feat(codes): add support for verifying token short code (#287) r=@vladikoff,@rfk

This PR exposes new APIs to create and verify sessionTokens using a short code. Couple notes

- Each code has an expiration date
- Codes are stored as hashes in database
- Support for resending (aka regenerating) a code to come in later PR.
- New endpoint `verifyTokensShortCode` used to explicitly verify shortCodes. 

Connects with mozilla/fxa-auth-server#2218

Feature doc: https://docs.google.com/document/d/1xQtCGBJ9XZuF1q9faZV3YIiOnxomQMHKiTP62YSf3v8/edit

Author: vbudhram

docs/API.md

@@ -35,6 +35,7 @@ There are a number of methods that a DB storage backend should implement:
     * .deleteKeyFetchToken(tokenId)
 * Unverified session tokens and key fetch tokens
     * .verifyTokens(tokenVerificationId, accountData)
+    * .verifyTokenCode(code, accountData)
 * Password Forgot Tokens
     * .createPasswordForgotToken(tokenId, passwordForgotToken)
     * .deletePasswordForgotToken(tokenId)
@@ -430,7 +431,7 @@ Parameters.
 Each token takes the following fields for it's create method respectively:
 
 * sessionToken : data, uid, createdAt, uaBrowser, uaBrowserVersion, uaOS, uaOSVersion, uaDeviceType,
-                 uaFormFactor, mustVerify, tokenVerificationId
+                 uaFormFactor, mustVerify, tokenVerificationId, tokenVerificationCodeHash, tokenVerificationCodeExpiresAt
 * keyFetchToken : authKey, uid, keyBundle, createdAt, tokenVerificationId
 * passwordChangeToken : data, uid, createdAt
 * passwordForgotToken : data, uid, passCode, createdAt, triesxb
@@ -480,7 +481,8 @@ These fields are represented as
 * sessionTokenWithVerificationStatus : t.tokenData, t.uid, t.createdAt, t.uaBrowser, t.uaBrowserVersion,
                                        t.uaOS, t.uaOSVersion, t.uaDeviceType, t.uaFormFactor, t.lastAccessTime,
                                        a.emailVerified, a.email, a.emailCode, a.verifierSetAt,
-                                       a.createdAt AS accountCreatedAt, ut.mustVerify, ut.tokenVerificationId
+                                       a.createdAt AS accountCreatedAt, ut.mustVerify, ut.tokenVerificationId,
+                                       ut.tokenVerificationCodeHash, ut.tokenVerificationCodeExpiresAt
 * keyFetchToken : t.authKey, t.uid, t.keyBundle, t.createdAt, a.emailVerified, a.verifierSetAt
 * keyFetchTokenWithVerificationStatus : t.authKey, t.uid, t.keyBundle, t.createdAt, a.emailVerified,
                                         a.verifierSetAt, ut.mustVerify, ut.tokenVerificationId
@@ -561,6 +563,27 @@ Returns a promise that:
   from the underlying storage system
   (wrapped in `error.wrap()`).
 
+## .verifyTokenCode(code, accountData)
+
+  Verifies sessionTokens and keyFetchTokens.
+  Note that it takes the code (separate from tokenVerificationId)
+  specified when creating the token,
+  NOT the tokenId.
+  `accountData` is an object
+  with a `uid` property.
+
+  Returns a promise that:
+
+  * Resolves with an object `{}`
+    if a token was verified.
+  * Rejects with error `{ code: 404, errno: 116 }`
+    if there was no matching token.
+  * Rejects with error `{ code: 400, errno: 137 }`
+    if token expired.
+  * Rejects with any error
+    from the underlying storage system
+    (wrapped in `error.wrap()`).  
+
 ## .forgotPasswordVerified(tokenId, accountResetToken) ##
 
 An extra function for `passwordForgotTokens`. This performs three operations:
@@ -613,7 +636,7 @@ The deviceCallbackPublicKey and deviceCallbackAuthKey fields are urlsafe-base64
                  d.callbackPublicKey AS deviceCallbackPublicKey,
                  d.callbackAuthKey AS deviceCallbackAuthKey,
                  d.callbackIsExpired AS deviceCallbackIsExpired,
-                 ut.mustVerify, ut.tokenVerificationId
+                 ut.mustVerify, ut.tokenVerificationId, ut.tokenVerificationCodeHash, ut.tokenVerificationCodeExpiresAt
 
 ## .createVerificationReminder(body) ##
 

fxa-auth-db-server/index.js

@@ -41,6 +41,12 @@ function createServer(db) {
     })
   }
 
+  function withParamsAndBody(fn) {
+    return reply(function (params, body, query) {
+      return fn.call(db, params, body)
+    })
+  }
+
   var api = restify.createServer({
     formatters: {
       'application/json; q=0.9': safeJsonFormatter
@@ -120,6 +126,7 @@ function createServer(db) {
   api.get('/sessionToken/:id/verified', withIdAndBody(db.sessionTokenWithVerificationStatus))
   api.get('/keyFetchToken/:id/verified', withIdAndBody(db.keyFetchTokenWithVerificationStatus))
   api.post('/tokens/:id/verify', withIdAndBody(db.verifyTokens))
+  api.post('/tokens/:code/verifyCode', withParamsAndBody(db.verifyTokenCode))
 
   api.get('/accountResetToken/:id', withIdAndBody(db.accountResetToken))
   api.del('/accountResetToken/:id', withIdAndBody(db.deleteAccountResetToken))

fxa-auth-db-server/lib/error.js

@@ -61,6 +61,17 @@ AppError.cannotDeletePrimaryEmail = function () {
   )
 }
 
+AppError.expiredTokenVerificationCode = function () {
+  return new AppError(
+    {
+      code: 400,
+      error: 'Bad request',
+      errno: 137,
+      message: 'Expired token verification code'
+    }
+  )
+}
+
 AppError.wrap = function (err) {
   return new AppError(
     {

fxa-auth-db-server/test/backend/db_tests.js

@@ -132,7 +132,9 @@ function makeMockSessionToken(uid) {
     uaOSVersion : 'mock OS version',
     uaDeviceType : 'mock device type',
     mustVerify: true,
-    tokenVerificationId : hex16()
+    tokenVerificationId : hex16(),
+    tokenVerificationCode: unblockCode(),
+    tokenVerificationCodeExpiresAt: Date.now() + 20000
   }
 
   return sessionToken
@@ -2580,6 +2582,97 @@ module.exports = function(config, DB) {
       })
     })
 
+    describe('db.verifyTokenCode', () => {
+      let account, anotherAccount, sessionToken, tokenVerificationCode, tokenId
+      before(() => {
+        account = createAccount()
+        account.emailVerified = true
+        return db.createAccount(account.uid, account)
+      })
+
+      it('should verify tokenVerificationCode', () => {
+        tokenId = hex32()
+        sessionToken = makeMockSessionToken(account.uid)
+        tokenVerificationCode = sessionToken.tokenVerificationCode
+        return db.createSessionToken(tokenId, sessionToken)
+          .then(() => {
+            return db.sessionTokenWithVerificationStatus(tokenId)
+          })
+          .then((session) => {
+            // Returns unverified session
+            assert.equal(session.mustVerify, sessionToken.mustVerify, 'mustVerify must match sessionToken')
+            assert.equal(session.tokenVerificationId.toString('hex'), sessionToken.tokenVerificationId.toString('hex'), 'tokenVerificationId must match sessionToken')
+            assert.ok(session.tokenVerificationCodeHash, 'tokenVerificationCodeHash exists')
+            assert.equal(session.tokenVerificationCodeExpiresAt, sessionToken.tokenVerificationCodeExpiresAt, 'tokenVerificationCodeExpiresAt must match sessionToken')
+
+            // Verify the session
+            return db.verifyTokenCode({code: tokenVerificationCode}, account)
+          })
+          .then(() => {
+            return db.sessionTokenWithVerificationStatus(tokenId)
+          })
+          .then((session) => {
+            // Returns verified session
+            assert.equal(session.mustVerify, null, 'mustVerify is not set')
+            assert.equal(session.tokenVerificationId, null, 'tokenVerificationId is not set')
+            assert.equal(session.tokenVerificationCodeHash, null, 'tokenVerificationCodeHash is not set')
+            assert.equal(session.tokenVerificationCodeExpiresAt, null, 'tokenVerificationCodeExpiresAt is not set')
+          })
+      })
+
+      it('shouldn\'t verify expired tokenVerificationCode', () => {
+        tokenId = hex32()
+        sessionToken = makeMockSessionToken(account.uid)
+        sessionToken.tokenVerificationCodeExpiresAt = Date.now() - 2000000000
+        tokenVerificationCode = sessionToken.tokenVerificationCode
+        return db.createSessionToken(tokenId, sessionToken)
+          .then(() => {
+            return db.verifyTokenCode({code: tokenVerificationCode}, account)
+              .then(() => {
+                assert.fail('should not have verified expired token')
+              }, (err) => {
+                assert.equal(err.errno, 137, 'correct errno, not found')
+              })
+          })
+      })
+
+      it('shouldn\'t verify unknown tokenVerificationCode', () => {
+        tokenId = hex32()
+        sessionToken = makeMockSessionToken(account.uid)
+        tokenVerificationCode = 'iamzinvalidz'
+        return db.createSessionToken(tokenId, sessionToken)
+          .then(() => {
+            return db.verifyTokenCode({code: tokenVerificationCode}, account)
+              .then(() => {
+                assert.fail('should not have verified unknown token')
+              }, (err) => {
+                assert.equal(err.errno, 116, 'correct errno, not found')
+              })
+          })
+      })
+
+      it('shouldn\'t verify tokenVerificationCode and uid mismatch', () => {
+        tokenId = hex32()
+        sessionToken = makeMockSessionToken(account.uid)
+        tokenVerificationCode = sessionToken.tokenVerificationCode
+        anotherAccount = createAccount()
+        anotherAccount.emailVerified = true
+        return db.createAccount(anotherAccount.uid, anotherAccount)
+          .then(() => {
+            return db.createSessionToken(tokenId, sessionToken)
+          })
+          .then(() => {
+            return db.verifyTokenCode({code: tokenVerificationCode}, anotherAccount)
+              .then(() => {
+                assert.fail('should not have verified unknown token')
+              }, (err) => {
+                assert.equal(err.errno, 116, 'correct errno, not found')
+              })
+          })
+      })
+
+    })
+
     after(() => db.close())
   })
 }

fxa-auth-db-server/test/backend/remote.js

@@ -1540,6 +1540,49 @@ module.exports = function(cfg, makeServer) {
       }
     )
 
+    describe(
+      'add account, verify session with tokenVerificationCode',
+      () => {
+        let user
+
+        before(() => {
+          user = fake.newUserDataHex()
+
+          return client.putThen('/account/' + user.accountId, user.account)
+            .then(function (r) {
+              respOkEmpty(r)
+            })
+        })
+
+        it('should verify session with tokenVerificationCode', () => {
+          return client.putThen('/sessionToken/' + user.sessionTokenId, user.sessionToken)
+            .then((r) => {
+              respOkEmpty(r)
+              return client.getThen('/sessionToken/' + user.sessionTokenId + '/verified')
+            })
+            .then(function (r) {
+              respOk(r)
+              const result = r.obj
+              assert.ok(result.tokenVerificationCodeHash, 'tokenVerificationCodeHash exists')
+              assert.equal(result.tokenVerificationCodeExpiresAt, user.sessionToken.tokenVerificationCodeExpiresAt, 'tokenVerificationCodeExpiresAt set')
+              return client.postThen('/tokens/' + user.sessionToken.tokenVerificationCode + '/verifyCode', {
+                uid: user.accountId
+              })
+            })
+            .then(function (r) {
+              respOk(r)
+              return client.getThen('/sessionToken/' + user.sessionTokenId + '/verified')
+            })
+            .then(function (r) {
+              respOk(r)
+              const result = r.obj
+              assert.equal(result.tokenVerificationCodeHash, null, 'tokenVerificationCodeHash not set')
+              assert.equal(result.tokenVerificationCodeExpiresAt, null, 'tokenVerificationCodeExpiresAt not set')
+            })
+        })
+      }
+    )
+
     after(() => server.close())
 
   })

fxa-auth-db-server/test/fake.js

@@ -59,7 +59,9 @@ module.exports.newUserDataHex = function() {
     uaDeviceType: 'fake device type',
     uaFormFactor: 'fake form factor',
     mustVerify: true,
-    tokenVerificationId: hex16()
+    tokenVerificationId: hex16(),
+    tokenVerificationCode: crypto.randomBytes(4).toString('hex'),
+    tokenVerificationCodeExpiresAt: Date.now() + 20000
   }
 
   // device

lib/db/mem.js

@@ -120,10 +120,13 @@ module.exports = function (log, error) {
     }
 
     if (sessionToken.tokenVerificationId) {
+      const tokenVerificationCodeHash = sessionToken.tokenVerificationCode ? dbUtil.createHash(sessionToken.tokenVerificationCode): null
       unverifiedTokens[tokenId] = {
-        tokenVerificationId: sessionToken.tokenVerificationId,
         mustVerify: !! sessionToken.mustVerify,
-        uid: sessionToken.uid
+        tokenVerificationId: sessionToken.tokenVerificationId,
+        tokenVerificationCodeHash: tokenVerificationCodeHash,
+        tokenVerificationCodeExpiresAt: sessionToken.tokenVerificationCodeExpiresAt,
+        uid: sessionToken.uid,
       }
     }
 
@@ -363,6 +366,54 @@ module.exports = function (log, error) {
     return P.resolve({})
   }
 
+  Memory.prototype.verifyTokenCode = function (tokenData, accountData) {
+    const uid = accountData.uid.toString('hex')
+    const tokenVerificationCodeHash = dbUtil.createHash(tokenData.code)
+    let expired = false
+
+    const tokenCount = Object.keys(unverifiedTokens).reduce((count, tokenId) => {
+      const t = unverifiedTokens[tokenId]
+
+      if (t.uid.toString('hex') !== uid) {
+        return count
+      }
+
+      if (! t.tokenVerificationCodeHash || ! t.tokenVerificationCodeExpiresAt) {
+        return count
+      }
+
+      // Is code expired?
+      if (t.tokenVerificationCodeHash.toString('hex') === tokenVerificationCodeHash.toString('hex')) {
+        if (t.tokenVerificationCodeExpiresAt <= Date.now()) {
+          expired = true
+
+          return count
+        }
+
+        // Remove token and update security table
+        (securityEvents[uid] || []).forEach(function (ev) {
+          if (ev.tokenId && ev.tokenId.toString('hex') === tokenId) {
+            ev.verified = true
+          }
+        })
+        delete unverifiedTokens[tokenId]
+
+        return count + 1
+      }
+      return count
+    }, 0)
+
+    if (expired) {
+      return P.reject(error.expiredTokenVerificationCode())
+    }
+
+    if (tokenCount === 0) {
+      return P.reject(error.notFound())
+    }
+
+    return P.resolve({})
+  }
+
   Memory.prototype.deleteAccountResetToken = function (tokenId) {
     delete accountResetTokens[tokenId.toString('hex')]
     return P.resolve({})
@@ -653,9 +704,14 @@ module.exports = function (log, error) {
         if (unverifiedTokens[tokenId]) {
           sessionToken.mustVerify = unverifiedTokens[tokenId].mustVerify
           sessionToken.tokenVerificationId = unverifiedTokens[tokenId].tokenVerificationId
+          sessionToken.tokenVerificationCodeHash = unverifiedTokens[tokenId].tokenVerificationCodeHash
+          sessionToken.tokenVerificationCodeExpiresAt = unverifiedTokens[tokenId].tokenVerificationCodeExpiresAt
+
         } else {
           sessionToken.mustVerify = null
           sessionToken.tokenVerificationId = null
+          sessionToken.tokenVerificationCodeHash = null
+          sessionToken.tokenVerificationCodeExpiresAt = null
         }
         return sessionToken
       })