removed auth_token from domain registration table

integration/test/Test/DomainVerification.hs

@@ -105,7 +105,7 @@ testDomainVerificationWrongAuth = do
     )
     $ \resp -> do
       resp.status `shouldMatchInt` 403
-      resp.json %. "label" `shouldMatch` "invalid-domain-verification-auth-token"
+      resp.json %. "label" `shouldMatch` "domain-verification-failed"
   where
     generateWrongToken :: App String
     generateWrongToken = do

libs/wire-api/src/Wire/API/EnterpriseLogin.hs

@@ -230,8 +230,7 @@ data DomainRegistration = DomainRegistration
   { domain :: Domain,
     domainRedirect :: DomainRedirect,
     teamInvite :: TeamInvite,
-    dnsVerificationToken :: Maybe DnsVerificationToken,
-    authToken :: Maybe DomainVerificationAuthToken
+    dnsVerificationToken :: Maybe DnsVerificationToken
   }
   deriving stock (Eq, Show)
   deriving (ToJSON, FromJSON, OpenApi.ToSchema) via Schema DomainRegistration
@@ -244,7 +243,6 @@ instance ToSchema DomainRegistration where
         <*> (.domainRedirect) .= domainRedirectSchema
         <*> (.teamInvite) .= teamInviteObjectSchema
         <*> (.dnsVerificationToken) .= optField "dns_verification_token" (maybeWithDefault Aeson.Null schema)
-        <*> (.authToken) .= optField "auth_token" (maybeWithDefault Aeson.Null schema)
 
 -- | Bearer authentication token for domain verification requests.
 data DomainVerificationAuthToken
@@ -257,7 +255,9 @@ parseDomainVerificationAuthToken txt = do
   bytes <- B64U.decodeUnpadded (Text.encodeUtf8 txt)
   (flag, bytes') <- note "Empty authentication token" $ B.uncons bytes
   case flag of
-    0 -> pure (DomainVerificationAuthTokenRandom bytes')
+    0 -> do
+      unless (BS.length bytes' == 32) $ Left "Invalid random auth token length"
+      pure (DomainVerificationAuthTokenRandom bytes')
     1 ->
       DomainVerificationAuthTokenTeam . Id
         <$> note

libs/wire-api/test/golden/Test/Wire/API/Golden/Manual/EnterpriseLogin.hs

@@ -32,8 +32,7 @@ testObject_DomainRegistration_1 =
     { domain = Domain "example.com",
       domainRedirect = Locked,
       teamInvite = Allowed,
-      dnsVerificationToken = Nothing,
-      authToken = Nothing
+      dnsVerificationToken = Nothing
     }
 
 testObject_DomainRegistration_2 :: DomainRegistration
@@ -42,8 +41,7 @@ testObject_DomainRegistration_2 =
     { domain = Domain "example.com",
       domainRedirect = None,
       teamInvite = NotAllowed,
-      dnsVerificationToken = Nothing,
-      authToken = Nothing
+      dnsVerificationToken = Nothing
     }
 
 testObject_DomainRegistration_3 :: DomainRegistration
@@ -52,8 +50,7 @@ testObject_DomainRegistration_3 =
     { domain = Domain "example.com",
       domainRedirect = SSO (SAML.IdPId $ fromJust (UUID.fromString "abf7c0b2-f4e6-4588-8fbb-3b4bf2344284")),
       teamInvite = Team $ Id (fromJust (UUID.fromString "abf7c0b2-f4e6-4588-8fbb-3b4bf2344284")),
-      dnsVerificationToken = Nothing,
-      authToken = Nothing
+      dnsVerificationToken = Nothing
     }
 
 testObject_DomainRegistration_4 :: DomainRegistration
@@ -62,8 +59,7 @@ testObject_DomainRegistration_4 =
     { domain = Domain "example.com",
       domainRedirect = Backend (HttpsUrl (fromRight' (parseURI strictURIParserOptions "https://example.com/inv14"))),
       teamInvite = Allowed,
-      dnsVerificationToken = Nothing,
-      authToken = Nothing
+      dnsVerificationToken = Nothing
     }
 
 testObject_DomainRegistration_5 :: DomainRegistration
@@ -72,8 +68,7 @@ testObject_DomainRegistration_5 =
     { domain = Domain "example.com",
       domainRedirect = NoRegistration,
       teamInvite = Allowed,
-      dnsVerificationToken = Nothing,
-      authToken = Nothing
+      dnsVerificationToken = Nothing
     }
 
 testObject_DomainRegistration_6 :: DomainRegistration
@@ -82,8 +77,7 @@ testObject_DomainRegistration_6 =
     { domain = Domain "example.com",
       domainRedirect = PreAuthorized,
       teamInvite = Allowed,
-      dnsVerificationToken = Just $ DnsVerificationToken "wire-domain-Ym9vCg::example.com",
-      authToken = Just $ DomainVerificationAuthTokenRandom "Ym9vCg"
+      dnsVerificationToken = Just $ DnsVerificationToken "wire-domain-Ym9vCg::example.com"
     }
 
 testObject_DomainRegistrationUpdate_1 :: DomainRegistrationUpdate

libs/wire-api/test/golden/testObject_DomainRegistration_1.json

@@ -1,5 +1,4 @@
 {
-    "auth_token": null,
     "dns_verification_token": null,
     "domain": "example.com",
     "domain_redirect": "locked",

libs/wire-api/test/golden/testObject_DomainRegistration_2.json

@@ -1,5 +1,4 @@
 {
-    "auth_token": null,
     "dns_verification_token": null,
     "domain": "example.com",
     "domain_redirect": "none",

libs/wire-api/test/golden/testObject_DomainRegistration_3.json

@@ -1,5 +1,4 @@
 {
-    "auth_token": null,
     "dns_verification_token": null,
     "domain": "example.com",
     "domain_redirect": "sso",

libs/wire-api/test/golden/testObject_DomainRegistration_4.json

@@ -1,5 +1,4 @@
 {
-    "auth_token": null,
     "backend_url": "https://example.com/inv14",
     "dns_verification_token": null,
     "domain": "example.com",

libs/wire-api/test/golden/testObject_DomainRegistration_5.json

@@ -1,5 +1,4 @@
 {
-    "auth_token": null,
     "dns_verification_token": null,
     "domain": "example.com",
     "domain_redirect": "no-registration",

libs/wire-api/test/golden/testObject_DomainRegistration_6.json

@@ -1,5 +1,4 @@
 {
-    "auth_token": "Ym9vCg",
     "dns_verification_token": "wire-domain-Ym9vCg::example.com",
     "domain": "example.com",
     "domain_redirect": "pre-authorized",

libs/wire-subsystems/src/Wire/DomainRegistrationStore.hs

@@ -18,8 +18,7 @@ data StoredDomainRegistration = StoredDomainRegistration
     idpId :: Maybe SAML.IdPId,
     backendUrl :: Maybe HttpsUrl,
     team :: Maybe TeamId,
-    dnsVerificationToken :: Maybe DnsVerificationToken,
-    authToken :: Maybe DomainVerificationAuthToken
+    dnsVerificationToken :: Maybe DnsVerificationToken
   }
   deriving (Show, Eq, Ord, Generic)
 
@@ -29,6 +28,5 @@ data DomainRegistrationStore m a where
   Upsert :: StoredDomainRegistration -> DomainRegistrationStore m ()
   Lookup :: Domain -> DomainRegistrationStore m (Maybe StoredDomainRegistration)
   Delete :: Domain -> DomainRegistrationStore m ()
-  InsertAuthToken :: Domain -> DomainVerificationAuthToken -> DomainRegistrationStore m ()
 
 makeSem ''DomainRegistrationStore

libs/wire-subsystems/src/Wire/DomainRegistrationStore/Cassandra.hs

@@ -11,7 +11,6 @@ import Database.CQL.Protocol (Record (..), TupleType, asTuple)
 import Imports hiding (lookup)
 import Polysemy
 import SAML2.WebSSO qualified as SAML
-import Wire.API.EnterpriseLogin
 import Wire.DomainRegistrationStore (DomainRegistrationStore (..), StoredDomainRegistration (..))
 
 deriving instance Cql SAML.IdPId
@@ -27,7 +26,6 @@ interpretDomainRegistrationStoreToCassandra casClient =
       Upsert dr -> upsert dr
       Lookup domain -> lookup domain
       Delete domain -> delete domain
-      InsertAuthToken domain authToken -> insertAuthToken domain authToken
 
 upsert :: (MonadClient m) => StoredDomainRegistration -> m ()
 upsert dr = retry x5 $ write cqlUpsert (params LocalQuorum (asTuple dr))
@@ -40,17 +38,11 @@ lookup domain =
 delete :: (MonadClient m) => Domain -> m ()
 delete domain = retry x5 $ write cqlDelete (params LocalQuorum (Identity domain))
 
-insertAuthToken :: (MonadClient m) => Domain -> DomainVerificationAuthToken -> m ()
-insertAuthToken domain authToken = retry x5 $ write cqlInsertAuthToken (params LocalQuorum (authToken, domain))
-
 cqlUpsert :: PrepQuery W (TupleType StoredDomainRegistration) ()
-cqlUpsert = "INSERT INTO domain_registration (domain, domain_redirect, team_invite, idp_id, backend_url, team, dns_verification_token, auth_token) VALUES (?,?,?,?,?,?,?,?)"
+cqlUpsert = "INSERT INTO domain_registration (domain, domain_redirect, team_invite, idp_id, backend_url, team, dns_verification_token) VALUES (?,?,?,?,?,?,?)"
 
 cqlSelect :: PrepQuery R (Identity Domain) (TupleType StoredDomainRegistration)
-cqlSelect = "SELECT domain, domain_redirect, team_invite, idp_id, backend_url, team, dns_verification_token, auth_token FROM domain_registration WHERE domain = ?"
+cqlSelect = "SELECT domain, domain_redirect, team_invite, idp_id, backend_url, team, dns_verification_token FROM domain_registration WHERE domain = ?"
 
 cqlDelete :: PrepQuery W (Identity Domain) ()
 cqlDelete = "DELETE FROM domain_registration WHERE domain = ?"
-
-cqlInsertAuthToken :: PrepQuery W (DomainVerificationAuthToken, Domain) ()
-cqlInsertAuthToken = "UPDATE domain_registration SET auth_token = ? WHERE domain = ?"

libs/wire-subsystems/src/Wire/EnterpriseLoginSubsystem.hs

@@ -24,12 +24,7 @@ data EnterpriseLoginSubsystem m a where
     Domain ->
     DomainVerificationAuthToken ->
     EnterpriseLoginSubsystem m Bool
-  CheckAuthToken ::
-    Domain ->
-    DomainVerificationAuthToken ->
-    EnterpriseLoginSubsystem m Bool
   GenerateAuthToken ::
-    Domain ->
     EnterpriseLoginSubsystem m DomainVerificationAuthToken
 
 makeSem ''EnterpriseLoginSubsystem

libs/wire-subsystems/src/Wire/EnterpriseLoginSubsystem/Interpreter.hs

@@ -79,26 +79,14 @@ runEnterpriseLoginSubsystem = interpret $
     VerifyDNSRecord domain authToken ->
       runInputSem (wireServerEnterpriseEndpoint <$> input) $
         verifyDNSRecordImpl domain authToken
-    CheckAuthToken domain authToken -> checkAuthTokenImpl domain authToken
-    GenerateAuthToken domain -> generateAuthTokenImpl domain
-
-checkAuthTokenImpl :: (Member DomainRegistrationStore r) => Domain -> DomainVerificationAuthToken -> Sem r Bool
-checkAuthTokenImpl domain authToken = do
-  mDomRep <- lookup domain
-  pure $ fromMaybe False $ do
-    domRep <- mDomRep
-    pure $ domRep.authToken == Just authToken
+    GenerateAuthToken -> generateAuthTokenImpl
 
 generateAuthTokenImpl ::
-  ( Member Random r,
-    Member DomainRegistrationStore r
+  ( Member Random r
   ) =>
-  Domain ->
   Sem r DomainVerificationAuthToken
-generateAuthTokenImpl domain = do
-  authToken <- DomainVerificationAuthTokenRandom <$> Wire.Sem.Random.bytes 32
-  insertAuthToken domain authToken
-  pure authToken
+generateAuthTokenImpl =
+  DomainVerificationAuthTokenRandom <$> Wire.Sem.Random.bytes 32
 
 deleteDomainImpl ::
   ( Member DomainRegistrationStore r,
@@ -168,7 +156,7 @@ updateDomainRegistrationImpl domain update = do
       let new = dr {teamInvite = update.teamInvite, domainRedirect = update.domainRedirect} :: DomainRegistration
       audit mOld new *> upsert (toStored new)
     Nothing -> do
-      let new = DomainRegistration domain update.domainRedirect update.teamInvite Nothing Nothing
+      let new = DomainRegistration domain update.domainRedirect update.teamInvite Nothing
       audit mOld new *> upsert (toStored new)
   where
     audit :: Maybe DomainRegistration -> DomainRegistration -> Sem r ()
@@ -191,7 +179,7 @@ lockDomainImpl ::
   Sem r ()
 lockDomainImpl domain = do
   mOld <- tryGetDomainRegistrationImpl domain
-  let new = DomainRegistration domain Locked Allowed Nothing Nothing
+  let new = DomainRegistration domain Locked Allowed Nothing
   audit mOld new *> upsert (toStored new)
   where
     url :: Builder
@@ -243,7 +231,7 @@ preAuthorizeImpl domain = do
   mOld <- tryGetDomainRegistrationImpl domain
   case mOld of
     Nothing -> do
-      let new = DomainRegistration domain PreAuthorized Allowed Nothing Nothing
+      let new = DomainRegistration domain PreAuthorized Allowed Nothing
       audit mOld new *> upsert (toStored new)
     Just old | old.domainRedirect == None -> do
       let new = old {domainRedirect = PreAuthorized} :: DomainRegistration
@@ -349,11 +337,10 @@ fromStored sdr =
     <$> getDomainRedirect sdr
     <*> getTeamInvite sdr
     <*> pure sdr.dnsVerificationToken
-    <*> pure sdr.authToken
   where
     getTeamInvite :: StoredDomainRegistration -> Maybe TeamInvite
     getTeamInvite = \case
-      StoredDomainRegistration _ _ ti _ _ tid _ _ -> case (ti, tid) of
+      StoredDomainRegistration _ _ ti _ _ tid _ -> case (ti, tid) of
         (Just AllowedTag, Nothing) -> Just Allowed
         (Just NotAllowedTag, Nothing) -> Just NotAllowed
         (Just TeamTag, Just teamId) -> Just $ Team teamId
@@ -362,7 +349,7 @@ fromStored sdr =
 
     getDomainRedirect :: StoredDomainRegistration -> Maybe DomainRedirect
     getDomainRedirect = \case
-      StoredDomainRegistration _ dr _ ssoId url _ _ _ -> case (dr, ssoId, url) of
+      StoredDomainRegistration _ dr _ ssoId url _ _ -> case (dr, ssoId, url) of
         (Just NoneTag, Nothing, Nothing) -> Just None
         (Just LockedTag, Nothing, Nothing) -> Just Locked
         (Just PreAuthorizedTag, Nothing, Nothing) -> Just PreAuthorized
@@ -376,7 +363,7 @@ toStored :: DomainRegistration -> StoredDomainRegistration
 toStored dr =
   let (domainRedirect, idpId, backendUrl) = fromDomainRedirect dr.domainRedirect
       (teamInvite, team) = fromTeamInvite dr.teamInvite
-   in StoredDomainRegistration dr.domain (Just domainRedirect) (Just teamInvite) idpId backendUrl team dr.dnsVerificationToken dr.authToken
+   in StoredDomainRegistration dr.domain (Just domainRedirect) (Just teamInvite) idpId backendUrl team dr.dnsVerificationToken
   where
     fromTeamInvite :: TeamInvite -> (TeamInviteTag, Maybe TeamId)
     fromTeamInvite Allowed = (AllowedTag, Nothing)

services/brig/brig.cabal

@@ -186,7 +186,6 @@ library
     Brig.Schema.V86_WriteTimeBumper
     Brig.Schema.V87_DropInvitationTables
     Brig.Schema.V88_DomainRegistrationTable
-    Brig.Schema.V89_DomainRegistrationTable_addAuthToken
     Brig.Team.API
     Brig.Team.Email
     Brig.Team.Template

services/brig/src/Brig/API/Public.hs

@@ -1509,28 +1509,15 @@ getSystemSettingsInternal _ = do
   let iSettings = SystemSettingsInternal $ fromMaybe False optSettings.enableMLS
   pure $ SystemSettings pSettings iSettings
 
-ensureAuthTokenCorrect ::
-  (Member EnterpriseLoginSubsystem r) =>
-  Domain ->
-  Bearer DomainVerificationAuthToken ->
-  Handler r ()
-ensureAuthTokenCorrect domain token = do
-  matches <- lift . liftSem $ EnterpriseLogin.checkAuthToken domain (unBearer token)
-  if matches
-    then pure ()
-    else throwStd (errorToWai @E.InvalidDomainVerificationAuthToken)
-
 domainVerificationToken ::
   (Member EnterpriseLoginSubsystem r) =>
   Maybe (Bearer DomainVerificationAuthToken) ->
   Domain ->
   Handler r DomainVerificationTokenResponse
 domainVerificationToken mAuthToken domain = do
   authToken <- case mAuthToken of
-    Nothing -> lift . liftSem $ EnterpriseLogin.generateAuthToken domain
-    Just token -> do
-      ensureAuthTokenCorrect domain token
-      pure (unBearer token)
+    Nothing -> lift . liftSem $ EnterpriseLogin.generateAuthToken
+    Just token -> pure (unBearer token)
   dnsToken <- lift . liftSem $ EnterpriseLogin.getDomainVerificationToken domain authToken
   pure DomainVerificationTokenResponse {..}
 
@@ -1554,7 +1541,6 @@ updateDomainRegistration ::
   (DomainRegistration -> Maybe DomainRegistrationUpdate) ->
   Handler r ()
 updateDomainRegistration authToken domain computeUpdate = do
-  ensureAuthTokenCorrect domain authToken
   mbDomainReg <- lift . liftSem $ EnterpriseLogin.tryGetDomainRegistration domain
   update <- guardUpdate $ mbDomainReg >>= computeUpdate
   verifyDNSRecord authToken domain

services/brig/src/Brig/Schema/Run.hs

@@ -63,7 +63,6 @@ import Brig.Schema.V85_DropUserKeysHashed qualified as V85_DropUserKeysHashed
 import Brig.Schema.V86_WriteTimeBumper qualified as V86_WriteTimeBumper
 import Brig.Schema.V87_DropInvitationTables qualified as V87_DropInvitationTables
 import Brig.Schema.V88_DomainRegistrationTable qualified as V88_DomainRegistrationTable
-import Brig.Schema.V89_DomainRegistrationTable_addAuthToken qualified as V89_DomainRegistrationTable_addAuthToken
 import Cassandra.MigrateSchema (migrateSchema)
 import Cassandra.Schema
 import Control.Exception (finally)
@@ -133,8 +132,7 @@ migrations =
     V85_DropUserKeysHashed.migration,
     V86_WriteTimeBumper.migration,
     V87_DropInvitationTables.migration,
-    V88_DomainRegistrationTable.migration,
-    V89_DomainRegistrationTable_addAuthToken.migration
+    V88_DomainRegistrationTable.migration
     -- FUTUREWORK: undo V41 (searchable flag); we stopped using it in
     -- https://github.com/wireapp/wire-server/pull/964
   ]