feat(sessions): Add support for reauth on an existing session. (#305); r=philbooth

rfk · web-flow · commit fdff3e900777 · 2018-02-14T13:51:25.000+11:00
diff --git a/db-server/test/backend/db_tests.js b/db-server/test/backend/db_tests.js
@@ -268,7 +268,7 @@ module.exports = function (config, DB) {
             assert(Array.isArray(sessions), 'sessions is an array')
             assert.equal(sessions.length, 1, 'sessions has one item')
 
-            assert.equal(Object.keys(sessions[0]).length, 18, 'session has correct properties')
+            assert.equal(Object.keys(sessions[0]).length, 19, 'session has correct properties')
             assert.equal(sessions[0].tokenId.toString('hex'), sessionTokenData.tokenId.toString('hex'), 'tokenId is correct')
             assert.equal(sessions[0].uid.toString('hex'), accountData.uid.toString('hex'), 'uid is correct')
             assert.equal(sessions[0].createdAt, sessionTokenData.createdAt, 'createdAt is correct')
@@ -279,6 +279,7 @@ module.exports = function (config, DB) {
             assert.equal(sessions[0].uaDeviceType, sessionTokenData.uaDeviceType, 'uaDeviceType is correct')
             assert.equal(sessions[0].uaFormFactor, sessionTokenData.uaFormFactor, 'uaFormFactor is correct')
             assert.equal(sessions[0].lastAccessTime, sessionTokenData.createdAt, 'lastAccessTime is correct')
+            assert.equal(sessions[0].authAt, sessionTokenData.createdAt, 'authAt is correct')
           })
       })
 
@@ -311,6 +312,7 @@ module.exports = function (config, DB) {
             assert.equal(token.uaDeviceType, sessionTokenData.uaDeviceType, 'uaDeviceType is correct')
             assert.equal(token.uaFormFactor, sessionTokenData.uaFormFactor, 'uaFormFactor is correct')
             assert.equal(token.lastAccessTime, sessionTokenData.createdAt, 'lastAccessTime was set')
+            assert.equal(token.authAt, sessionTokenData.createdAt, 'authAt is correct')
             assert.equal(!! token.emailVerified, accountData.emailVerified, 'token emailVerified is same as account emailVerified')
             assert.equal(token.email, accountData.email, 'token email same as account email')
             assert.deepEqual(token.emailCode, accountData.emailCode, 'token emailCode same as account emailCode')
@@ -326,7 +328,8 @@ module.exports = function (config, DB) {
           uaOS: 'bar',
           uaOSVersion: '2',
           uaDeviceType: 'baz',
-          lastAccessTime: 42
+          lastAccessTime: 42,
+          authAt: 1234567
         }
         return db.updateSessionToken(sessionTokenData.tokenId, sessionTokenUpdates)
           .then((result) => {
@@ -344,6 +347,7 @@ module.exports = function (config, DB) {
             assert.equal(token.uaDeviceType, 'baz', 'uaDeviceType is correct')
             assert.equal(token.uaFormFactor, sessionTokenData.uaFormFactor, 'uaFormFactor is correct')
             assert.equal(token.lastAccessTime, 42, 'lastAccessTime is correct')
+            assert.equal(token.authAt, 1234567, 'authAt is correct')
             assert.equal(!! token.emailVerified, accountData.emailVerified, 'token emailVerified is same as account emailVerified')
             assert.equal(token.email, accountData.email, 'token email same as account email')
             assert.deepEqual(token.emailCode, accountData.emailCode, 'token emailCode same as account emailCode')
@@ -354,6 +358,32 @@ module.exports = function (config, DB) {
           })
       })
 
+      it('should update mustVerify to true, but not to false', () => {
+        return db.sessionTokenWithVerificationStatus(sessionTokenData.tokenId)
+          .then((token) => {
+            assert.equal(token.mustVerify, false, 'mustVerify starts out as false')
+            assert.equal(token.uaBrowser, 'mock browser', 'other fields have their default values')
+            return db.updateSessionToken(sessionTokenData.tokenId, { mustVerify: true })
+          })
+          .then((result) => {
+            assert.deepEqual(result, {}, 'Returned an empty object on session token update')
+            return db.sessionTokenWithVerificationStatus(sessionTokenData.tokenId)
+          })
+          .then((token) => {
+            assert.equal(token.mustVerify, true, 'mustVerify was correctly updated to true')
+            assert.equal(token.uaBrowser, 'mock browser', 'other fields were not updated')
+            return db.updateSessionToken(sessionTokenData.tokenId, { mustVerify: false })
+          })
+          .then((result) => {
+            assert.deepEqual(result, {}, 'Returned an empty object on session token update')
+            return db.sessionTokenWithVerificationStatus(sessionTokenData.tokenId)
+          })
+          .then((token) => {
+            assert.equal(token.mustVerify, true, 'mustVerify was not reset back to false')
+            assert.equal(token.uaBrowser, 'mock browser', 'other fields were not updated')
+          })
+      })
+
       it('should get verification state', () => {
         return db.sessionTokenWithVerificationStatus(sessionTokenData.tokenId)
           .then((token) => {
@@ -367,6 +397,7 @@ module.exports = function (config, DB) {
             assert.equal(token.uaDeviceType, sessionTokenData.uaDeviceType, 'uaDeviceType is correct')
             assert.equal(token.uaFormFactor, sessionTokenData.uaFormFactor, 'uaFormFactor is correct')
             assert.equal(token.lastAccessTime, sessionTokenData.createdAt, 'lastAccessTime was set')
+            assert.equal(token.authAt, sessionTokenData.createdAt, 'authAt is correct')
             assert.equal(!! token.emailVerified, accountData.emailVerified, 'token emailVerified is same as account emailVerified')
             assert.equal(token.email, accountData.email, 'token email same as account email')
             assert.deepEqual(token.emailCode, accountData.emailCode, 'token emailCode same as account emailCode')
diff --git a/db-server/test/backend/remote.js b/db-server/test/backend/remote.js
@@ -345,7 +345,7 @@ module.exports = function(cfg, makeServer) {
             respOk(r)
             var sessions = r.obj
             assert.equal(sessions.length, 1, 'sessions contains one item')
-            assert.equal(Object.keys(sessions[0]).length, 18, 'session has correct properties')
+            assert.equal(Object.keys(sessions[0]).length, 19, 'session has correct properties')
             assert.equal(sessions[0].tokenId, user.sessionTokenId, 'tokenId is correct')
             assert.equal(sessions[0].uid, user.accountId, 'uid is correct')
             assert.equal(sessions[0].createdAt, user.sessionToken.createdAt, 'createdAt is correct')
@@ -356,6 +356,7 @@ module.exports = function(cfg, makeServer) {
             assert.equal(sessions[0].uaDeviceType, user.sessionToken.uaDeviceType, 'uaDeviceType is correct')
             assert.equal(sessions[0].uaFormFactor, user.sessionToken.uaFormFactor, 'uaFormFactor is correct')
             assert.equal(sessions[0].lastAccessTime, user.sessionToken.createdAt, 'lastAccessTime is correct')
+            assert.equal(sessions[0].authAt, user.sessionToken.createdAt, 'authAt is correct')
 
             // Fetch the session token
             return client.getThen('/sessionToken/' + user.sessionTokenId)
@@ -373,6 +374,7 @@ module.exports = function(cfg, makeServer) {
             assert.equal(token.uaDeviceType, user.sessionToken.uaDeviceType, 'uaDeviceType matches')
             assert.equal(token.uaFormFactor, user.sessionToken.uaFormFactor, 'uaFormFactor matches')
             assert.equal(token.lastAccessTime, token.createdAt, 'lastAccessTime was set')
+            assert.equal(token.authAt, token.createdAt, 'authAt was set to default')
             assert.equal(!! token.emailVerified, user.account.emailVerified, 'emailVerified same as account emailVerified')
             assert.equal(token.email, user.account.email, 'token.email same as account email')
             assert.deepEqual(token.emailCode, user.account.emailCode, 'token emailCode same as account emailCode')
@@ -397,6 +399,7 @@ module.exports = function(cfg, makeServer) {
             assert.equal(token.uaDeviceType, user.sessionToken.uaDeviceType, 'uaDeviceType matches')
             assert.equal(token.uaFormFactor, user.sessionToken.uaFormFactor, 'uaFormFactor matches')
             assert.equal(token.lastAccessTime, token.createdAt, 'lastAccessTime was set')
+            assert.equal(token.authAt, token.createdAt, 'authAt was set to default')
             assert.equal(!! token.emailVerified, user.account.emailVerified, 'emailVerified same as account emailVerified')
             assert.equal(token.email, user.account.email, 'token.email same as account email')
             assert.deepEqual(token.emailCode, user.account.emailCode, 'token emailCode same as account emailCode')
@@ -427,6 +430,7 @@ module.exports = function(cfg, makeServer) {
             assert.equal(token.uaDeviceType, verifiedUser.sessionToken.uaDeviceType, 'uaDeviceType matches')
             assert.equal(token.uaFormFactor, verifiedUser.sessionToken.uaFormFactor, 'uaFormFactor matches')
             assert.equal(token.lastAccessTime, token.createdAt, 'lastAccessTime was set')
+            assert.equal(token.authAt, token.createdAt, 'authAt was set to default')
             assert.equal(!! token.emailVerified, verifiedUser.account.emailVerified, 'emailVerified same as account emailVerified')
             assert.equal(token.email, verifiedUser.account.email, 'token.email same as account email')
             assert.deepEqual(token.emailCode, verifiedUser.account.emailCode, 'token emailCode same as account emailCode')
@@ -451,6 +455,7 @@ module.exports = function(cfg, makeServer) {
             assert.equal(token.uaDeviceType, verifiedUser.sessionToken.uaDeviceType, 'uaDeviceType matches')
             assert.equal(token.uaFormFactor, verifiedUser.sessionToken.uaFormFactor, 'uaFormFactor matches')
             assert.equal(token.lastAccessTime, token.createdAt, 'lastAccessTime was set')
+            assert.equal(token.authAt, token.createdAt, 'authAt was set to default')
             assert.equal(!! token.emailVerified, verifiedUser.account.emailVerified, 'emailVerified same as account emailVerified')
             assert.equal(token.email, verifiedUser.account.email, 'token.email same as account email')
             assert.deepEqual(token.emailCode, verifiedUser.account.emailCode, 'token emailCode same as account emailCode')
@@ -517,7 +522,8 @@ module.exports = function(cfg, makeServer) {
               uaOS: 'different OS',
               uaOSVersion: 'different OS version',
               uaDeviceType: 'different device type',
-              lastAccessTime: 42
+              lastAccessTime: 42,
+              authAt: 1234567
             })
           })
           .then(function(r) {
@@ -539,6 +545,7 @@ module.exports = function(cfg, makeServer) {
             assert.equal(sessions[0].uaOSVersion, 'different OS version', 'uaOSVersion is correct')
             assert.equal(sessions[0].uaDeviceType, 'different device type', 'uaDeviceType is correct')
             assert.equal(sessions[0].lastAccessTime, 42, 'lastAccessTime is correct')
+            assert.equal(sessions[0].authAt, 1234567, 'authAt is correct')
 
             // Fetch the newly verified session token
             return client.getThen('/sessionToken/' + user.sessionTokenId)
@@ -555,6 +562,7 @@ module.exports = function(cfg, makeServer) {
             assert.equal(token.uaOSVersion, 'different OS version', 'uaOSVersion was updated')
             assert.equal(token.uaDeviceType, 'different device type', 'uaDeviceType was updated')
             assert.equal(token.lastAccessTime, 42, 'lastAccessTime was updated')
+            assert.equal(token.authAt, 1234567, 'authAt was updated')
 
             // Create a device
             return client.putThen('/account/' + user.accountId + '/device/' + user.deviceId, user.device)
diff --git a/lib/db/mem.js b/lib/db/mem.js
@@ -611,6 +611,7 @@ module.exports = function (log, error) {
           uaDeviceType: sessionToken.uaDeviceType || null,
           uaFormFactor: sessionToken.uaFormFactor || null,
           lastAccessTime: sessionToken.lastAccessTime,
+          authAt: sessionToken.authAt || sessionToken.createdAt,
           // device information
           deviceId: deviceInfo.id || null,
           deviceName: deviceInfo.name || null,
@@ -653,6 +654,7 @@ module.exports = function (log, error) {
     item.uaDeviceType = sessionTokens[id].uaDeviceType || null
     item.uaFormFactor = sessionTokens[id].uaFormFactor || null
     item.lastAccessTime = sessionTokens[id].lastAccessTime
+    item.authAt = sessionTokens[id].authAt || sessionTokens[id].createdAt
 
     var accountId = sessionTokens[id].uid.toString('hex')
     var account = accounts[accountId]
@@ -931,16 +933,15 @@ module.exports = function (log, error) {
   }
 
   Memory.prototype.updateSessionToken = function (id, data) {
-    var token = sessionTokens[id.toString('hex')]
+    const hexId = id.toString('hex')
+    const token = sessionTokens[hexId]
     if (! token) {
       return P.reject(error.notFound())
     }
-    token.uaBrowser = data.uaBrowser
-    token.uaBrowserVersion = data.uaBrowserVersion
-    token.uaOS = data.uaOS
-    token.uaOSVersion = data.uaOSVersion
-    token.uaDeviceType = data.uaDeviceType
-    token.lastAccessTime = data.lastAccessTime
+    Object.assign(token, data)
+    if (data.mustVerify && unverifiedTokens[hexId]) {
+      unverifiedTokens[hexId].mustVerify = true
+    }
     return P.resolve({})
   }
 
@@ -1058,7 +1059,6 @@ module.exports = function (log, error) {
     return P.resolve({ createdAt: timestamp })
   }
 
-
   Memory.prototype.createEmailBounce = function (data) {
     const row = emailBounces[data.email] || (emailBounces[data.email] = [])
     const bounce = extend({}, data)
diff --git a/lib/db/mysql.js b/lib/db/mysql.js
@@ -387,29 +387,30 @@ module.exports = function (log, error) {
 
   // Select : sessionTokens t, accounts a, devices d, unverifiedTokens ut
   // Fields : t.tokenData, t.uid, t.createdAt, t.uaBrowser, t.uaBrowserVersion, t.uaOS,
-  //          t.uaOSVersion, t.uaDeviceType, t.uaFormFactor, t.lastAccessTime, a.emailVerified,
-  //          a.email, a.emailCode, a.verifierSetAt, a.locale, a.createdAt AS accountCreatedAt,
+  //          t.uaOSVersion, t.uaDeviceType, t.uaFormFactor, t.lastAccessTime, t.authAt,
+  //          a.emailVerified, a.email, a.emailCode, a.verifierSetAt, a.locale,
+  //          a.createdAt AS accountCreatedAt,
   //          d.id AS deviceId, d.name AS deviceName, d.type AS deviceType, d.createdAt
   //          AS deviceCreatedAt, d.callbackURL AS deviceCallbackURL, d.callbackPublicKey
   //          AS deviceCallbackPublicKey, d.callbackAuthKey AS deviceCallbackAuthKey,
   //          d.callbackIsExpired AS deviceCallbackIsExpired,
   //          ut.tokenVerificationId, ut.mustVerify
   // Where  : t.tokenId = $1 AND t.uid = a.uid AND t.tokenId = d.sessionTokenId AND
   //          t.uid = d.uid AND t.tokenId = u.tokenId
-  var SESSION_DEVICE = 'CALL sessionWithDevice_10(?)'
+  var SESSION_DEVICE = 'CALL sessionWithDevice_11(?)'
 
   MySql.prototype.sessionWithDevice = function (id) {
     return this.readFirstResult(SESSION_DEVICE, [id])
   }
 
   // Select : sessionTokens
   // Fields : tokenId, uid, createdAt, uaBrowser, uaBrowserVersion,
-  //          uaOS, uaOSVersion, uaDeviceType, uaFormFactor, lastAccessTime,
+  //          uaOS, uaOSVersion, uaDeviceType, uaFormFactor, lastAccessTime, authAt,
   //          deviceId, deviceName, deviceType, deviceCreatedAt, deviceCallbackURL,
   //          deviceCallbackPublicKey, deviceCallbackAuthKey, deviceCallbackIsExpired
   // Where  : t.uid = $1 AND t.tokenId = d.sessionTokenId AND
   //          t.uid = d.uid AND t.tokenId = u.tokenId
-  var SESSIONS = 'CALL sessions_7(?)'
+  var SESSIONS = 'CALL sessions_8(?)'
 
   MySql.prototype.sessions = function (uid) {
     return this.readOneFromFirstResult(SESSIONS, [uid])
@@ -418,10 +419,11 @@ module.exports = function (log, error) {
   // Select : sessionTokens t, accounts a
   // Fields : t.tokenData, t.uid, t.createdAt, t.uaBrowser, t.uaBrowserVersion,
   //          t.uaOS, t.uaOSVersion, t.uaDeviceType, t.uaFormFactor, t.lastAccessTime,
+  //          t.authAt,
   //          a.emailVerified, a.email, a.emailCode, a.verifierSetAt, a.locale,
   //          a.createdAt AS accountCreatedAt
   // Where  : t.tokenId = $1 AND t.uid = a.uid
-  var SESSION_TOKEN = 'CALL sessionToken_7(?)'
+  var SESSION_TOKEN = 'CALL sessionToken_8(?)'
 
   MySql.prototype.sessionToken = function (id) {
     return this.readFirstResult(SESSION_TOKEN, [id])
@@ -430,10 +432,11 @@ module.exports = function (log, error) {
   // Select : sessionTokens t, accounts a, unverifiedTokens ut
   // Fields : t.tokenData, t.uid, t.createdAt, t.uaBrowser, t.uaBrowserVersion,
   //          t.uaOS, t.uaOSVersion, t.uaDeviceType, t.uaFormFactor, t.lastAccessTime,
+  //          t.authAt,
   //          a.emailVerified, a.email, a.emailCode, a.verifierSetAt, a.locale,
   //          a.createdAt AS accountCreatedAt, ut.tokenVerificationId, ut.mustVerify
   // Where  : t.tokenId = $1 AND t.uid = a.uid AND t.tokenId = ut.tokenId
-  var SESSION_TOKEN_VERIFIED = 'CALL sessionTokenWithVerificationStatus_7(?)'
+  var SESSION_TOKEN_VERIFIED = 'CALL sessionTokenWithVerificationStatus_8(?)'
 
   MySql.prototype.sessionTokenWithVerificationStatus = function (tokenId) {
     return this.readFirstResult(SESSION_TOKEN_VERIFIED, [tokenId])
@@ -514,22 +517,26 @@ module.exports = function (log, error) {
   }
 
   // Update : sessionTokens
-  // Set    : uaBrowser = $1, uaBrowserVersion = $2, uaOS = $3, uaOSVersion = $4,
-  //          uaDeviceType = $5, lastAccessTime = $6
-  // Where  : tokenId = $7
-  var UPDATE_SESSION_TOKEN = 'CALL updateSessionToken_1(?, ?, ?, ?, ?, ?, ?)'
+  // Set    : uaBrowser = $2, uaBrowserVersion = $3, uaOS = $4, uaOSVersion = $5,
+  //          uaDeviceType = $6, uaFormFactor = $7, lastAccessTime = $8,
+  //          authAt = $9, mustVerify = $10
+  // Where  : tokenId = $1
+  var UPDATE_SESSION_TOKEN = 'CALL updateSessionToken_2(?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
 
   MySql.prototype.updateSessionToken = function (tokenId, token) {
     return this.write(
       UPDATE_SESSION_TOKEN,
       [
+        tokenId,
         token.uaBrowser,
         token.uaBrowserVersion,
         token.uaOS,
         token.uaOSVersion,
         token.uaDeviceType,
+        token.uaFormFactor,
         token.lastAccessTime,
-        tokenId
+        token.authAt,
+        token.mustVerify
       ]
     )
   }
@@ -803,7 +810,6 @@ module.exports = function (log, error) {
     )
   }
 
-
   // USER EMAILS
   // Insert : emails
   // Values : normalizedEmail = $1, email = $2, uid = $3, emailCode = $4, isVerified = $5, verifiedAt = $7, createdAt = $8
diff --git a/lib/db/patch.js b/lib/db/patch.js
@@ -4,4 +4,4 @@
 
 // The expected patch level of the database. Update if you add a new
 // patch in the ./schema/ directory.
-module.exports.level = 71
+module.exports.level = 72
diff --git a/lib/db/schema/patch-071-072.sql b/lib/db/schema/patch-071-072.sql
diff --git a/lib/db/schema/patch-072-071.sql b/lib/db/schema/patch-072-071.sql
