refactor(openid): remove openid login support

Fixes #1336

config/index.js

@@ -362,12 +362,6 @@ var conf = convict({
       }
     }
   },
-  openIdProviders: {
-    doc: 'root urls of allowed OpenID providers',
-    format: Array,
-    default: [],
-    env: 'OPENID_PROVIDERS'
-  },
   statsd: {
     enabled: {
       doc: 'enable UDP based statsd reporting',
@@ -476,7 +470,4 @@ conf.set('smtp.verifyLoginUrl', conf.get('contentServer.url') + '/complete_signi
 
 conf.set('isProduction', conf.get('env') === 'prod')
 
-conf.set('openIdVerifyUrl', conf.get('publicUrl') + '/v1/account/openid/login')
-
-
 module.exports = conf

lib/db.js

@@ -432,24 +432,6 @@ module.exports = function (
       )
   }
 
-  DB.prototype.openIdRecord = function (id) {
-    log.trace({ op: 'DB.openIdRecord', id: id })
-    return this.pool.get('/openIdRecord/' + Buffer(id, 'utf8').toString('hex'))
-      .then(
-        function (body) {
-          var data = bufferize(body)
-          data.emailVerified = !!data.emailVerified
-          return data
-        },
-        function (err) {
-          if (err.statusCode === 404) {
-            err = error.unknownAccount()
-          }
-          throw err
-        }
-      )
-  }
-
   DB.prototype.account = function (uid) {
     log.trace({ op: 'DB.account', uid: uid })
     return this.pool.get('/account/' + uid.toString('hex'))

lib/routes/account.js

@@ -13,9 +13,7 @@ var URLSAFEBASE64 = validators.URLSAFEBASE64
 var MAX_ACTIVE_SESSIONS = 200
 
 var butil = require('../crypto/butil')
-var openid = require('openid')
 var userAgent = require('../userAgent')
-var url = require('url')
 var requestHelper = require('../routes/utils/request_helper')
 
 module.exports = function (
@@ -36,26 +34,8 @@ module.exports = function (
   metricsContext
   ) {
 
-  var OPENID_EXTENSIONS = [
-    new openid.AttributeExchange(
-      {
-        'http://axschema.org/contact/email': 'optional'
-      }
-    )
-  ]
-
   var verificationReminder = require('../verification-reminders')(log, db)
 
-  function isOpenIdProviderAllowed(id) {
-    if (typeof(id) !== 'string') { return false }
-    var hostname = url.parse(id).hostname
-    return config.openIdProviders.some(
-      function (allowed) {
-        return hostname === url.parse(allowed).hostname
-      }
-    )
-  }
-
   var routes = [
     {
       method: 'POST',
@@ -570,144 +550,6 @@ module.exports = function (
         }
       }
     },
-    {
-      method: 'GET',
-      path: '/account/openid/login',
-      handler: function (request, reply) {
-
-        var unverifiedId = request.url.query && request.url.query['openid.claimed_id']
-        if (!isOpenIdProviderAllowed(unverifiedId)) {
-          log.warn({op: 'Account.openid', id: unverifiedId })
-          return reply({ err: 'This OpenID Provider is not allowed' }).code(400)
-        }
-
-        openid.verifyAssertion(
-          url.format(request.url),
-          function (err, assertion) {
-            if (err || !assertion || !assertion.authenticated) {
-              log.warn({ op: 'Account.openid', err: err, assertion: assertion })
-              return reply({ err: err.message || 'Unknown Account' }).code(400)
-            }
-            var id = assertion.claimedIdentifier
-            var locale = request.app.acceptLanguage
-            var tokenVerificationId = crypto.randomBytes(16)
-
-            db.openIdRecord(id)
-              .then(
-                function (record) {
-                  return record
-                },
-                function (err) {
-                  if (err.errno !== error.ERRNO.ACCOUNT_UNKNOWN) {
-                    throw err
-                  }
-                  var uid = uuid.v4('binary')
-                  var email = assertion.email || uid.toString('hex') + '@uid.' + config.domain
-                  var authSalt = crypto.randomBytes(32)
-                  var kA = crypto.randomBytes(32)
-                  return db.createAccount(
-                    {
-                      uid: uid,
-                      createdAt: Date.now(),
-                      email: email,
-                      emailCode: crypto.randomBytes(16),
-                      emailVerified: true,
-                      kA: kA,
-                      wrapWrapKb: crypto.randomBytes(32),
-                      accountResetToken: null,
-                      passwordForgotToken: null,
-                      authSalt: authSalt,
-                      verifierVersion: 0,
-                      verifyHash: crypto.randomBytes(32),
-                      openId: id,
-                      verifierSetAt: Date.now(),
-                      locale: locale
-                    }
-                  )
-                }
-              )
-              .then(
-                function (account) {
-                  return db.createSessionToken(
-                    {
-                      uid: account.uid,
-                      email: account.email,
-                      emailCode: account.emailCode,
-                      emailVerified: true,
-                      verifierSetAt: account.verifierSetAt,
-                      tokenVerificationId: tokenVerificationId
-                    }
-                  )
-                  .then(
-                    function (sessionToken) {
-                      if (! requestHelper.wantsKeys(request)) {
-                        return P.resolve({
-                          sessionToken: sessionToken
-                        })
-                      }
-                      return db.createKeyFetchToken(
-                        {
-                          uid: account.uid,
-                          kA: account.kA,
-                          // wrapKb is undefined without a password.
-                          // wrapWrapKb has the properties we need for this
-                          // value; Its stable, random, and will change on
-                          // account reset.
-                          wrapKb: account.wrapWrapKb,
-                          emailVerified: true
-                        }
-                      )
-                      .then(
-                        function (keyFetchToken) {
-                          return {
-                            sessionToken: sessionToken,
-                            keyFetchToken: keyFetchToken,
-                            unwrapBKey: butil.xorBuffers(
-                              account.kA,
-                              account.wrapWrapKb
-                            )
-                            // The browser using these values for unwrapBKey
-                            // and wrapKb (from above) will yield kA
-                            // as the Sync key instead of kB
-                          }
-                        }
-                      )
-                    }
-                  )
-                  .then(
-                    function (tokens) {
-                      reply(
-                        {
-                          uid: tokens.sessionToken.uid.toString('hex'),
-                          email: account.email,
-                          session: tokens.sessionToken.data.toString('hex'),
-                          key: tokens.keyFetchToken ?
-                            tokens.keyFetchToken.data.toString('hex')
-                            : undefined,
-                          unwrap: tokens.unwrapBKey ?
-                            tokens.unwrapBKey.toString('hex')
-                            : undefined
-                        }
-                      )
-                    }
-                  )
-                }
-              )
-              .catch(
-                function (err) {
-                  log.error({ op: 'Account.openid', err: err })
-                  reply({
-                    err: err.message
-                  }).code(500)
-                }
-              )
-          },
-          true, // stateless
-          OPENID_EXTENSIONS,
-          false // strict
-        )
-      }
-    },
     {
       method: 'GET',
       path: '/account/status',

package.json

@@ -47,7 +47,6 @@
     "mozlog": "2.0.5",
     "node-statsd": "0.1.1",
     "node-uap": "git+https://github.com/vladikoff/node-uap.git#9cdd16247",
-    "openid": "1.0.0",
     "poolee": "1.0.0",
     "request": "2.65.0",
     "scrypt-hash": "1.1.13",