Skip to content

Refactor FxA authentication configuration and fake auth handling #23077

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Mar 6, 2025
Merged

Refactor FxA authentication configuration and fake auth handling #23077

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3acd4f3
Refactor FxA authentication configuration and fake auth handling
KevinMind Feb 14, 2025
e712525
Updates from code review
KevinMind Mar 3, 2025
d06bccd
Fix tests
KevinMind Mar 3, 2025
edd7d62
Remove redundant config argument from login_redirect_url function
KevinMind Mar 4, 2025
7e13d38
Remove invalid default values for fxa client id in test
KevinMind Mar 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions Makefile-os
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ export DOCKER_VERSION ?=
export DATA_BACKUP_SKIP ?=
override DOCKER_MYSQLD_VOLUME = addons-server_data_mysqld

export FXA_CLIENT_ID ?=
export FXA_CLIENT_SECRET ?=

INITIALIZE_ARGS ?=
INIT_CLEAN ?=
INIT_LOAD ?=
Expand Down
2 changes: 2 additions & 0 deletions docker-compose.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ x-env-mapping: &env
- ENV=local
- CIRCLECI
- DATA_BACKUP_SKIP
- FXA_CLIENT_ID
- FXA_CLIENT_SECRET

x-olympia: &olympia
<<: *env
Expand Down
42 changes: 42 additions & 0 deletions docs/topics/development/authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# Authentication

## Firefox Accounts

Firefox Accounts (FXA) is the authentication system used by addons-server.
In local development and in testing, we default to fake credentials which redirect
to a local fake auth page. If you define real credentials, you will be redirected
to fxa using the specified client id and secret.

### Local development

In local development, we default to fake credentials which redirect to a local
fake auth page. Fake credentials of '' are defined by default on the environment and read
into the FXA_CONFIG settings.

### Production environments

In production environments, we defined real FXA_CLIENT_ID and FXA_CLIENT_SECRET values
to be used on the corrresponding FXA servers.

### use_fake_fxa

A utility method is used to determine if we should use the fake or real fxa redirect.
This function only returns true if the environment is local/test and if the fake fxa client
id and secret are defined. This forces us to use real auth redirection in production environments.

### Getting real credentials for local development

You must contact the FxA team to get your own credentials for FxA stage.

To use these credentials, you can pass them to make up:

```bash
make up FXA_CLIENT_ID=<your-client-id> FXA_CLIENT_SECRET=<your-client-secret>
```

or set them in your environment (on the host machine, not inside the container):

```bash
export FXA_CLIENT_ID=<your-client-id>
export FXA_CLIENT_SECRET=<your-client-secret>

1 change: 1 addition & 0 deletions docs/topics/development/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,4 +28,5 @@ docs
waffle
remote_settings
../../../README.rst
authentication
```
8 changes: 0 additions & 8 deletions settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,14 +115,6 @@ def insert_debug_toolbar_middleware(middlewares):
FXA_OAUTH_HOST = 'https://oauth.stage.mozaws.net/v1'
FXA_PROFILE_HOST = 'https://profile.stage.mozaws.net/v1'

# When USE_FAKE_FXA_AUTH and settings.DEV_MODE are both True, we serve a fake
# authentication page, bypassing FxA. To disable this behavior, set
# USE_FAKE_FXA = False in your local settings.
# You will also need to specify `client_id` and `client_secret` in your
# local_settings.py or environment variables - you must contact the FxA team to get your
# own credentials for FxA stage.
USE_FAKE_FXA_AUTH = True

# CSP report endpoint which returns a 204 from addons-nginx in local dev.
CSP_REPORT_URI = '/csp-report'
RESTRICTED_DOWNLOAD_CSP['REPORT_URI'] = CSP_REPORT_URI
Expand Down
8 changes: 8 additions & 0 deletions settings_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,3 +113,11 @@

# This is a testing environment
TESTING_ENV = True

FXA_CONFIG = {
# Default FxA config should simulate a real FxA config with redirection
'default': {
'client_id': 'amodefault',
'client_secret': 'amodefault',
},
}
80 changes: 25 additions & 55 deletions src/olympia/accounts/tests/test_utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
from base64 import urlsafe_b64decode, urlsafe_b64encode
from urllib.parse import parse_qs, urlparse

from django.conf import settings
from django.test import RequestFactory
from django.test.utils import override_settings
from django.urls import reverse
Expand All @@ -10,24 +11,14 @@
from olympia.amo.tests import TestCase


FXA_CONFIG = {
'default': {
'client_id': 'foo',
'client_secret': 'bar',
},
'other': {'client_id': 'foo_other', 'client_secret': 'bar_other'},
}


@override_settings(FXA_CONFIG=FXA_CONFIG)
@override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
def test_fxa_login_url_without_requiring_two_factor_auth():
path = '/en-US/addons/abp/?source=ddg'
request = RequestFactory().get(path)
request.session = {'fxa_state': 'myfxastate'}

raw_url = utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path=path,
enforce_2fa=False,
Expand All @@ -41,22 +32,21 @@ def test_fxa_login_url_without_requiring_two_factor_auth():
query = parse_qs(url.query)
next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
assert query == {
'client_id': ['foo'],
'client_id': ['amodefault'],
'scope': ['profile openid'],
'state': [f'myfxastate:{force_str(next_path)}'],
'access_type': ['offline'],
}


@override_settings(FXA_CONFIG=FXA_CONFIG)
@override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
def test_fxa_login_url_requiring_two_factor_auth():
path = '/en-US/addons/abp/?source=ddg'
request = RequestFactory().get(path)
request.session = {'fxa_state': 'myfxastate'}

raw_url = utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path=path,
enforce_2fa=True,
Expand All @@ -71,22 +61,21 @@ def test_fxa_login_url_requiring_two_factor_auth():
next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
assert query == {
'acr_values': ['AAL2'],
'client_id': ['foo'],
'client_id': ['amodefault'],
'scope': ['profile openid'],
'state': [f'myfxastate:{force_str(next_path)}'],
'access_type': ['offline'],
}


@override_settings(FXA_CONFIG=FXA_CONFIG)
@override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
def test_fxa_login_url_requiring_two_factor_auth_passing_token():
path = '/en-US/addons/abp/?source=ddg'
request = RequestFactory().get(path)
request.session = {'fxa_state': 'myfxastate'}

raw_url = utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path=path,
enforce_2fa=True,
Expand All @@ -102,7 +91,7 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_token():
next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
assert query == {
'acr_values': ['AAL2'],
'client_id': ['foo'],
'client_id': ['amodefault'],
'id_token_hint': ['YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo='],
'prompt': ['none'],
'scope': ['profile openid'],
Expand All @@ -111,15 +100,14 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_token():
}


@override_settings(FXA_CONFIG=FXA_CONFIG)
@override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
def test_fxa_login_url_requiring_two_factor_auth_passing_request():
path = '/en-US/addons/abp/?source=ddg'
request = RequestFactory().get(path)
request.session = {'fxa_state': 'myfxastate'}

raw_url = utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path=path,
enforce_2fa=True,
Expand All @@ -135,22 +123,21 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_request():
next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
assert query == {
'acr_values': ['AAL2'],
'client_id': ['foo'],
'client_id': ['amodefault'],
'scope': ['profile openid'],
'state': [f'myfxastate:{force_str(next_path)}'],
'access_type': ['offline'],
}


@override_settings(FXA_CONFIG=FXA_CONFIG)
@override_settings(FXA_OAUTH_HOST='https://accounts.firefox.com/oauth')
def test_fxa_login_url_requiring_two_factor_auth_passing_login_hint():
path = '/en-US/addons/abp/?source=ddg'
request = RequestFactory().get(path)
request.session = {'fxa_state': 'myfxastate'}

raw_url = utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path=path,
enforce_2fa=True,
Expand All @@ -167,7 +154,7 @@ def test_fxa_login_url_requiring_two_factor_auth_passing_login_hint():
next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
assert query == {
'acr_values': ['AAL2'],
'client_id': ['foo'],
'client_id': ['amodefault'],
'login_hint': ['[email protected]'],
'prompt': ['none'],
'scope': ['profile openid'],
Expand All @@ -181,7 +168,7 @@ def test_unicode_next_path():
request = RequestFactory().get(path)
request.session = {'fxa_state': 'fake-state'}
url = utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path=utils.path_with_query(request),
)
Expand All @@ -190,68 +177,51 @@ def test_unicode_next_path():
assert next_path.decode('utf-8') == path


@override_settings(FXA_CONFIG=FXA_CONFIG)
def test_redirect_for_login():
request = RequestFactory().get('/somewhere')
request.session = {'fxa_state': 'fake-state'}
response = utils.redirect_for_login(request)
assert response['location'] == utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path='/somewhere',
)
assert request.session['enforce_2fa'] is False


@override_settings(FXA_CONFIG=FXA_CONFIG)
def test_redirect_for_login_with_next_path():
request = RequestFactory().get('/somewhere')
request.session = {'fxa_state': 'fake-state'}
response = utils.redirect_for_login(request, next_path='/over/the/rainbow')
assert response['location'] == utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path='/over/the/rainbow',
)
assert request.session['enforce_2fa'] is False


@override_settings(FXA_CONFIG=FXA_CONFIG)
def test_redirect_for_login_with_config():
request = RequestFactory().get('/somewhere')
request.session = {'fxa_state': 'fake-state'}
response = utils.redirect_for_login(request, config=FXA_CONFIG['other'])
assert response['location'] == utils.fxa_login_url(
config=FXA_CONFIG['other'],
state=request.session['fxa_state'],
next_path='/somewhere',
)
assert request.session['enforce_2fa'] is False


@override_settings(FXA_CONFIG=FXA_CONFIG)
def test_redirect_for_login_with_2fa_enforced():
request = RequestFactory().get('/somewhere')
request.session = {'fxa_state': 'fake-state'}
response = utils.redirect_for_login_with_2fa_enforced(request)
assert response['location'] == utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path='/somewhere',
enforce_2fa=True,
)
assert request.session['enforce_2fa'] is True


@override_settings(FXA_CONFIG=FXA_CONFIG)
def test_redirect_for_login_with_2fa_enforced_id_token_hint():
request = RequestFactory().get('/somewhere')
request.session = {'fxa_state': 'fake-state'}
response = utils.redirect_for_login_with_2fa_enforced(
request, id_token_hint='some_token_hint'
)
assert response['location'] == utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path='/somewhere',
enforce_2fa=True,
Expand All @@ -260,56 +230,56 @@ def test_redirect_for_login_with_2fa_enforced_id_token_hint():
assert request.session['enforce_2fa'] is True


@override_settings(FXA_CONFIG=FXA_CONFIG)
def test_redirect_for_login_with_2fa_enforced_and_next_path():
request = RequestFactory().get('/somewhere')
request.session = {'fxa_state': 'fake-state'}
response = utils.redirect_for_login_with_2fa_enforced(
request, next_path='/over/the/rainbow'
)
assert response['location'] == utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path='/over/the/rainbow',
enforce_2fa=True,
)
assert request.session['enforce_2fa'] is True


@override_settings(FXA_CONFIG=FXA_CONFIG)
def test_redirect_for_login_with_2fa_enforced_and_config():
request = RequestFactory().get('/somewhere')
request.session = {'fxa_state': 'fake-state'}
response = utils.redirect_for_login_with_2fa_enforced(
request, config=FXA_CONFIG['other']
request,
config={'client_id': 'foo_other', 'client_secret': 'bar_other'},
)
assert response['location'] == utils.fxa_login_url(
config=FXA_CONFIG['other'],
config={'client_id': 'foo_other', 'client_secret': 'bar_other'},
state=request.session['fxa_state'],
next_path='/somewhere',
enforce_2fa=True,
)
assert request.session['enforce_2fa'] is True


@override_settings(DEV_MODE=True, USE_FAKE_FXA_AUTH=True)
@override_settings(FXA_CONFIG={'default': {'client_id': ''}})
def test_fxa_login_url_when_faking_fxa_auth():
path = '/en-US/addons/abp/?source=ddg'
request = RequestFactory().get(path)
request.session = {'fxa_state': 'myfxastate'}
raw_url = utils.fxa_login_url(
config=FXA_CONFIG['default'],
config=settings.FXA_CONFIG['default'],
state=request.session['fxa_state'],
next_path=path,
)
url = urlparse(raw_url)
assert url.scheme == ''
assert url.netloc == ''
assert url.path == reverse('fake-fxa-authorization')
query = parse_qs(url.query)
# client_id has a blank value, so we should inspect blank values
query = parse_qs(url.query, keep_blank_values=True)
next_path = urlsafe_b64encode(path.encode('utf-8')).rstrip(b'=')
assert query == {
'client_id': ['foo'],
'client_id': [''],
'scope': ['profile openid'],
'state': [f'myfxastate:{force_str(next_path)}'],
'access_type': ['offline'],
Expand Down
Loading
Loading