path: root/services/fxaccounts/tests/xpcshell/test_client.js

/* Any copyright is dedicated to the Public Domain.
 * http://creativecommons.org/publicdomain/zero/1.0/ */

"use strict";

const { FxAccountsClient } = ChromeUtils.importESModule(
  "resource://gre/modules/FxAccountsClient.sys.mjs"
);

const FAKE_SESSION_TOKEN =
  "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf";

// https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol#.2Faccount.2Fkeys
var ACCOUNT_KEYS = {
  keyFetch: h(
    // eslint-disable-next-line no-useless-concat
    "8081828384858687 88898a8b8c8d8e8f" + "9091929394959697 98999a9b9c9d9e9f"
  ),

  response: h(
    "ee5c58845c7c9412 b11bbd20920c2fdd" +
      "d83c33c9cd2c2de2 d66b222613364636" +
      "c2c0f8cfbb7c6304 72c0bd88451342c6" +
      "c05b14ce342c5ad4 6ad89e84464c993c" +
      "3927d30230157d08 17a077eef4b20d97" +
      "6f7a97363faf3f06 4c003ada7d01aa70"
  ),

  kA: h(
    // eslint-disable-next-line no-useless-concat
    "2021222324252627 28292a2b2c2d2e2f" + "3031323334353637 38393a3b3c3d3e3f"
  ),

  wrapKB: h(
    // eslint-disable-next-line no-useless-concat
    "4041424344454647 48494a4b4c4d4e4f" + "5051525354555657 58595a5b5c5d5e5f"
  ),
};

add_task(async function test_authenticated_get_request() {
  let message = '{"msg": "Great Success!"}';
  let credentials = {
    id: "eyJleHBpcmVzIjogMTM2NTAxMDg5OC4x",
    key: "qTZf4ZFpAMpMoeSsX3zVRjiqmNs=",
    algorithm: "sha256",
  };
  let method = "GET";

  let server = httpd_setup({
    "/foo": function (request, response) {
      Assert.ok(request.hasHeader("Authorization"));

      response.setStatusLine(request.httpVersion, 200, "OK");
      response.bodyOutputStream.write(message, message.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);

  let result = await client._request("/foo", method, credentials);
  Assert.equal("Great Success!", result.msg);

  await promiseStopServer(server);
});

add_task(async function test_authenticated_post_request() {
  let credentials = {
    id: "eyJleHBpcmVzIjogMTM2NTAxMDg5OC4x",
    key: "qTZf4ZFpAMpMoeSsX3zVRjiqmNs=",
    algorithm: "sha256",
  };
  let method = "POST";

  let server = httpd_setup({
    "/foo": function (request, response) {
      Assert.ok(request.hasHeader("Authorization"));

      response.setStatusLine(request.httpVersion, 200, "OK");
      response.setHeader("Content-Type", "application/json");
      response.bodyOutputStream.writeFrom(
        request.bodyInputStream,
        request.bodyInputStream.available()
      );
    },
  });

  let client = new FxAccountsClient(server.baseURI);

  let result = await client._request("/foo", method, credentials, {
    foo: "bar",
  });
  Assert.equal("bar", result.foo);

  await promiseStopServer(server);
});

add_task(async function test_500_error() {
  let message = "<h1>Ooops!</h1>";
  let method = "GET";

  let server = httpd_setup({
    "/foo": function (request, response) {
      response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
      response.bodyOutputStream.write(message, message.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);

  try {
    await client._request("/foo", method);
    do_throw("Expected to catch an exception");
  } catch (e) {
    Assert.equal(500, e.code);
    Assert.equal("Internal Server Error", e.message);
  }

  await promiseStopServer(server);
});

add_task(async function test_backoffError() {
  let method = "GET";
  let server = httpd_setup({
    "/retryDelay": function (request, response) {
      response.setHeader("Retry-After", "30");
      response.setStatusLine(
        request.httpVersion,
        429,
        "Client has sent too many requests"
      );
      let message = "<h1>Ooops!</h1>";
      response.bodyOutputStream.write(message, message.length);
    },
    "/duringDelayIShouldNotBeCalled": function (request, response) {
      response.setStatusLine(request.httpVersion, 200, "OK");
      let jsonMessage = '{"working": "yes"}';
      response.bodyOutputStream.write(jsonMessage, jsonMessage.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);

  // Retry-After header sets client.backoffError
  Assert.equal(client.backoffError, null);
  try {
    await client._request("/retryDelay", method);
  } catch (e) {
    Assert.equal(429, e.code);
    Assert.equal(30, e.retryAfter);
    Assert.notEqual(typeof client.fxaBackoffTimer, "undefined");
    Assert.notEqual(client.backoffError, null);
  }
  // While delay is in effect, client short-circuits any requests
  // and re-rejects with previous error.
  try {
    await client._request("/duringDelayIShouldNotBeCalled", method);
    throw new Error("I should not be reached");
  } catch (e) {
    Assert.equal(e.retryAfter, 30);
    Assert.equal(e.message, "Client has sent too many requests");
    Assert.notEqual(client.backoffError, null);
  }
  // Once timer fires, client nulls error out and HTTP calls work again.
  client._clearBackoff();
  let result = await client._request("/duringDelayIShouldNotBeCalled", method);
  Assert.equal(client.backoffError, null);
  Assert.equal(result.working, "yes");

  await promiseStopServer(server);
});

add_task(async function test_signUp() {
  let creationMessage_noKey = JSON.stringify({
    uid: "uid",
    sessionToken: "sessionToken",
  });
  let creationMessage_withKey = JSON.stringify({
    uid: "uid",
    sessionToken: "sessionToken",
    keyFetchToken: "keyFetchToken",
  });
  let errorMessage = JSON.stringify({
    code: 400,
    errno: 101,
    error: "account exists",
  });
  let created = false;

  // Note these strings must be unicode and not already utf-8 encoded.
  let unicodeUsername = "andr\xe9@example.org"; // 'andré@example.org'
  let unicodePassword = "p\xe4ssw\xf6rd"; // 'pässwörd'
  let server = httpd_setup({
    "/account/create": function (request, response) {
      let body = CommonUtils.readBytesFromInputStream(request.bodyInputStream);
      body = CommonUtils.decodeUTF8(body);
      let jsonBody = JSON.parse(body);

      // https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol#wiki-test-vectors

      if (created) {
        // Error trying to create same account a second time
        response.setStatusLine(request.httpVersion, 400, "Bad request");
        response.bodyOutputStream.write(errorMessage, errorMessage.length);
        return;
      }

      if (jsonBody.email == unicodeUsername) {
        Assert.equal("", request._queryString);
        Assert.equal(
          jsonBody.authPW,
          "247b675ffb4c46310bc87e26d712153abe5e1c90ef00a4784594f97ef54f2375"
        );

        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write(
          creationMessage_noKey,
          creationMessage_noKey.length
        );
        return;
      }

      if (jsonBody.email == "you@example.org") {
        Assert.equal("keys=true", request._queryString);
        Assert.equal(
          jsonBody.authPW,
          "e5c1cdfdaa5fcee06142db865b212cc8ba8abee2a27d639d42c139f006cdb930"
        );
        created = true;

        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write(
          creationMessage_withKey,
          creationMessage_withKey.length
        );
        return;
      }
      // just throwing here doesn't make any log noise, so have an assertion
      // fail instead.
      Assert.ok(false, "unexpected email: " + jsonBody.email);
    },
  });

  // Try to create an account without retrieving optional keys.
  let client = new FxAccountsClient(server.baseURI);
  let result = await client.signUp(unicodeUsername, unicodePassword);
  Assert.equal("uid", result.uid);
  Assert.equal("sessionToken", result.sessionToken);
  Assert.equal(undefined, result.keyFetchToken);
  Assert.equal(
    result.unwrapBKey,
    "de6a2648b78284fcb9ffa81ba95803309cfba7af583c01a8a1a63e567234dd28"
  );

  // Try to create an account retrieving optional keys.
  result = await client.signUp("you@example.org", "pässwörd", true);
  Assert.equal("uid", result.uid);
  Assert.equal("sessionToken", result.sessionToken);
  Assert.equal("keyFetchToken", result.keyFetchToken);
  Assert.equal(
    result.unwrapBKey,
    "f589225b609e56075d76eb74f771ff9ab18a4dc0e901e131ba8f984c7fb0ca8c"
  );

  // Try to create an existing account.  Triggers error path.
  try {
    result = await client.signUp(unicodeUsername, unicodePassword);
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(101, expectedError.errno);
  }

  await promiseStopServer(server);
});

add_task(async function test_signIn() {
  let sessionMessage_noKey = JSON.stringify({
    sessionToken: FAKE_SESSION_TOKEN,
  });
  let sessionMessage_withKey = JSON.stringify({
    sessionToken: FAKE_SESSION_TOKEN,
    keyFetchToken: "keyFetchToken",
  });
  let errorMessage_notExistent = JSON.stringify({
    code: 400,
    errno: 102,
    error: "doesn't exist",
  });
  let errorMessage_wrongCap = JSON.stringify({
    code: 400,
    errno: 120,
    error: "Incorrect email case",
    email: "you@example.com",
  });

  // Note this strings must be unicode and not already utf-8 encoded.
  let unicodeUsername = "m\xe9@example.com"; // 'mé@example.com'
  let server = httpd_setup({
    "/account/login": function (request, response) {
      let body = CommonUtils.readBytesFromInputStream(request.bodyInputStream);
      body = CommonUtils.decodeUTF8(body);
      let jsonBody = JSON.parse(body);

      if (jsonBody.email == unicodeUsername) {
        Assert.equal("", request._queryString);
        Assert.equal(
          jsonBody.authPW,
          "08b9d111196b8408e8ed92439da49206c8ecfbf343df0ae1ecefcd1e0174a8b6"
        );
        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write(
          sessionMessage_noKey,
          sessionMessage_noKey.length
        );
      } else if (jsonBody.email == "you@example.com") {
        Assert.equal("keys=true", request._queryString);
        Assert.equal(
          jsonBody.authPW,
          "93d20ec50304d496d0707ec20d7e8c89459b6396ec5dd5b9e92809c5e42856c7"
        );
        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write(
          sessionMessage_withKey,
          sessionMessage_withKey.length
        );
      } else if (jsonBody.email == "You@example.com") {
        // Error trying to sign in with a wrong capitalization
        response.setStatusLine(request.httpVersion, 400, "Bad request");
        response.bodyOutputStream.write(
          errorMessage_wrongCap,
          errorMessage_wrongCap.length
        );
      } else {
        // Error trying to sign in to nonexistent account
        response.setStatusLine(request.httpVersion, 400, "Bad request");
        response.bodyOutputStream.write(
          errorMessage_notExistent,
          errorMessage_notExistent.length
        );
      }
    },
  });

  // Login without retrieving optional keys
  let client = new FxAccountsClient(server.baseURI);
  let result = await client.signIn(unicodeUsername, "bigsecret");
  Assert.equal(FAKE_SESSION_TOKEN, result.sessionToken);
  Assert.equal(
    result.unwrapBKey,
    "c076ec3f4af123a615157154c6e1d0d6293e514fd7b0221e32d50517ecf002b8"
  );
  Assert.equal(undefined, result.keyFetchToken);

  // Login with retrieving optional keys
  result = await client.signIn("you@example.com", "bigsecret", true);
  Assert.equal(FAKE_SESSION_TOKEN, result.sessionToken);
  Assert.equal(
    result.unwrapBKey,
    "65970516211062112e955d6420bebe020269d6b6a91ebd288319fc8d0cb49624"
  );
  Assert.equal("keyFetchToken", result.keyFetchToken);

  // Retry due to wrong email capitalization
  result = await client.signIn("You@example.com", "bigsecret", true);
  Assert.equal(FAKE_SESSION_TOKEN, result.sessionToken);
  Assert.equal(
    result.unwrapBKey,
    "65970516211062112e955d6420bebe020269d6b6a91ebd288319fc8d0cb49624"
  );
  Assert.equal("keyFetchToken", result.keyFetchToken);

  // Trigger error path
  try {
    result = await client.signIn("yøü@bad.example.org", "nofear");
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(102, expectedError.errno);
  }

  await promiseStopServer(server);
});

add_task(async function test_signOut() {
  let signoutMessage = JSON.stringify({});
  let errorMessage = JSON.stringify({
    code: 400,
    errno: 102,
    error: "doesn't exist",
  });
  let signedOut = false;

  let server = httpd_setup({
    "/session/destroy": function (request, response) {
      if (!signedOut) {
        signedOut = true;
        Assert.ok(request.hasHeader("Authorization"));
        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write(signoutMessage, signoutMessage.length);
        return;
      }

      // Error trying to sign out of nonexistent account
      response.setStatusLine(request.httpVersion, 400, "Bad request");
      response.bodyOutputStream.write(errorMessage, errorMessage.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);
  let result = await client.signOut("FakeSession");
  Assert.equal(typeof result, "object");

  // Trigger error path
  try {
    result = await client.signOut("FakeSession");
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(102, expectedError.errno);
  }

  await promiseStopServer(server);
});

add_task(async function test_recoveryEmailStatus() {
  let emailStatus = JSON.stringify({ verified: true });
  let errorMessage = JSON.stringify({
    code: 400,
    errno: 102,
    error: "doesn't exist",
  });
  let tries = 0;

  let server = httpd_setup({
    "/recovery_email/status": function (request, response) {
      Assert.ok(request.hasHeader("Authorization"));
      Assert.equal("", request._queryString);

      if (tries === 0) {
        tries += 1;
        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write(emailStatus, emailStatus.length);
        return;
      }

      // Second call gets an error trying to query a nonexistent account
      response.setStatusLine(request.httpVersion, 400, "Bad request");
      response.bodyOutputStream.write(errorMessage, errorMessage.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);
  let result = await client.recoveryEmailStatus(FAKE_SESSION_TOKEN);
  Assert.equal(result.verified, true);

  // Trigger error path
  try {
    result = await client.recoveryEmailStatus("some bogus session");
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(102, expectedError.errno);
  }

  await promiseStopServer(server);
});

add_task(async function test_recoveryEmailStatusWithReason() {
  let emailStatus = JSON.stringify({ verified: true });
  let server = httpd_setup({
    "/recovery_email/status": function (request, response) {
      Assert.ok(request.hasHeader("Authorization"));
      // if there is a query string then it will have a reason
      Assert.equal("reason=push", request._queryString);

      response.setStatusLine(request.httpVersion, 200, "OK");
      response.bodyOutputStream.write(emailStatus, emailStatus.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);
  let result = await client.recoveryEmailStatus(FAKE_SESSION_TOKEN, {
    reason: "push",
  });
  Assert.equal(result.verified, true);
  await promiseStopServer(server);
});

add_task(async function test_resendVerificationEmail() {
  let emptyMessage = "{}";
  let errorMessage = JSON.stringify({
    code: 400,
    errno: 102,
    error: "doesn't exist",
  });
  let tries = 0;

  let server = httpd_setup({
    "/recovery_email/resend_code": function (request, response) {
      Assert.ok(request.hasHeader("Authorization"));
      if (tries === 0) {
        tries += 1;
        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write(emptyMessage, emptyMessage.length);
        return;
      }

      // Second call gets an error trying to query a nonexistent account
      response.setStatusLine(request.httpVersion, 400, "Bad request");
      response.bodyOutputStream.write(errorMessage, errorMessage.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);
  let result = await client.resendVerificationEmail(FAKE_SESSION_TOKEN);
  Assert.equal(JSON.stringify(result), emptyMessage);

  // Trigger error path
  try {
    result = await client.resendVerificationEmail("some bogus session");
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(102, expectedError.errno);
  }

  await promiseStopServer(server);
});

add_task(async function test_accountKeys() {
  // Four calls to accountKeys().  The first one should work correctly, and we
  // should get a valid bundle back, in exchange for our keyFetch token, from
  // which we correctly derive kA and wrapKB.  The subsequent three calls
  // should all trigger separate error paths.
  let responseMessage = JSON.stringify({ bundle: ACCOUNT_KEYS.response });
  let errorMessage = JSON.stringify({
    code: 400,
    errno: 102,
    error: "doesn't exist",
  });
  let emptyMessage = "{}";
  let attempt = 0;

  let server = httpd_setup({
    "/account/keys": function (request, response) {
      Assert.ok(request.hasHeader("Authorization"));
      attempt += 1;

      switch (attempt) {
        case 1:
          // First time succeeds
          response.setStatusLine(request.httpVersion, 200, "OK");
          response.bodyOutputStream.write(
            responseMessage,
            responseMessage.length
          );
          break;

        case 2:
          // Second time, return no bundle to trigger client error
          response.setStatusLine(request.httpVersion, 200, "OK");
          response.bodyOutputStream.write(emptyMessage, emptyMessage.length);
          break;

        case 3:
          // Return gibberish to trigger client MAC error
          // Tweak a byte
          let garbageResponse = JSON.stringify({
            bundle: ACCOUNT_KEYS.response.slice(0, -1) + "1",
          });
          response.setStatusLine(request.httpVersion, 200, "OK");
          response.bodyOutputStream.write(
            garbageResponse,
            garbageResponse.length
          );
          break;

        case 4:
          // Trigger error for nonexistent account
          response.setStatusLine(request.httpVersion, 400, "Bad request");
          response.bodyOutputStream.write(errorMessage, errorMessage.length);
          break;
      }
    },
  });

  let client = new FxAccountsClient(server.baseURI);

  // First try, all should be good
  let result = await client.accountKeys(ACCOUNT_KEYS.keyFetch);
  Assert.equal(CommonUtils.hexToBytes(ACCOUNT_KEYS.kA), result.kA);
  Assert.equal(CommonUtils.hexToBytes(ACCOUNT_KEYS.wrapKB), result.wrapKB);

  // Second try, empty bundle should trigger error
  try {
    result = await client.accountKeys(ACCOUNT_KEYS.keyFetch);
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(expectedError.message, "failed to retrieve keys");
  }

  // Third try, bad bundle results in MAC error
  try {
    result = await client.accountKeys(ACCOUNT_KEYS.keyFetch);
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(expectedError.message, "error unbundling encryption keys");
  }

  // Fourth try, pretend account doesn't exist
  try {
    result = await client.accountKeys(ACCOUNT_KEYS.keyFetch);
    do_throw("Expected to catch an exception");
  } catch (expectedError) {
    Assert.equal(102, expectedError.errno);
  }

  await promiseStopServer(server);
});

add_task(async function test_accessTokenWithSessionToken() {
  let server = httpd_setup({
    "/oauth/token": function (request, response) {
      const responseMessage = JSON.stringify({
        access_token:
          "43793fdfffec22eb39fc3c44ed09193a6fde4c24e5d6a73f73178597b268af69",
        token_type: "bearer",
        scope: "https://identity.mozilla.com/apps/oldsync",
        expires_in: 21600,
        auth_at: 1589579900,
      });

      response.setStatusLine(request.httpVersion, 200, "OK");
      response.bodyOutputStream.write(responseMessage, responseMessage.length);
    },
  });

  let client = new FxAccountsClient(server.baseURI);
  let sessionTokenHex =
    "0599c36ebb5cad6feb9285b9547b65342b5434d55c07b33bffd4307ab8f82dc4";
  let clientId = "5882386c6d801776";
  let scope = "https://identity.mozilla.com/apps/oldsync";
  let ttl = 100;
  let result = await client.accessTokenWithSessionToken(
    sessionTokenHex,
    clientId,
    scope,
    ttl
  );
  Assert.ok(result);

  await promiseStopServer(server);
});

add_task(async function test_accountExists() {
  let existsMessage = JSON.stringify({
    error: "wrong password",
    code: 400,
    errno: 103,
  });
  let doesntExistMessage = JSON.stringify({
    error: "no such account",
    code: 400,
    errno: 102,
  });
  let emptyMessage = "{}";

  let server = httpd_setup({
    "/account/login": function (request, response) {
      let body = CommonUtils.readBytesFromInputStream(request.bodyInputStream);
      let jsonBody = JSON.parse(body);

      switch (jsonBody.email) {
        // We'll test that these users' accounts exist
        case "i.exist@example.com":
        case "i.also.exist@example.com":
          response.setStatusLine(request.httpVersion, 400, "Bad request");
          response.bodyOutputStream.write(existsMessage, existsMessage.length);
          break;

        // This user's account doesn't exist
        case "i.dont.exist@example.com":
          response.setStatusLine(request.httpVersion, 400, "Bad request");
          response.bodyOutputStream.write(
            doesntExistMessage,
            doesntExistMessage.length
          );
          break;

        // This user throws an unexpected response
        // This will reject the client signIn promise
        case "i.break.things@example.com":
          response.setStatusLine(request.httpVersion, 500, "Alas");
          response.bodyOutputStream.write(emptyMessage, emptyMessage.length);
          break;

        default:
          throw new Error("Unexpected login from " + jsonBody.email);
      }
    },
  });

  let client = new FxAccountsClient(server.baseURI);
  let result;

  result = await client.accountExists("i.exist@example.com");
  Assert.ok(result);

  result = await client.accountExists("i.also.exist@example.com");
  Assert.ok(result);

  result = await client.accountExists("i.dont.exist@example.com");
  Assert.ok(!result);

  try {
    result = await client.accountExists("i.break.things@example.com");
    do_throw("Expected to catch an exception");
  } catch (unexpectedError) {
    Assert.equal(unexpectedError.code, 500);
  }

  await promiseStopServer(server);
});

add_task(async function test_registerDevice() {
  const DEVICE_ID = "device id";
  const DEVICE_NAME = "device name";
  const DEVICE_TYPE = "device type";
  const ERROR_NAME = "test that the client promise rejects";

  const server = httpd_setup({
    "/account/device": function (request, response) {
      const body = JSON.parse(
        CommonUtils.readBytesFromInputStream(request.bodyInputStream)
      );

      if (
        body.id ||
        !body.name ||
        !body.type ||
        Object.keys(body).length !== 2
      ) {
        response.setStatusLine(request.httpVersion, 400, "Invalid request");
        response.bodyOutputStream.write("{}", 2);
        return;
      }

      if (body.name === ERROR_NAME) {
        response.setStatusLine(request.httpVersion, 500, "Alas");
        response.bodyOutputStream.write("{}", 2);
        return;
      }

      body.id = DEVICE_ID;
      body.createdAt = Date.now();

      const responseMessage = JSON.stringify(body);

      response.setStatusLine(request.httpVersion, 200, "OK");
      response.bodyOutputStream.write(responseMessage, responseMessage.length);
    },
  });

  const client = new FxAccountsClient(server.baseURI);
  const result = await client.registerDevice(
    FAKE_SESSION_TOKEN,
    DEVICE_NAME,
    DEVICE_TYPE
  );

  Assert.ok(result);
  Assert.equal(Object.keys(result).length, 4);
  Assert.equal(result.id, DEVICE_ID);
  Assert.equal(typeof result.createdAt, "number");
  Assert.ok(result.createdAt > 0);
  Assert.equal(result.name, DEVICE_NAME);
  Assert.equal(result.type, DEVICE_TYPE);

  try {
    await client.registerDevice(FAKE_SESSION_TOKEN, ERROR_NAME, DEVICE_TYPE);
    do_throw("Expected to catch an exception");
  } catch (unexpectedError) {
    Assert.equal(unexpectedError.code, 500);
  }

  await promiseStopServer(server);
});

add_task(async function test_updateDevice() {
  const DEVICE_ID = "some other id";
  const DEVICE_NAME = "some other name";
  const ERROR_ID = "test that the client promise rejects";

  const server = httpd_setup({
    "/account/device": function (request, response) {
      const body = JSON.parse(
        CommonUtils.readBytesFromInputStream(request.bodyInputStream)
      );

      if (
        !body.id ||
        !body.name ||
        body.type ||
        Object.keys(body).length !== 2
      ) {
        response.setStatusLine(request.httpVersion, 400, "Invalid request");
        response.bodyOutputStream.write("{}", 2);
        return;
      }

      if (body.id === ERROR_ID) {
        response.setStatusLine(request.httpVersion, 500, "Alas");
        response.bodyOutputStream.write("{}", 2);
        return;
      }

      const responseMessage = JSON.stringify(body);

      response.setStatusLine(request.httpVersion, 200, "OK");
      response.bodyOutputStream.write(responseMessage, responseMessage.length);
    },
  });

  const client = new FxAccountsClient(server.baseURI);
  const result = await client.updateDevice(
    FAKE_SESSION_TOKEN,
    DEVICE_ID,
    DEVICE_NAME
  );

  Assert.ok(result);
  Assert.equal(Object.keys(result).length, 2);
  Assert.equal(result.id, DEVICE_ID);
  Assert.equal(result.name, DEVICE_NAME);

  try {
    await client.updateDevice(FAKE_SESSION_TOKEN, ERROR_ID, DEVICE_NAME);
    do_throw("Expected to catch an exception");
  } catch (unexpectedError) {
    Assert.equal(unexpectedError.code, 500);
  }

  await promiseStopServer(server);
});

add_task(async function test_getDeviceList() {
  let canReturnDevices;

  const server = httpd_setup({
    "/account/devices": function (request, response) {
      if (canReturnDevices) {
        response.setStatusLine(request.httpVersion, 200, "OK");
        response.bodyOutputStream.write("[]", 2);
      } else {
        response.setStatusLine(request.httpVersion, 500, "Alas");
        response.bodyOutputStream.write("{}", 2);
      }
    },
  });

  const client = new FxAccountsClient(server.baseURI);

  canReturnDevices = true;
  const result = await client.getDeviceList(FAKE_SESSION_TOKEN);
  Assert.ok(Array.isArray(result));
  Assert.equal(result.length, 0);

  try {
    canReturnDevices = false;
    await client.getDeviceList(FAKE_SESSION_TOKEN);
    do_throw("Expected to catch an exception");
  } catch (unexpectedError) {
    Assert.equal(unexpectedError.code, 500);
  }

  await promiseStopServer(server);
});

add_task(async function test_client_metrics() {
  function writeResp(response, msg) {
    if (typeof msg === "object") {
      msg = JSON.stringify(msg);
    }
    response.bodyOutputStream.write(msg, msg.length);
  }

  let server = httpd_setup({
    "/session/destroy": function (request, response) {
      response.setHeader("Content-Type", "application/json; charset=utf-8");
      response.setStatusLine(request.httpVersion, 401, "Unauthorized");
      writeResp(response, {
        error: "invalid authentication timestamp",
        code: 401,
        errno: 111,
      });
    },
  });

  let client = new FxAccountsClient(server.baseURI);

  await Assert.rejects(
    client.signOut(FAKE_SESSION_TOKEN, {
      service: "sync",
    }),
    function (err) {
      return err.errno == 111;
    }
  );

  await promiseStopServer(server);
});

add_task(async function test_email_case() {
  let canonicalEmail = "greta.garbo@gmail.com";
  let clientEmail = "Greta.Garbo@gmail.COM";
  let attempts = 0;

  function writeResp(response, msg) {
    if (typeof msg === "object") {
      msg = JSON.stringify(msg);
    }
    response.bodyOutputStream.write(msg, msg.length);
  }

  let server = httpd_setup({
    "/account/login": function (request, response) {
      response.setHeader("Content-Type", "application/json; charset=utf-8");
      attempts += 1;
      if (attempts > 2) {
        response.setStatusLine(
          request.httpVersion,
          429,
          "Sorry, you had your chance"
        );
        return writeResp(response, "");
      }

      let body = CommonUtils.readBytesFromInputStream(request.bodyInputStream);
      let jsonBody = JSON.parse(body);
      let email = jsonBody.email;

      // If the client has the wrong case on the email, we return a 400, with
      // the capitalization of the email as saved in the accounts database.
      if (email == canonicalEmail) {
        response.setStatusLine(request.httpVersion, 200, "Yay");
        return writeResp(response, { areWeHappy: "yes" });
      }

      response.setStatusLine(request.httpVersion, 400, "Incorrect email case");
      return writeResp(response, {
        code: 400,
        errno: 120,
        error: "Incorrect email case",
        email: canonicalEmail,
      });
    },
  });

  let client = new FxAccountsClient(server.baseURI);

  let result = await client.signIn(clientEmail, "123456");
  Assert.equal(result.areWeHappy, "yes");
  Assert.equal(attempts, 2);

  await promiseStopServer(server);
});

// turn formatted test vectors into normal hex strings
function h(hexStr) {
  return hexStr.replace(/\s+/g, "");
}