/* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ "use strict"; const { PromiseUtils } = ChromeUtils.importESModule( "resource://gre/modules/PromiseUtils.sys.mjs" ); const { CryptoUtils } = ChromeUtils.import( "resource://services-crypto/utils.js" ); const { XPCOMUtils } = ChromeUtils.importESModule( "resource://gre/modules/XPCOMUtils.sys.mjs" ); const { clearTimeout, setTimeout } = ChromeUtils.importESModule( "resource://gre/modules/Timer.sys.mjs" ); const { FxAccountsStorageManager } = ChromeUtils.import( "resource://gre/modules/FxAccountsStorage.jsm" ); const { ERRNO_INVALID_AUTH_TOKEN, ERROR_AUTH_ERROR, ERROR_INVALID_PARAMETER, ERROR_NO_ACCOUNT, ERROR_TO_GENERAL_ERROR_CLASS, ERROR_UNKNOWN, ERROR_UNVERIFIED_ACCOUNT, FXA_PWDMGR_PLAINTEXT_FIELDS, FXA_PWDMGR_REAUTH_ALLOWLIST, FXA_PWDMGR_SECURE_FIELDS, FX_OAUTH_CLIENT_ID, ON_ACCOUNT_STATE_CHANGE_NOTIFICATION, ONLOGIN_NOTIFICATION, ONLOGOUT_NOTIFICATION, ON_PRELOGOUT_NOTIFICATION, ONVERIFIED_NOTIFICATION, ON_DEVICE_DISCONNECTED_NOTIFICATION, POLL_SESSION, PREF_ACCOUNT_ROOT, PREF_LAST_FXA_USER, SERVER_ERRNO_TO_ERROR, log, logPII, logManager, } = ChromeUtils.import("resource://gre/modules/FxAccountsCommon.js"); const lazy = {}; ChromeUtils.defineModuleGetter( lazy, "FxAccountsClient", "resource://gre/modules/FxAccountsClient.jsm" ); ChromeUtils.defineModuleGetter( lazy, "FxAccountsConfig", "resource://gre/modules/FxAccountsConfig.jsm" ); ChromeUtils.defineModuleGetter( lazy, "FxAccountsCommands", "resource://gre/modules/FxAccountsCommands.js" ); ChromeUtils.defineModuleGetter( lazy, "FxAccountsDevice", "resource://gre/modules/FxAccountsDevice.jsm" ); ChromeUtils.defineModuleGetter( lazy, "FxAccountsKeys", "resource://gre/modules/FxAccountsKeys.jsm" ); ChromeUtils.defineModuleGetter( lazy, "FxAccountsProfile", "resource://gre/modules/FxAccountsProfile.jsm" ); ChromeUtils.defineModuleGetter( lazy, "FxAccountsTelemetry", "resource://gre/modules/FxAccountsTelemetry.jsm" ); XPCOMUtils.defineLazyGetter(lazy, "mpLocked", () => { return ChromeUtils.import("resource://services-sync/util.js").Utils.mpLocked; }); XPCOMUtils.defineLazyGetter(lazy, "ensureMPUnlocked", () => { return ChromeUtils.import("resource://services-sync/util.js").Utils .ensureMPUnlocked; }); ChromeUtils.defineESModuleGetters(lazy, { Preferences: "resource://gre/modules/Preferences.sys.mjs", }); XPCOMUtils.defineLazyPreferenceGetter( lazy, "FXA_ENABLED", "identity.fxaccounts.enabled", true ); // An AccountState object holds all state related to one specific account. // It is considered "private" to the FxAccounts modules. // Only one AccountState is ever "current" in the FxAccountsInternal object - // whenever a user logs out or logs in, the current AccountState is discarded, // making it impossible for the wrong state or state data to be accidentally // used. // In addition, it has some promise-related helpers to ensure that if an // attempt is made to resolve a promise on a "stale" state (eg, if an // operation starts, but a different user logs in before the operation // completes), the promise will be rejected. // It is intended to be used thusly: // somePromiseBasedFunction: function() { // let currentState = this.currentAccountState; // return someOtherPromiseFunction().then( // data => currentState.resolve(data) // ); // } // If the state has changed between the function being called and the promise // being resolved, the .resolve() call will actually be rejected. function AccountState(storageManager) { this.storageManager = storageManager; this.inFlightTokenRequests = new Map(); this.promiseInitialized = this.storageManager .getAccountData() .then(data => { this.oauthTokens = data && data.oauthTokens ? data.oauthTokens : {}; }) .catch(err => { log.error("Failed to initialize the storage manager", err); // Things are going to fall apart, but not much we can do about it here. }); } AccountState.prototype = { oauthTokens: null, whenVerifiedDeferred: null, whenKeysReadyDeferred: null, // If the storage manager has been nuked then we are no longer current. get isCurrent() { return this.storageManager != null; }, abort() { if (this.whenVerifiedDeferred) { this.whenVerifiedDeferred.reject( new Error("Verification aborted; Another user signing in") ); this.whenVerifiedDeferred = null; } if (this.whenKeysReadyDeferred) { this.whenKeysReadyDeferred.reject( new Error("Key fetching aborted; Another user signing in") ); this.whenKeysReadyDeferred = null; } this.inFlightTokenRequests.clear(); return this.signOut(); }, // Clobber all cached data and write that empty data to storage. async signOut() { this.cert = null; this.keyPair = null; this.oauthTokens = null; this.inFlightTokenRequests.clear(); // Avoid finalizing the storageManager multiple times (ie, .signOut() // followed by .abort()) if (!this.storageManager) { return; } const storageManager = this.storageManager; this.storageManager = null; await storageManager.deleteAccountData(); await storageManager.finalize(); }, // Get user account data. Optionally specify explicit field names to fetch // (and note that if you require an in-memory field you *must* specify the // field name(s).) getUserAccountData(fieldNames = null) { if (!this.isCurrent) { return Promise.reject(new Error("Another user has signed in")); } return this.storageManager.getAccountData(fieldNames).then(result => { return this.resolve(result); }); }, async updateUserAccountData(updatedFields) { if ("uid" in updatedFields) { const existing = await this.getUserAccountData(["uid"]); if (existing.uid != updatedFields.uid) { throw new Error( "The specified credentials aren't for the current user" ); } // We need to nuke uid as storage will complain if we try and // update it (even when the value is the same) updatedFields = Cu.cloneInto(updatedFields, {}); // clone it first delete updatedFields.uid; } if (!this.isCurrent) { return Promise.reject(new Error("Another user has signed in")); } return this.storageManager.updateAccountData(updatedFields); }, resolve(result) { if (!this.isCurrent) { log.info( "An accountState promise was resolved, but was actually rejected" + " due to a different user being signed in. Originally resolved" + " with", result ); return Promise.reject(new Error("A different user signed in")); } return Promise.resolve(result); }, reject(error) { // It could be argued that we should just let it reject with the original // error - but this runs the risk of the error being (eg) a 401, which // might cause the consumer to attempt some remediation and cause other // problems. if (!this.isCurrent) { log.info( "An accountState promise was rejected, but we are ignoring that " + "reason and rejecting it due to a different user being signed in. " + "Originally rejected with", error ); return Promise.reject(new Error("A different user signed in")); } return Promise.reject(error); }, // Abstractions for storage of cached tokens - these are all sync, and don't // handle revocation etc - it's just storage (and the storage itself is async, // but we don't return the storage promises, so it *looks* sync) // These functions are sync simply so we can handle "token races" - when there // are multiple in-flight requests for the same scope, we can detect this // and revoke the redundant token. // A preamble for the cache helpers... _cachePreamble() { if (!this.isCurrent) { throw new Error("Another user has signed in"); } }, // Set a cached token. |tokenData| must have a 'token' element, but may also // have additional fields. // The 'get' functions below return the entire |tokenData| value. setCachedToken(scopeArray, tokenData) { this._cachePreamble(); if (!tokenData.token) { throw new Error("No token"); } let key = getScopeKey(scopeArray); this.oauthTokens[key] = tokenData; // And a background save... this._persistCachedTokens(); }, // Return data for a cached token or null (or throws on bad state etc) getCachedToken(scopeArray) { this._cachePreamble(); let key = getScopeKey(scopeArray); let result = this.oauthTokens[key]; if (result) { // later we might want to check an expiry date - but we currently // have no such concept, so just return it. log.trace("getCachedToken returning cached token"); return result; } return null; }, // Remove a cached token from the cache. Does *not* revoke it from anywhere. // Returns the entire token entry if found, null otherwise. removeCachedToken(token) { this._cachePreamble(); let data = this.oauthTokens; for (let [key, tokenValue] of Object.entries(data)) { if (tokenValue.token == token) { delete data[key]; // And a background save... this._persistCachedTokens(); return tokenValue; } } return null; }, // A hook-point for tests. Returns a promise that's ignored in most cases // (notable exceptions are tests and when we explicitly are saving the entire // set of user data.) _persistCachedTokens() { this._cachePreamble(); return this.updateUserAccountData({ oauthTokens: this.oauthTokens }).catch( err => { log.error("Failed to update cached tokens", err); } ); }, }; /* Given an array of scopes, make a string key by normalizing. */ function getScopeKey(scopeArray) { let normalizedScopes = scopeArray.map(item => item.toLowerCase()); return normalizedScopes.sort().join("|"); } function getPropertyDescriptor(obj, prop) { return ( Object.getOwnPropertyDescriptor(obj, prop) || getPropertyDescriptor(Object.getPrototypeOf(obj), prop) ); } /** * Copies properties from a given object to another object. * * @param from (object) * The object we read property descriptors from. * @param to (object) * The object that we set property descriptors on. * @param thisObj (object) * The object that will be used to .bind() all function properties we find to. * @param keys ([...]) * The names of all properties to be copied. */ function copyObjectProperties(from, to, thisObj, keys) { for (let prop of keys) { // Look for the prop in the prototype chain. let desc = getPropertyDescriptor(from, prop); if (typeof desc.value == "function") { desc.value = desc.value.bind(thisObj); } if (desc.get) { desc.get = desc.get.bind(thisObj); } if (desc.set) { desc.set = desc.set.bind(thisObj); } Object.defineProperty(to, prop, desc); } } /** * The public API. * * TODO - *all* non-underscore stuff here should have sphinx docstrings so * that docs magically appear on https://firefox-source-docs.mozilla.org/ * (although |./mach doc| is broken on windows (bug 1232403) and on Linux for * markh (some obscure npm issue he gave up on) - so later...) */ class FxAccounts { constructor(mocks = null) { this._internal = new FxAccountsInternal(); if (mocks) { // it's slightly unfortunate that we need to mock the main "internal" object // before calling initialize, primarily so a mock `newAccountState` is in // place before initialize calls it, but we need to initialize the // "sub-object" mocks after. This can probably be fixed, but whatever... copyObjectProperties( mocks, this._internal, this._internal, Object.keys(mocks).filter(key => !["device", "commands"].includes(key)) ); } this._internal.initialize(); // allow mocking our "sub-objects" too. if (mocks) { for (let subobject of [ "currentAccountState", "keys", "fxaPushService", "device", "commands", ]) { if (typeof mocks[subobject] == "object") { copyObjectProperties( mocks[subobject], this._internal[subobject], this._internal[subobject], Object.keys(mocks[subobject]) ); } } } } get commands() { return this._internal.commands; } static get config() { return lazy.FxAccountsConfig; } get device() { return this._internal.device; } get keys() { return this._internal.keys; } get telemetry() { return this._internal.telemetry; } _withCurrentAccountState(func) { return this._internal.withCurrentAccountState(func); } _withVerifiedAccountState(func) { return this._internal.withVerifiedAccountState(func); } _withSessionToken(func, mustBeVerified = true) { return this._internal.withSessionToken(func, mustBeVerified); } /** * Returns an array listing all the OAuth clients connected to the * authenticated user's account. This includes browsers and web sessions - no * filtering is done of the set returned by the FxA server. * * @typedef {Object} AttachedClient * @property {String} id - OAuth `client_id` of the client. * @property {Number} lastAccessedDaysAgo - How many days ago the client last * accessed the FxA server APIs. * * @returns {Array.} A list of attached clients. */ async listAttachedOAuthClients() { // We expose last accessed times in 'days ago' const ONE_DAY = 24 * 60 * 60 * 1000; return this._withSessionToken(async sessionToken => { const response = await this._internal.fxAccountsClient.attachedClients( sessionToken ); const attachedClients = response.body; const timestamp = response.headers["x-timestamp"]; const now = timestamp !== undefined ? new Date(parseInt(timestamp, 10)) : Date.now(); return attachedClients.map(client => { const daysAgo = client.lastAccessTime ? Math.max(Math.floor((now - client.lastAccessTime) / ONE_DAY), 0) : null; return { id: client.clientId, lastAccessedDaysAgo: daysAgo, }; }); }); } /** * Get an OAuth token for the user. * * @param options * { * scope: (string/array) the oauth scope(s) being requested. As a * convenience, you may pass a string if only one scope is * required, or an array of strings if multiple are needed. * ttl: (number) OAuth token TTL in seconds. * } * * @return Promise. * The promise resolves the oauth token as a string or rejects with * an error object ({error: ERROR, details: {}}) of the following: * INVALID_PARAMETER * NO_ACCOUNT * UNVERIFIED_ACCOUNT * NETWORK_ERROR * AUTH_ERROR * UNKNOWN_ERROR */ async getOAuthToken(options = {}) { try { return await this._internal.getOAuthToken(options); } catch (err) { throw this._internal._errorToErrorClass(err); } } /** * Remove an OAuth token from the token cache. Callers should call this * after they determine a token is invalid, so a new token will be fetched * on the next call to getOAuthToken(). * * @param options * { * token: (string) A previously fetched token. * } * @return Promise. This function will always resolve, even if * an unknown token is passed. */ removeCachedOAuthToken(options) { return this._internal.removeCachedOAuthToken(options); } /** * Get details about the user currently signed in to Firefox Accounts. * * @return Promise * The promise resolves to the credentials object of the signed-in user: * { * email: String: The user's email address * uid: String: The user's unique id * verified: Boolean: email verification status * displayName: String or null if not known. * avatar: URL of the avatar for the user. May be the default * avatar, or null in edge-cases (eg, if there's an account * issue, etc * avatarDefault: boolean - whether `avatar` is specific to the user * or the default avatar. * } * * or null if no user is signed in. This function never fails except * in pathological cases (eg, file-system errors, etc) */ getSignedInUser() { // Note we don't return the session token, but use it to see if we // should fetch the profile. const ACCT_DATA_FIELDS = ["email", "uid", "verified", "sessionToken"]; const PROFILE_FIELDS = ["displayName", "avatar", "avatarDefault"]; return this._withCurrentAccountState(async currentState => { const data = await currentState.getUserAccountData(ACCT_DATA_FIELDS); if (!data) { return null; } if (!lazy.FXA_ENABLED) { await this.signOut(); return null; } if (!this._internal.isUserEmailVerified(data)) { // If the email is not verified, start polling for verification, // but return null right away. We don't want to return a promise // that might not be fulfilled for a long time. this._internal.startVerifiedCheck(data); } let profileData = null; if (data.sessionToken) { delete data.sessionToken; try { profileData = await this._internal.profile.getProfile(); } catch (error) { log.error("Could not retrieve profile data", error); } } for (let field of PROFILE_FIELDS) { data[field] = profileData ? profileData[field] : null; } // and email is a special case - if we have profile data we prefer the // email from that, as the email we stored for the account itself might // not have been updated if the email changed since the user signed in. if (profileData && profileData.email) { data.email = profileData.email; } return data; }); } /** * Checks the status of the account. Resolves with Promise, where * true indicates the account status is OK and false indicates there's some * issue with the account - either that there's no user currently signed in, * the entire account has been deleted (in which case there will be no user * signed in after this call returns), or that the user must reauthenticate (in * which case `this.hasLocalSession()` will return `false` after this call * returns). * * Typically used when some external code which uses, for example, oauth tokens * received a 401 error using the token, or that this external code has some * other reason to believe the account status may be bad. Note that this will * be called automatically in many cases - for example, if calls to fetch the * profile, or fetch keys, etc return a 401, there's no need to call this * function. * * Because this hits the server, you should only call this method when you have * good reason to believe the session very recently became invalid (eg, because * you saw an auth related exception from a remote service.) */ checkAccountStatus() { // Note that we don't use _withCurrentAccountState here because that will // cause an exception to be thrown if we end up signing out due to the // account not existing, which isn't what we want here. let state = this._internal.currentAccountState; return this._internal.checkAccountStatus(state); } /** * Checks if we have a valid local session state for the current account. * * @return Promise * Resolves with a boolean, with true indicating that we appear to * have a valid local session, or false if we need to reauthenticate * with the content server to obtain one. * Note that this only checks local state, although typically that's * OK, because we drop the local session information whenever we detect * we are in this state. However, see checkAccountStatus() for a way to * check the account and session status with the server, which can be * considered the canonical, albiet expensive, way to determine the * status of the account. */ hasLocalSession() { return this._withCurrentAccountState(async state => { let data = await state.getUserAccountData(["sessionToken"]); return !!(data && data.sessionToken); }); } /** Returns a promise that resolves to true if we can currently connect (ie, * sign in, or re-connect after a password change) to a Firefox Account. * If this returns false, the caller can assume that some UI was shown * which tells the user why we could not connect. * * Currently, the primary password being locked is the only reason why * this returns false, and in this scenario, the primary password unlock * dialog will have been shown. * * This currently doesn't need to return a promise, but does so that * future enhancements, such as other explanatory UI which requires * async can work without modification of the call-sites. */ static canConnectAccount() { return Promise.resolve(!lazy.mpLocked() || lazy.ensureMPUnlocked()); } /** * Send a message to a set of devices in the same account * * @param deviceIds: (null/string/array) The device IDs to send the message to. * If null, will be sent to all devices. * * @param excludedIds: (null/string/array) If deviceIds is null, this may * list device IDs which should not receive the message. * * @param payload: (object) The payload, which will be JSON.stringified. * * @param TTL: How long the message should be retained before it is discarded. */ // XXX - used only by sync to tell other devices that the clients collection // has changed so they should sync asap. The API here is somewhat vague (ie, // "an object"), but to be useful across devices, the payload really needs // formalizing. We should try and do something better here. notifyDevices(deviceIds, excludedIds, payload, TTL) { return this._internal.notifyDevices(deviceIds, excludedIds, payload, TTL); } /** * Resend the verification email for the currently signed-in user. * */ resendVerificationEmail() { return this._withSessionToken((token, currentState) => { this._internal.startPollEmailStatus(currentState, token, "start"); return this._internal.fxAccountsClient.resendVerificationEmail(token); }, false); } async signOut(localOnly) { // Note that we do not use _withCurrentAccountState here, otherwise we // end up with an exception due to the user signing out before the call is // complete - but that's the entire point of this method :) return this._internal.signOut(localOnly); } // XXX - we should consider killing this - the only reason it is public is // so that sync can change it when it notices the device name being changed, // and that could probably be replaced with a pref observer. updateDeviceRegistration() { return this._withCurrentAccountState(_ => { return this._internal.updateDeviceRegistration(); }); } // we should try and kill this too. whenVerified(data) { return this._withCurrentAccountState(_ => { return this._internal.whenVerified(data); }); } /** * Generate a log file for the FxA action that just completed * and refresh the input & output streams. */ async flushLogFile() { const logType = await logManager.resetFileLog(); if (logType == logManager.ERROR_LOG_WRITTEN) { console.error( "FxA encountered an error - see about:sync-log for the log file." ); } Services.obs.notifyObservers(null, "service:log-manager:flush-log-file"); } } var FxAccountsInternal = function() {}; /** * The internal API's prototype. */ FxAccountsInternal.prototype = { // Make a local copy of this constant so we can mock it in testing POLL_SESSION, // The timeout (in ms) we use to poll for a verified mail for the first // VERIFICATION_POLL_START_SLOWDOWN_THRESHOLD minutes if the user has // logged-in in this session. VERIFICATION_POLL_TIMEOUT_INITIAL: 60000, // 1 minute. // All the other cases (> 5 min, on restart etc). VERIFICATION_POLL_TIMEOUT_SUBSEQUENT: 5 * 60000, // 5 minutes. // After X minutes, the polling will slow down to _SUBSEQUENT if we have // logged-in in this session. VERIFICATION_POLL_START_SLOWDOWN_THRESHOLD: 5, _fxAccountsClient: null, // All significant initialization should be done in this initialize() method // to help with our mocking story. initialize() { XPCOMUtils.defineLazyGetter(this, "fxaPushService", function() { return Cc["@mozilla.org/fxaccounts/push;1"].getService( Ci.nsISupports ).wrappedJSObject; }); this.keys = new lazy.FxAccountsKeys(this); if (!this.observerPreloads) { // A registry of promise-returning functions that `notifyObservers` should // call before sending notifications. Primarily used so parts of Firefox // which have yet to load for performance reasons can be force-loaded, and // thus not miss notifications. this.observerPreloads = [ // Sync () => { let { Weave } = ChromeUtils.import( "resource://services-sync/main.js" ); return Weave.Service.promiseInitialized; }, ]; } this.currentTimer = null; // This object holds details about, and storage for, the current user. It // is replaced when a different user signs in. Instead of using it directly, // you should try and use `withCurrentAccountState`. this.currentAccountState = this.newAccountState(); }, async withCurrentAccountState(func) { const state = this.currentAccountState; let result; try { result = await func(state); } catch (ex) { return state.reject(ex); } return state.resolve(result); }, async withVerifiedAccountState(func) { return this.withCurrentAccountState(async state => { let data = await state.getUserAccountData(); if (!data) { // No signed-in user throw this._error(ERROR_NO_ACCOUNT); } if (!this.isUserEmailVerified(data)) { // Signed-in user has not verified email throw this._error(ERROR_UNVERIFIED_ACCOUNT); } return func(state); }); }, async withSessionToken(func, mustBeVerified = true) { const state = this.currentAccountState; let data = await state.getUserAccountData(); if (!data) { // No signed-in user throw this._error(ERROR_NO_ACCOUNT); } if (mustBeVerified && !this.isUserEmailVerified(data)) { // Signed-in user has not verified email throw this._error(ERROR_UNVERIFIED_ACCOUNT); } if (!data.sessionToken) { throw this._error(ERROR_AUTH_ERROR, "no session token"); } try { // Anyone who needs the session token is going to send it to the server, // so there's a chance we'll see an auth related error - so handle that // here rather than requiring each caller to remember to. let result = await func(data.sessionToken, state); return state.resolve(result); } catch (err) { return this._handleTokenError(err); } }, get fxAccountsClient() { if (!this._fxAccountsClient) { this._fxAccountsClient = new lazy.FxAccountsClient(); } return this._fxAccountsClient; }, // The profile object used to fetch the actual user profile. _profile: null, get profile() { if (!this._profile) { let profileServerUrl = Services.urlFormatter.formatURLPref( "identity.fxaccounts.remote.profile.uri" ); this._profile = new lazy.FxAccountsProfile({ fxa: this, profileServerUrl, }); } return this._profile; }, _commands: null, get commands() { if (!this._commands) { this._commands = new lazy.FxAccountsCommands(this); } return this._commands; }, _device: null, get device() { if (!this._device) { this._device = new lazy.FxAccountsDevice(this); } return this._device; }, _telemetry: null, get telemetry() { if (!this._telemetry) { this._telemetry = new lazy.FxAccountsTelemetry(this); } return this._telemetry; }, // A hook-point for tests who may want a mocked AccountState or mocked storage. newAccountState(credentials) { let storage = new FxAccountsStorageManager(); storage.initialize(credentials); return new AccountState(storage); }, notifyDevices(deviceIds, excludedIds, payload, TTL) { if (typeof deviceIds == "string") { deviceIds = [deviceIds]; } return this.withSessionToken(sessionToken => { return this.fxAccountsClient.notifyDevices( sessionToken, deviceIds, excludedIds, payload, TTL ); }); }, /** * Return the current time in milliseconds as an integer. Allows tests to * manipulate the date to simulate token expiration. */ now() { return this.fxAccountsClient.now(); }, /** * Return clock offset in milliseconds, as reported by the fxAccountsClient. * This can be overridden for testing. * * The offset is the number of milliseconds that must be added to the client * clock to make it equal to the server clock. For example, if the client is * five minutes ahead of the server, the localtimeOffsetMsec will be -300000. */ get localtimeOffsetMsec() { return this.fxAccountsClient.localtimeOffsetMsec; }, /** * Ask the server whether the user's email has been verified */ checkEmailStatus: function checkEmailStatus(sessionToken, options = {}) { if (!sessionToken) { return Promise.reject( new Error("checkEmailStatus called without a session token") ); } return this.fxAccountsClient .recoveryEmailStatus(sessionToken, options) .catch(error => this._handleTokenError(error)); }, // set() makes sure that polling is happening, if necessary. // get() does not wait for verification, and returns an object even if // unverified. The caller of get() must check .verified . // The "fxaccounts:onverified" event will fire only when the verified // state goes from false to true, so callers must register their observer // and then call get(). In particular, it will not fire when the account // was found to be verified in a previous boot: if our stored state says // the account is verified, the event will never fire. So callers must do: // register notification observer (go) // userdata = get() // if (userdata.verified()) {go()} /** * Set the current user signed in to Firefox Accounts. * * @param credentials * The credentials object obtained by logging in or creating * an account on the FxA server: * { * authAt: The time (seconds since epoch) that this record was * authenticated * email: The users email address * keyFetchToken: a keyFetchToken which has not yet been used * sessionToken: Session for the FxA server * uid: The user's unique id * unwrapBKey: used to unwrap kB, derived locally from the * password (not revealed to the FxA server) * verified: true/false * } * @return Promise * The promise resolves to null when the data is saved * successfully and is rejected on error. */ async setSignedInUser(credentials) { if (!lazy.FXA_ENABLED) { throw new Error("Cannot call setSignedInUser when FxA is disabled."); } lazy.Preferences.resetBranch(PREF_ACCOUNT_ROOT); log.debug("setSignedInUser - aborting any existing flows"); const signedInUser = await this.currentAccountState.getUserAccountData(); if (signedInUser) { await this._signOutServer( signedInUser.sessionToken, signedInUser.oauthTokens ); } await this.abortExistingFlow(); let currentAccountState = (this.currentAccountState = this.newAccountState( Cu.cloneInto(credentials, {}) // Pass a clone of the credentials object. )); // This promise waits for storage, but not for verification. // We're telling the caller that this is durable now (although is that // really something we should commit to? Why not let the write happen in // the background? Already does for updateAccountData ;) await currentAccountState.promiseInitialized; // Starting point for polling if new user if (!this.isUserEmailVerified(credentials)) { this.startVerifiedCheck(credentials); } await this.notifyObservers(ONLOGIN_NOTIFICATION); await this.updateDeviceRegistration(); return currentAccountState.resolve(); }, /** * Update account data for the currently signed in user. * * @param credentials * The credentials object containing the fields to be updated. * This object must contain the |uid| field and it must * match the currently signed in user. */ updateUserAccountData(credentials) { log.debug( "updateUserAccountData called with fields", Object.keys(credentials) ); if (logPII) { log.debug("updateUserAccountData called with data", credentials); } let currentAccountState = this.currentAccountState; return currentAccountState.promiseInitialized.then(() => { if (!credentials.uid) { throw new Error("The specified credentials have no uid"); } return currentAccountState.updateUserAccountData(credentials); }); }, /* * Reset state such that any previous flow is canceled. */ abortExistingFlow() { if (this.currentTimer) { log.debug("Polling aborted; Another user signing in"); clearTimeout(this.currentTimer); this.currentTimer = 0; } if (this._profile) { this._profile.tearDown(); this._profile = null; } if (this._commands) { this._commands = null; } if (this._device) { this._device.reset(); } // We "abort" the accountState and assume our caller is about to throw it // away and replace it with a new one. return this.currentAccountState.abort(); }, async checkVerificationStatus() { log.trace("checkVerificationStatus"); let state = this.currentAccountState; let data = await state.getUserAccountData(); if (!data) { log.trace("checkVerificationStatus - no user data"); return null; } // Always check the verification status, even if the local state indicates // we're already verified. If the user changed their password, the check // will fail, and we'll enter the reauth state. log.trace("checkVerificationStatus - forcing verification status check"); return this.startPollEmailStatus(state, data.sessionToken, "push"); }, _destroyOAuthToken(tokenData) { return this.fxAccountsClient.oauthDestroy( FX_OAUTH_CLIENT_ID, tokenData.token ); }, _destroyAllOAuthTokens(tokenInfos) { if (!tokenInfos) { return Promise.resolve(); } // let's just destroy them all in parallel... let promises = []; for (let tokenInfo of Object.values(tokenInfos)) { promises.push(this._destroyOAuthToken(tokenInfo)); } return Promise.all(promises); }, async signOut(localOnly) { let sessionToken; let tokensToRevoke; const data = await this.currentAccountState.getUserAccountData(); // Save the sessionToken, tokens before resetting them in _signOutLocal(). if (data) { sessionToken = data.sessionToken; tokensToRevoke = data.oauthTokens; } await this.notifyObservers(ON_PRELOGOUT_NOTIFICATION); await this._signOutLocal(); if (!localOnly) { // Do this in the background so *any* slow request won't // block the local sign out. Services.tm.dispatchToMainThread(async () => { await this._signOutServer(sessionToken, tokensToRevoke); lazy.FxAccountsConfig.resetConfigURLs(); this.notifyObservers("testhelper-fxa-signout-complete"); }); } else { // We want to do this either way -- but if we're signing out remotely we // need to wait until we destroy the oauth tokens if we want that to succeed. lazy.FxAccountsConfig.resetConfigURLs(); } return this.notifyObservers(ONLOGOUT_NOTIFICATION); }, async _signOutLocal() { lazy.Preferences.resetBranch(PREF_ACCOUNT_ROOT); await this.currentAccountState.signOut(); // this "aborts" this.currentAccountState but doesn't make a new one. await this.abortExistingFlow(); this.currentAccountState = this.newAccountState(); return this.currentAccountState.promiseInitialized; }, async _signOutServer(sessionToken, tokensToRevoke) { log.debug("Unsubscribing from FxA push."); try { await this.fxaPushService.unsubscribe(); } catch (err) { log.error("Could not unsubscribe from push.", err); } if (sessionToken) { log.debug("Destroying session and device."); try { await this.fxAccountsClient.signOut(sessionToken, { service: "sync" }); } catch (err) { log.error("Error during remote sign out of Firefox Accounts", err); } } else { log.warn("Missing session token; skipping remote sign out"); } log.debug("Destroying all OAuth tokens."); try { await this._destroyAllOAuthTokens(tokensToRevoke); } catch (err) { log.error("Error during destruction of oauth tokens during signout", err); } }, getUserAccountData(fieldNames = null) { return this.currentAccountState.getUserAccountData(fieldNames); }, isUserEmailVerified: function isUserEmailVerified(data) { return !!(data && data.verified); }, /** * Setup for and if necessary do email verification polling. */ loadAndPoll() { let currentState = this.currentAccountState; return currentState.getUserAccountData().then(data => { if (data) { if (!this.isUserEmailVerified(data)) { this.startPollEmailStatus( currentState, data.sessionToken, "browser-startup" ); } } return data; }); }, startVerifiedCheck(data) { log.debug("startVerifiedCheck", data && data.verified); if (logPII) { log.debug("startVerifiedCheck with user data", data); } // Get us to the verified state. This returns a promise that will fire when // verification is complete. // The callers of startVerifiedCheck never consume a returned promise (ie, // this is simply kicking off a background fetch) so we must add a rejection // handler to avoid runtime warnings about the rejection not being handled. this.whenVerified(data).catch(err => log.info("startVerifiedCheck promise was rejected: " + err) ); }, whenVerified(data) { let currentState = this.currentAccountState; if (data.verified) { log.debug("already verified"); return currentState.resolve(data); } if (!currentState.whenVerifiedDeferred) { log.debug("whenVerified promise starts polling for verified email"); this.startPollEmailStatus(currentState, data.sessionToken, "start"); } return currentState.whenVerifiedDeferred.promise.then(result => currentState.resolve(result) ); }, async notifyObservers(topic, data) { for (let f of this.observerPreloads) { try { await f(); } catch (O_o) {} } log.debug("Notifying observers of " + topic); Services.obs.notifyObservers(null, topic, data); }, startPollEmailStatus(currentState, sessionToken, why) { log.debug("entering startPollEmailStatus: " + why); // If we were already polling, stop and start again. This could happen // if the user requested the verification email to be resent while we // were already polling for receipt of an earlier email. if (this.currentTimer) { log.debug( "startPollEmailStatus starting while existing timer is running" ); clearTimeout(this.currentTimer); this.currentTimer = null; } this.pollStartDate = Date.now(); if (!currentState.whenVerifiedDeferred) { currentState.whenVerifiedDeferred = PromiseUtils.defer(); // This deferred might not end up with any handlers (eg, if sync // is yet to start up.) This might cause "A promise chain failed to // handle a rejection" messages, so add an error handler directly // on the promise to log the error. currentState.whenVerifiedDeferred.promise.then( () => { log.info("the user became verified"); // We are now ready for business. This should only be invoked once // per setSignedInUser(), regardless of whether we've rebooted since // setSignedInUser() was called. this.notifyObservers(ONVERIFIED_NOTIFICATION); }, err => { log.info("the wait for user verification was stopped: " + err); } ); } return this.pollEmailStatus(currentState, sessionToken, why); }, // We return a promise for testing only. Other callers can ignore this, // since verification polling continues in the background. async pollEmailStatus(currentState, sessionToken, why) { log.debug("entering pollEmailStatus: " + why); let nextPollMs; try { const response = await this.checkEmailStatus(sessionToken, { reason: why, }); log.debug("checkEmailStatus -> " + JSON.stringify(response)); if (response && response.verified) { await this.onPollEmailSuccess(currentState); return; } } catch (error) { if (error && error.code && error.code == 401) { let error = new Error("Verification status check failed"); this._rejectWhenVerified(currentState, error); return; } if (error && error.retryAfter) { // If the server told us to back off, back off the requested amount. nextPollMs = (error.retryAfter + 3) * 1000; log.warn( `the server rejected our email status check and told us to try again in ${nextPollMs}ms` ); } else { log.error(`checkEmailStatus failed to poll`, error); } } if (why == "push") { return; } let pollDuration = Date.now() - this.pollStartDate; // Polling session expired. if (pollDuration >= this.POLL_SESSION) { if (currentState.whenVerifiedDeferred) { let error = new Error("User email verification timed out."); this._rejectWhenVerified(currentState, error); } log.debug("polling session exceeded, giving up"); return; } // Poll email status again after a short delay. if (nextPollMs === undefined) { let currentMinute = Math.ceil(pollDuration / 60000); nextPollMs = why == "start" && currentMinute < this.VERIFICATION_POLL_START_SLOWDOWN_THRESHOLD ? this.VERIFICATION_POLL_TIMEOUT_INITIAL : this.VERIFICATION_POLL_TIMEOUT_SUBSEQUENT; } this._scheduleNextPollEmailStatus( currentState, sessionToken, nextPollMs, why ); }, // Easy-to-mock testable method _scheduleNextPollEmailStatus(currentState, sessionToken, nextPollMs, why) { log.debug("polling with timeout = " + nextPollMs); this.currentTimer = setTimeout(() => { this.pollEmailStatus(currentState, sessionToken, why); }, nextPollMs); }, async onPollEmailSuccess(currentState) { try { await currentState.updateUserAccountData({ verified: true }); const accountData = await currentState.getUserAccountData(); this._setLastUserPref(accountData.email); // Now that the user is verified, we can proceed to fetch keys if (currentState.whenVerifiedDeferred) { currentState.whenVerifiedDeferred.resolve(accountData); delete currentState.whenVerifiedDeferred; } } catch (e) { log.error(e); } }, _rejectWhenVerified(currentState, error) { currentState.whenVerifiedDeferred.reject(error); delete currentState.whenVerifiedDeferred; }, /** * Does the actual fetch of an oauth token for getOAuthToken() * using the account session token. * * It's split out into a separate method so that we can easily * stash in-flight calls in a cache. * * @param {String} scopeString * @param {Number} ttl * @returns {Promise} * @private */ async _doTokenFetchWithSessionToken(sessionToken, scopeString, ttl) { const result = await this.fxAccountsClient.accessTokenWithSessionToken( sessionToken, FX_OAUTH_CLIENT_ID, scopeString, ttl ); return result.access_token; }, getOAuthToken(options = {}) { log.debug("getOAuthToken enter"); let scope = options.scope; if (typeof scope === "string") { scope = [scope]; } if (!scope || !scope.length) { return Promise.reject( this._error( ERROR_INVALID_PARAMETER, "Missing or invalid 'scope' option" ) ); } return this.withSessionToken(async (sessionToken, currentState) => { // Early exit for a cached token. let cached = currentState.getCachedToken(scope); if (cached) { log.debug("getOAuthToken returning a cached token"); return cached.token; } // Build the string we use in our "inflight" map and that we send to the // server. Because it's used as a key in the map we sort the scopes. let scopeString = scope.sort().join(" "); // We keep a map of in-flight requests to avoid multiple promise-based // consumers concurrently requesting the same token. let maybeInFlight = currentState.inFlightTokenRequests.get(scopeString); if (maybeInFlight) { log.debug("getOAuthToken has an in-flight request for this scope"); return maybeInFlight; } // We need to start a new fetch and stick the promise in our in-flight map // and remove it when it resolves. let promise = this._doTokenFetchWithSessionToken( sessionToken, scopeString, options.ttl ) .then(token => { // As a sanity check, ensure something else hasn't raced getting a token // of the same scope. If something has we just make noise rather than // taking any concrete action because it should never actually happen. if (currentState.getCachedToken(scope)) { log.error(`detected a race for oauth token with scope ${scope}`); } // If we got one, cache it. if (token) { let entry = { token }; currentState.setCachedToken(scope, entry); } return token; }) .finally(() => { // Remove ourself from the in-flight map. There's no need to check the // result of .delete() to handle a signout race, because setCachedToken // above will fail in that case and cause the entire call to fail. currentState.inFlightTokenRequests.delete(scopeString); }); currentState.inFlightTokenRequests.set(scopeString, promise); return promise; }); }, /** * Remove an OAuth token from the token cache * and makes a network request to FxA server to destroy the token. * * @param options * { * token: (string) A previously fetched token. * } * @return Promise. This function will always resolve, even if * an unknown token is passed. */ removeCachedOAuthToken(options) { if (!options.token || typeof options.token !== "string") { throw this._error( ERROR_INVALID_PARAMETER, "Missing or invalid 'token' option" ); } return this.withCurrentAccountState(currentState => { let existing = currentState.removeCachedToken(options.token); if (existing) { // background destroy. this._destroyOAuthToken(existing).catch(err => { log.warn("FxA failed to revoke a cached token", err); }); } }); }, async _getVerifiedAccountOrReject() { let data = await this.currentAccountState.getUserAccountData(); if (!data) { // No signed-in user throw this._error(ERROR_NO_ACCOUNT); } if (!this.isUserEmailVerified(data)) { // Signed-in user has not verified email throw this._error(ERROR_UNVERIFIED_ACCOUNT); } return data; }, // _handle* methods used by push, used when the account/device status is // changed on a different device. async _handleAccountDestroyed(uid) { let state = this.currentAccountState; const accountData = await state.getUserAccountData(); const localUid = accountData ? accountData.uid : null; if (!localUid) { log.info( `Account destroyed push notification received, but we're already logged-out` ); return null; } if (uid == localUid) { const data = JSON.stringify({ isLocalDevice: true }); await this.notifyObservers(ON_DEVICE_DISCONNECTED_NOTIFICATION, data); return this.signOut(true); } log.info( `The destroyed account uid doesn't match with the local uid. ` + `Local: ${localUid}, account uid destroyed: ${uid}` ); return null; }, async _handleDeviceDisconnection(deviceId) { let state = this.currentAccountState; const accountData = await state.getUserAccountData(); if (!accountData || !accountData.device) { // Nothing we can do here. return; } const localDeviceId = accountData.device.id; const isLocalDevice = deviceId == localDeviceId; if (isLocalDevice) { this.signOut(true); } const data = JSON.stringify({ isLocalDevice }); await this.notifyObservers(ON_DEVICE_DISCONNECTED_NOTIFICATION, data); }, _setLastUserPref(newEmail) { Services.prefs.setStringPref( PREF_LAST_FXA_USER, CryptoUtils.sha256Base64(newEmail) ); }, async _handleEmailUpdated(newEmail) { this._setLastUserPref(newEmail); await this.currentAccountState.updateUserAccountData({ email: newEmail }); }, /* * Coerce an error into one of the general error cases: * NETWORK_ERROR * AUTH_ERROR * UNKNOWN_ERROR * * These errors will pass through: * INVALID_PARAMETER * NO_ACCOUNT * UNVERIFIED_ACCOUNT */ _errorToErrorClass(aError) { if (aError.errno) { let error = SERVER_ERRNO_TO_ERROR[aError.errno]; return this._error( ERROR_TO_GENERAL_ERROR_CLASS[error] || ERROR_UNKNOWN, aError ); } else if ( aError.message && (aError.message === "INVALID_PARAMETER" || aError.message === "NO_ACCOUNT" || aError.message === "UNVERIFIED_ACCOUNT" || aError.message === "AUTH_ERROR") ) { return aError; } return this._error(ERROR_UNKNOWN, aError); }, _error(aError, aDetails) { log.error("FxA rejecting with error ${aError}, details: ${aDetails}", { aError, aDetails, }); let reason = new Error(aError); if (aDetails) { reason.details = aDetails; } return reason; }, // Attempt to update the auth server with whatever device details are stored // in the account data. Returns a promise that always resolves, never rejects. // If the promise resolves to a value, that value is the device id. updateDeviceRegistration() { return this.device.updateDeviceRegistration(); }, /** * Delete all the persisted credentials we store for FxA. After calling * this, the user will be forced to re-authenticate to continue. * * @return Promise resolves when the user data has been persisted */ dropCredentials(state) { // Delete all fields except those required for the user to // reauthenticate. let updateData = {}; let clearField = field => { if (!FXA_PWDMGR_REAUTH_ALLOWLIST.has(field)) { updateData[field] = null; } }; FXA_PWDMGR_PLAINTEXT_FIELDS.forEach(clearField); FXA_PWDMGR_SECURE_FIELDS.forEach(clearField); return state.updateUserAccountData(updateData); }, async checkAccountStatus(state) { log.info("checking account status..."); let data = await state.getUserAccountData(["uid", "sessionToken"]); if (!data) { log.info("account status: no user"); return false; } // If we have a session token, then check if that remains valid - if this // works we know the account must also be OK. if (data.sessionToken) { if (await this.fxAccountsClient.sessionStatus(data.sessionToken)) { log.info("account status: ok"); return true; } } let exists = await this.fxAccountsClient.accountStatus(data.uid); if (!exists) { // Delete all local account data. Since the account no longer // exists, we can skip the remote calls. log.info("account status: deleted"); await this._handleAccountDestroyed(data.uid); } else { // Note that we may already have been in a "needs reauth" state (ie, if // this function was called when we already had no session token), but // that's OK - re-notifying etc should cause no harm. log.info("account status: needs reauthentication"); await this.dropCredentials(this.currentAccountState); // Notify the account state has changed so the UI updates. await this.notifyObservers(ON_ACCOUNT_STATE_CHANGE_NOTIFICATION); } return false; }, async _handleTokenError(err) { if (!err || err.code != 401 || err.errno != ERRNO_INVALID_AUTH_TOKEN) { throw err; } log.warn("handling invalid token error", err); // Note that we don't use `withCurrentAccountState` here as that will cause // an error to be thrown if we sign out due to the account not existing. let state = this.currentAccountState; let ok = await this.checkAccountStatus(state); if (ok) { log.warn("invalid token error, but account state appears ok?"); } // always re-throw the error. throw err; }, }; let fxAccountsSingleton = null; function getFxAccountsSingleton() { if (fxAccountsSingleton) { return fxAccountsSingleton; } fxAccountsSingleton = new FxAccounts(); // XXX Bug 947061 - We need a strategy for resuming email verification after // browser restart fxAccountsSingleton._internal.loadAndPoll(); return fxAccountsSingleton; } // `AccountState` is exported for tests. var EXPORTED_SYMBOLS = ["getFxAccountsSingleton", "FxAccounts", "AccountState"];