base'] +
             settings.PAY_URLS['bango']['logout'])
+
+
+@test.utils.override_settings(SPA_ENABLE=True, SPA_ENABLE_URLS=True)
+class TestBuyerEmailAuth(Base):
+    @test.utils.override_settings(KEY='marketplace.mozilla.com',
+                                  SECRET='test secret')
+    def test_marketplace_purchase(self):
+        jwt = self.request(
+            iss='marketplace.mozilla.com', app_secret='test secret',
+            extra_req={'productData':
+                       'my_product_id=1234&buyer_email=user@example.com'})
+        res = self.client.get('/mozpay/', {'req': jwt})
+        doc = pq(res.content)
+        eq_(doc('body').attr('data-logged-in-user'), 'user@example.com')
+
+    @test.utils.override_settings(KEY='marketplace.mozilla.com',
+                                  SECRET='test secret')
+    def test_bad_sig(self):
+        jwt = self.request(
+            iss='marketplace.mozilla.com', app_secret='wrong secret',
+            extra_req={'productData':
+                       'my_product_id=1234&buyer_email=user@example.com'})
+        res = self.client.get('/mozpay/', {'req': jwt})
+        doc = pq(res.content)
+        eq_(doc('body').attr('data-logged-in-user'), '')
+
+    @test.utils.override_settings(KEY='marketplace.mozilla.com',
+                                  SECRET='test secret')
+    def test_non_marketplace(self):
+        jwt = self.request(
+            iss='example.com', app_secret='test secret',
+            extra_req={'productData':
+                       'my_product_id=1234&buyer_email=user@example.com'})
+        res = self.client.get('/mozpay/', {'req': jwt})
+        doc = pq(res.content)
+        eq_(doc('body').attr('data-logged-in-user'), '')
diff --git a/webpay/spa/views.py b/webpay/spa/views.py
@@ -1,10 +1,11 @@
+import urlparse
 from django import http
 from django.conf import settings
 from django.core.urlresolvers import reverse
 from django.shortcuts import render
 
 from django_paranoia.decorators import require_GET
-
+from mozpay.verify import InvalidJWT, _get_issuer, verify_sig
 from lib.solitude.api import ProviderHelper
 from webpay.base.helpers import fxa_auth_info
 from webpay.base.logger import getLogger
@@ -14,11 +15,24 @@
 @require_GET
 def index(request, view_name=None):
     """Page that serves the static Single Page App (Spartacus)."""
-
     if not settings.SPA_ENABLE:
         return http.HttpResponseForbidden()
     ctx = {}
     if settings.USE_FXA:
         ctx['fxa_state'], ctx['fxa_auth_url'] = fxa_auth_info(request)
-
+    jwt = request.GET.get('req')
+    # If this is a Marketplace-issued JWT, verify its signature and skip login
+    # for the purchaser named in it.
+    if jwt and _get_issuer(jwt) == settings.KEY:
+        try:
+            data = verify_sig(jwt, settings.SECRET)
+            data = data['request'].get('productData', '')
+        except InvalidJWT:
+            pass
+        else:
+            product_data = urlparse.parse_qs(data)
+            emails = product_data.get('buyer_email')
+            if emails:
+                log.info("Creating session for marketplace user " + str(emails))
+                request.session['logged_in_user'] = emails[0]
     return render(request, 'spa/index.html', ctx)