This repository has been archived by the owner on May 10, 2019. It is now read-only.

Cannot create an account on Prod using a GMail address after address was removed from Persona #2822

Closed
shane-tomlinson opened this issue Dec 5, 2012 · 8 comments

Comments

@shane-tomlinson

STR:

  1. open the manage page for a Persona account with a gmail address.
  2. remove gmail address from current Persona account
  3. visit 123done.org
  4. If signed in, sign out
  5. Open Persona dialog
  6. If signed in, sign out
  7. Enter gmail address which will create a new account
  8. Enter password and verification password
  9. Visit gmail and open the verification link
  10. Watch the error message display

Expected:
Account is created

This error does NOT occur on stage.

Looking at the network console for https://login.persona.org/wsapi/email_for_token?token=aZOdhGIZjvHvsYAiZVHqURQz7Q5vNOfsDfThHMIBFrBcsI3C

Request Headers

GET /wsapi/email_for_token?token=aZOdhGIZjvHvsYAiZVHqURQz7Q5vNOfsDfThHMIBFrBcsI3C HTTP/1.1
Host: login.persona.org
Connection: keep-alive
Accept: application/json;text/plain
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.32 Safari/537.17
Content-type: application/x-www-form-urlencoded
Referer: https://login.persona.org/verify_email_address?token=aZOdhGIZjvHvsYAiZVHqURQz7Q5vNOfsDfThHMIBFrBcsI3C
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en,en-US;q=0.8,de;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: browserid_state=woYgw4Rdw6vDq0PDvsOawpDCrAjDkXPCkGQ.wpbDk8OyOQ1zU1nDi3PDgTTCrsKXwrXDhsKqwrRiSsOge2zCtlkJw4jDrsOhw7HDhsKQw6jCjMK9LMOhwq05JMOdHsODwq1AbAnDiw.1353950933486.2419200000.w5jCj8O_AAzDn27DhcORdsKOQ8OnXG8NQsOFw5vCrwTCgMKcwrPCl1xQcMKAbsKWOA

Response Headers

HTTP/1.1 200 OK
Cache-Control: no-cache, max-age=0
Content-Type: application/json; charset=utf-8
Strict-Transport-Security: max-age=2592000; includeSubdomains
Date: Wed, 05 Dec 2012 12:50:59 GMT
Connection: keep-alive
X-Frame-Options: DENY
Content-Length: 54

Response

{"success":false,"reason":"missing password for user"}
@jaredhirsch
Member

@shane-tomlinson I'm unable to reproduce this using an old gmail account that's new to persona.

How else can I help to track this down?

@benadida
Contributor

benadida commented Dec 5, 2012

unable to reproduce here, too. Here's what I think is happening:

TLDR - email addresses we staged long ago, when passwords were collected after verification link, are ending up in limbo.

Details:

(a) the error "missing password for user" occurs when the staged-user row exists but has a null passwd field

https://github.com/mozilla/browserid/blob/dev/lib/wsapi/email_for_token.js#L71
https://github.com/mozilla/browserid/blob/dev/lib/db/mysql.js#L507

(b) the staged-user insert happens here:

https://github.com/mozilla/browserid/blob/dev/lib/db/mysql.js#L262

Note how ON DUPLICATE updates a bunch of values, but NOT the passwd field. If the passwd field was null, e.g. for an address we staged long ago, we're in limbo.

Looking for evidence that this is indeed the problem, what happens if we double-stage a user with two different passwords (ignoring the first confirmation email)? If my theory is correct, then the second password will be ignored. Indeed, it looks like that's exactly what's happening: after clicking the confirmation link, instead of just being logged in, the dialog prompts me for a password, and the password that works is the one I entered in the first stage, not the second one like one would expect.

I suspect we need to update that ON DUPLICATE to also update the password hash.
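The two observations above (a NULL passwd row that a fresh sign-up cannot repair, and the double-stage experiment where the first password survives) reproduced in a self-contained script. This is an added example, not browserid's code: it models the staged-user table in SQLite, whose ON CONFLICT ... DO UPDATE plays the role of MySQL's ON DUPLICATE KEY UPDATE (where the fix would read `passwd = VALUES(passwd)`); table and column names, the hash and token strings, and the response shape are assumptions.

```python
import sqlite3

# Stand-in for the staged-user table; column names are assumptions, not browserid's own.
SCHEMA = """
CREATE TABLE staged (
    email  TEXT PRIMARY KEY,
    passwd TEXT,             -- NULL for rows staged under the old flow (password collected later)
    secret TEXT NOT NULL,    -- verification token mailed to the user
    staged INTEGER NOT NULL  -- unix time of the latest stage request
)"""

# Buggy upsert: a re-stage refreshes token and timestamp but never touches passwd.
# SQLite's ON CONFLICT ... DO UPDATE stands in for MySQL's ON DUPLICATE KEY UPDATE.
BUGGY_UPSERT = """INSERT INTO staged (email, passwd, secret, staged) VALUES (?, ?, ?, ?)
ON CONFLICT(email) DO UPDATE SET secret = excluded.secret, staged = excluded.staged"""

# Fixed upsert: the hash sent with the latest stage request replaces whatever was stored.
FIXED_UPSERT = """INSERT INTO staged (email, passwd, secret, staged) VALUES (?, ?, ?, ?)
ON CONFLICT(email) DO UPDATE SET passwd = excluded.passwd, secret = excluded.secret,
                                 staged = excluded.staged"""

def stage_user(conn, email, passwd_hash, secret, now, fixed):
    conn.execute(FIXED_UPSERT if fixed else BUGGY_UPSERT, (email, passwd_hash, secret, now))

def email_for_token(conn, secret):
    # Mirrors the check that produces the "missing password for user" response.
    row = conn.execute("SELECT email, passwd FROM staged WHERE secret = ?", (secret,)).fetchone()
    if row is None:
        return {"success": False, "reason": "unknown token"}
    if row[1] is None:
        return {"success": False, "reason": "missing password for user"}
    return {"success": True, "email": row[0]}

def limbo_case(fixed):
    # Constructed: an address staged long ago with no password, then signed up again today.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO staged VALUES (?, NULL, ?, ?)", ("old@example.com", "tok-old", 1300000000))
    stage_user(conn, "old@example.com", "hash-new", "tok-new", 1354700000, fixed)
    return email_for_token(conn, "tok-new")

def double_stage_case(fixed):
    # Constructed: stage twice with different passwords, ignore the first mail; which hash survives?
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    stage_user(conn, "dup@example.com", "hash-first", "tok-1", 1354700000, fixed)
    stage_user(conn, "dup@example.com", "hash-second", "tok-2", 1354700100, fixed)
    return conn.execute("SELECT passwd FROM staged WHERE email = ?", ("dup@example.com",)).fetchone()[0]
```

With the buggy upsert the second stage still rotates the token, so the link in the second mail is the one that verifies, yet only the first password is stored; the fixed upsert makes the latest password win in both cases.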

@shane-tomlinson
Author

Extra info from the mailing list:

/wsapi/stage_user IS sending the password in the pass field.

@benadida
Contributor

benadida commented Dec 5, 2012

@shane-tomlinson yep, I think this is all in the DB layer with the ON DUPLICATE.

@shane-tomlinson
Author

@benadida - fantastic, I'm glad that you were able to debug this. I was staring at code and nothing was jumping out at me.

@lloyd
Contributor

lloyd commented Dec 5, 2012

we might consider mitigating the immediate problem by deleting staged emails that are > 1 month old from the database, and then prepare a hotfix against our next train. in any case, I will prepare the fix and a test of it and we can decide how to proceed from there.

@benadida
Contributor

benadida commented Dec 5, 2012

Agreed with mitigation. Safely deleting staged users with no password is even safer.

@jrgm
Contributor

jrgm commented Dec 6, 2012

GH-2824 merged to dev. Closing.

@jrgm jrgm closed this as completed Dec 6, 2012