Bug 740256 - Correct password check for BID sourced credentials

Author: jrconlin

apps/constants/base.py

@@ -430,3 +430,7 @@
 
 # Percentage of what developers earn after Marketplace's cut.
 MKT_CUT = .70
+
+# Login credential source
+LOGIN_SOURCE_UNKNOWN = 0
+LOGIN_SOURCE_BROWSERID = 1

apps/users/models.py

@@ -130,7 +130,8 @@ class UserProfile(amo.models.OnChangeMixin, amo.models.ModelBase):
                                              editable=False)
     failed_login_attempts = models.PositiveIntegerField(default=0,
                                                         editable=False)
-
+    source = models.PositiveIntegerField(default=amo.LOGIN_SOURCE_UNKNOWN,
+                                         editable=False)
     user = models.ForeignKey(DjangoUser, null=True, editable=False, blank=True)
 
     class Meta:
@@ -221,6 +222,8 @@ def is_artist(self):
 
     @amo.cached_property
     def needs_tougher_password(user):
+        if user.source == amo.LOGIN_SOURCE_BROWSERID:
+            return False
         from access import acl
         return (acl.action_allowed_user(user, 'Admin', '%') or
                 acl.action_allowed_user(user, 'Addons', 'Edit') or
@@ -303,6 +306,9 @@ def save(self, force_insert=False, force_update=False, using=None):
             delete_user.delete()
 
     def check_password(self, raw_password):
+        # BrowserID does not store a password.
+        if self.source == amo.LOGIN_SOURCE_BROWSERID:
+            return True
         if '$' not in self.password:
             valid = (get_hexdigest('md5', '', raw_password) == self.password)
             if valid:

apps/users/tests/test_forms.py

@@ -481,10 +481,10 @@ def test_already_logged_in(self):
         self.assertNotContains(r, '<button type="submit">Register</button>')
 
     def test_browserid_registered(self):
-        u = UserProfile.objects.get(email='jbalogh@mozilla.com')
-        u.password = ''
-        u.save()
-        data = {'email': 'jbalogh@mozilla.com'}
+        u = UserProfile.objects.create(email='bid_test@mozilla.com',
+                                       source=amo.LOGIN_SOURCE_BROWSERID,
+                                       password='')
+        data = {'email': u.email}
         r = self.client.post('/en-US/firefox/users/register', data)
         self.assertContains(r, 'already have an account')
 

apps/users/views.py

@@ -235,7 +235,6 @@ def edit(request):
                                       'resubmit.'))
     else:
         form = forms.UserEditForm(instance=amouser, webapp=webapp)
-
     return jingo.render(request, 'users/edit.html',
                         {'form': form, 'amouser': amouser, 'webapp': webapp})
 
@@ -339,7 +338,9 @@ def browserid_authenticate(request, assertion):
               'Learn more</a>')
         return (None, _m)
     profile = UserProfile.objects.create(username=username, email=email,
+                                         source=amo.LOGIN_SOURCE_BROWSERID,
                                          display_name=username)
+
     profile.create_django_user()
     profile.user.backend = 'django_browserid.auth.BrowserIDBackend'
     if settings.APP_PREVIEW:
@@ -652,6 +653,12 @@ def register(request):
             return http.HttpResponseRedirect(reverse('users.login'))
 
         elif mkt_user.exists():
+            # Handle BrowserID
+            if (mkt_user.count() == 1 and
+                mkt_user[0].source == amo.LOGIN_SOURCE_BROWSERID):
+                messages.info(request, _('You already have an account.'))
+                form = None
+            else:
                 f = PasswordResetForm()
                 f.users_cache = [mkt_user[0]]
                 f.save(use_https=request.is_secure(),

migrations/458-add-login-source.sql

@@ -0,0 +1,5 @@
+ALTER TABLE `users` ADD COLUMN `source` integer(11) NOT NULL DEFAULT 0;
+
+-- apps/constant/base LOGIN_SOURCE_*
+
+UPDATE `users` SET `source`=1 WHERE `password`='' and `notes`='__market__';