Bug 1023463 - [FxA] Leave user logged in after failed RP refresh authentication. r=jedp, a=lmandel
authorSam Penrose <spenrose@mozilla.com>
Tue, 10 Jun 2014 16:38:55 -0700
changeset 207310 f4c13377f1fe98e4feea1e95f6b85baf085d068c
parent 207309 8afd9789d02c049c09cbccc6fff89fe3c92931da
child 207311 5e4c58fb6a40a9181cc35ba5c567ced155fc189f
push id3741
push userasasaki@mozilla.com
push dateMon, 21 Jul 2014 20:25:18 +0000
reviewersjedp, lmandel
bugs1023463
milestone32.0a2
Bug 1023463 - [FxA] Leave user logged in after failed RP refresh authentication. r=jedp, a=lmandel
services/fxaccounts/FxAccountsManager.jsm
--- a/services/fxaccounts/FxAccountsManager.jsm
+++ b/services/fxaccounts/FxAccountsManager.jsm
@@ -172,17 +172,17 @@ this.FxAccountsManager = {
     if (errno == ERRNO_INVALID_AUTH_TOKEN) {
       return this._fxAccounts.accountStatus().then(
         (exists) => {
           // ... if the email still maps to an account, the password
           // must have changed, so ask the user to enter the new one ...
           if (exists) {
             return this.getAccount().then(
               (user) => {
-                return this._refreshAuthentication(aAudience, user.email);
+                return this._refreshAuthentication(aAudience, user.email, true);
               }
             );
           // ... otherwise, the account was deleted, so ask for Sign In/Up
           } else {
             return this._localSignOut().then(
               () => {
                 return this._uiRequest(UI_REQUEST_SIGN_IN_FLOW, aAudience);
               },
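Review bot: The bare positional `true` added on the `_refreshAuthentication(aAudience, user.email, true)` line leaves the call site opaque — nothing here tells a reader that the third argument selects sign-out-on-failure, and this invalid-token path is the only caller that keeps the session-ending behaviour while every other caller now falls back to the `false` default. Because this branch is the "password changed on the server" case, the choice should be documented where it is made, e.g. a comment above the call: `// Password changed on the server: a failed refresh must sign the account out.`, or a named constant such as `const LOGOUT_ON_FAILURE = true;` passed in place of the literal. The enclosing function begins before and ends after this hunk.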
@@ -204,31 +204,44 @@ this.FxAccountsManager = {
         return result;
       },
       (reason) => {
         return this._handleGetAssertionError(reason, aAudience);
       }
     );
   },
 
-  _refreshAuthentication: function(aAudience, aEmail) {
+  /**
+   * "Refresh authentication" means:
+   *   Interactively demonstrate knowledge of the FxA password
+   *   for the currently logged-in account.
+   * There are two very different scenarios:
+   *   1) The password has changed on the server. Failure should log
+   *      the current account OUT.
+   *   2) The person typing can't prove knowledge of the password used
+   *      to log in. Failure should do nothing.
+   */
+  _refreshAuthentication: function(aAudience, aEmail, logoutOnFailure=false) {
     this._refreshing = true;
     return this._uiRequest(UI_REQUEST_REFRESH_AUTH,
                            aAudience, aEmail).then(
       (assertion) => {
         this._refreshing = false;
         return assertion;
       },
       (reason) => {
         this._refreshing = false;
-        return this._signOut().then(
-          () => {
-            return this._error(reason);
-          }
-        );
+        if (logoutOnFailure) {
+          return this._signOut().then(
+            () => {
+              return this._error(reason);
+            }
+          );
+        }
+        return this._error(reason);
       }
     );
   },
 
   _localSignOut: function() {
     return this._fxAccounts.signOut(true);
   },