feat(server): reject assertions if fxa-tokenVerified is false

mozilla-services · May 16, 2016 · e1c6f2a · e1c6f2a
1 parent 8b8263a
commit e1c6f2a
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/tokenserver/tests/test_service.py b/tokenserver/tests/test_service.py
@@ -163,6 +163,26 @@ def test_unauthorized_error_status(self):
             with self.assertRaises(ValueError):
                 res = self.app.get('/1.0/sync/1.1', headers=headers)
 
+    def test_unverified_token(self):
+        headers = {'Authorization': 'BrowserID %s' % self._getassertion()}
+        # Assertion should not be rejected if fxa-tokenVerified is unset
+        mock_response = {
+            "status": "okay",
+            "email": "[email protected]",
+            "idpClaims": {}
+        }
+        with self.mock_verifier(response=mock_response):
+            self.app.get("/1.0/sync/1.1", headers=headers, status=200)
+        # Assertion should not be rejected if fxa-tokenVerified is True
+        mock_response['idpClaims']['fxa-tokenVerified'] = True
+        with self.mock_verifier(response=mock_response):
+            self.app.get("/1.0/sync/1.1", headers=headers, status=200)
+        # Assertion should be rejected if fxa-tokenVerified is False
+        mock_response['idpClaims']['fxa-tokenVerified'] = False
+        with self.mock_verifier(response=mock_response):
+            res = self.app.get("/1.0/sync/1.1", headers=headers, status=401)
+        self.assertEqual(res.json['status'], 'invalid-credentials')
+
     def test_generation_number_change(self):
         headers = {"Authorization": "BrowserID %s" % self._getassertion()}
         # Start with no generation number.

diff --git a/tokenserver/views.py b/tokenserver/views.py
@@ -96,6 +96,15 @@ def valid_assertion(request):
             raise _unauthorized("invalid-timestamp")
         raise _unauthorized("invalid-credentials")
 
+    # FxA sign-in confirmation introduced the notion of unverified tokens.
+    # The default value is True to preserve backwards compatibility.
+    try:
+        tokenVerified = assertion['idpClaims']['fxa-tokenVerified']
+    except KeyError:
+        tokenVerified = True
+    if not tokenVerified:
+        raise _unauthorized("invalid-credentials")
+
     # everything sounds good, add the assertion to the list of validated fields
     # and continue
     request.metrics['token.assertion.verify_success'] = 1