2012.11.23 hotfix issue2822

ChangeLog

@@ -1,6 +1,8 @@
 train-2012.11.23:
   * New selenium tests authored in node.js merged.
   * Verifier rejects requests that don't supply a proper hostname: bug #806577
+  * (hotfix 2012.12.03) nodejs version in .spec file >= 0.8.12
+  * (hotfix 2012.12.05) when an email is re-staged, ensure the latest password is used: issue #2822
 
 train-2012.11.09:
   * code cleanup, including jshinting of source and code coverage: #2643, #2272

lib/configuration.js

@@ -179,7 +179,8 @@ var conf = module.exports = convict({
   },
   min_time_between_emails_ms: {
     doc: "What is the most frequently we'll allow emails to be sent to the same user?",
-    format: 'integer = 60000'
+    format: 'integer = 60000',
+    env: 'MIN_TIME_BETWEEN_EMAILS_MS'
   },
   http_proxy: {
     port: 'integer{1,65535}?',

lib/db/mysql.js

@@ -263,7 +263,7 @@ exports.stageUser = function(email, hash, cb) {
   secrets.generate(48, function(secret) {
     // overwrite previously staged users
     client.query('INSERT INTO staged (secret, new_acct, email, passwd) VALUES(?,TRUE,?,?) ' +
-                 'ON DUPLICATE KEY UPDATE secret=VALUES(secret), existing_user=NULL, new_acct=TRUE, ts=NOW()',
+                 'ON DUPLICATE KEY UPDATE secret=VALUES(secret), existing_user=NULL, new_acct=TRUE, ts=NOW(), passwd=VALUES(passwd)',
                  [ secret, email, hash ],
                  function(err) {
                    cb(err, err ? undefined : secret);

scripts/browserid.spec

@@ -2,7 +2,7 @@
 
 Name:          browserid-server
 Version:       0.2012.11.23
-Release:       1%{?dist}_%{svnrev}
+Release:       3%{?dist}_%{svnrev}
 Summary:       BrowserID server
 Packager:      Gene Wood <[email protected]>
 Group:         Development/Libraries
@@ -11,8 +11,8 @@ URL:           https://github.com/mozilla/browserid
 Source0:       %{name}.tar.gz
 BuildRoot:     %{_tmppath}/%{name}-%{version}-%{release}-root
 AutoReqProv:   no
-Requires:      openssl, nodejs == 0.8.12
-BuildRequires: gcc-c++, git, jre, make, npm, openssl-devel, expat-devel, nodejs == 0.8.12
+Requires:      openssl, nodejs >= 0.8.12
+BuildRequires: gcc-c++, git, jre, make, npm, openssl-devel, expat-devel, nodejs >= 0.8.12
 
 %description
 persona server & web home for persona.org

tests/double-stage-updates-password.js

@@ -0,0 +1,120 @@
+#!/usr/bin/env node
+
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+require('./lib/test_env.js');
+
+// this test is for issue 2822 - it tests that when an email is re-staged
+// the password hash is updated.
+
+// disable email throttling so we can stage the same email twice without delay
+process.env['MIN_TIME_BETWEEN_EMAILS_MS'] = 0;
+
+const
+assert = require('assert'),
+vows = require('vows'),
+start_stop = require('./lib/start-stop.js'),
+wsapi = require('./lib/wsapi.js');
+
+var suite = vows.describe('double-stage-updates-password');
+
+// disable vows (often flakey?) async error behavior
+suite.options.error = false;
+
+start_stop.addStartupBatches(suite);
+
+const EMAIL = '[email protected]',
+       SITE = 'http://rp.example.com';
+
+var token;
+
+// stage with password 1
+suite.addBatch({
+  "staging an account": {
+    topic: wsapi.post('/wsapi/stage_user', {
+      email: EMAIL,
+      pass: 'password1',
+      site: SITE
+    }),
+    "succeeds": function(err, r) {
+      assert.strictEqual(r.code, 200);
+    },
+    "yields": {
+      topic: function() {
+        start_stop.waitForToken(this.callback);
+      },
+      "a verification token": function (t) {
+        assert.strictEqual(typeof t, 'string');
+        token = t;
+      }
+    }
+  }
+});
+
+// now stage again with password 2
+suite.addBatch({
+  "staging an account": {
+    topic: wsapi.post('/wsapi/stage_user', {
+      email: EMAIL,
+      pass: 'password2',
+      site: SITE
+    }),
+    "succeeds": function(err, r) {
+      assert.strictEqual(r.code, 200);
+    },
+    "yields": {
+      topic: function() {
+        start_stop.waitForToken(this.callback);
+      },
+      "a verification token": function (t) {
+        assert.strictEqual(typeof t, 'string');
+        token = t;
+      }
+    }
+  }
+});
+
+// verify with the most recent token (associated with password2)
+suite.addBatch({
+  "verifying account ownership": {
+    topic: function() {
+      wsapi.post('/wsapi/complete_user_creation', { token: token }).call(this);
+    },
+    "works": function(err, r) {
+      assert.equal(r.code, 200);
+      assert.strictEqual(true, JSON.parse(r.body).success);
+    }
+  }
+});
+
+// test that password2 works
+suite.addBatch({
+  "first password": {
+    topic: wsapi.post('/wsapi/authenticate_user', {
+      email: EMAIL,
+      pass: 'password1',
+      ephemeral: false
+    }),
+    "fails": function(err, r) {
+      assert.strictEqual(JSON.parse(r.body).success, false);
+    }
+  },
+  "second password": {
+    topic: wsapi.post('/wsapi/authenticate_user', {
+      email: EMAIL,
+      pass: 'password2',
+      ephemeral: false
+    }),
+    "succeeds": function(err, r) {
+      assert.strictEqual(JSON.parse(r.body).success, true);
+    }
+  }
+});
+
+start_stop.addShutdownBatches(suite);
+
+// run or export the suite.
+if (process.argv[1] === __filename) suite.run();
+else suite.export(module);