fix(codes): drop all codes when one is consumed (#326) r=@rfk

Fixes https://github.com/mozilla/fxa-bugzilla-mirror/issues/440

Author: vladikoff

db-server/test/backend/db_tests.js

@@ -1334,12 +1334,16 @@ module.exports = function (config, DB) {
     })
 
     describe('unblockCodes', () => {
-      let uid1, code1
+      let uid1, code1, code2
       beforeEach(() => {
         uid1 = newUuid()
         code1 = unblockCode()
 
-        return db.createUnblockCode(uid1, code1)
+        code2 = unblockCode()
+        return P.all([
+          db.createUnblockCode(uid1, code1),
+          db.createUnblockCode(uid1, code2)
+        ])
       })
 
       it('should fail to consume unknown code', () => {
@@ -1350,6 +1354,18 @@ module.exports = function (config, DB) {
           })
       })
 
+      it('should fail to consume old unblock code', () => {
+        return db.consumeUnblockCode(uid1, code1)
+          .then((code) => {
+            assert.ok(code)
+            return db.consumeUnblockCode(uid1, code2)
+              .then(assert.fail, (err) => {
+                assert.equal(err.code, 404, 'err.code')
+                assert.equal(err.errno, 116, 'err.errno')
+              })
+          })
+      })
+
       it('should consume unblock code', () => {
         return db.consumeUnblockCode(uid1, code1)
           .then((code) => {

lib/db/mem.js

@@ -1050,7 +1050,8 @@ module.exports = function (log, error) {
       return P.reject(error.notFound())
     }
     var timestamp = row[code]
-    delete row[code]
+    // Delete all codes for that uid
+    unblockCodes[uid.toString('hex')] = null
 
     return P.resolve({ createdAt: timestamp })
   }

lib/db/mysql.js

@@ -848,7 +848,7 @@ module.exports = function (log, error) {
     )
   }
 
-  var CONSUME_UNBLOCK_CODE = 'CALL consumeUnblockCode_1(?, ?)'
+  var CONSUME_UNBLOCK_CODE = 'CALL consumeUnblockCode_2(?, ?)'
 
   MySql.prototype.consumeUnblockCode = function (uid, code) {
     // hash the code since it's like a password

lib/db/patch.js

@@ -4,4 +4,4 @@
 
 // The expected patch level of the database. Update if you add a new
 // patch in the ./schema/ directory.
-module.exports.level = 76
+module.exports.level = 77

lib/db/schema/patch-076-077.sql

@@ -0,0 +1,24 @@
+SET NAMES utf8mb4 COLLATE utf8mb4_bin;
+
+CREATE PROCEDURE `consumeUnblockCode_2` (
+    inUid BINARY(16),
+    inCodeHash BINARY(32)
+)
+BEGIN
+    DECLARE timestamp BIGINT;
+    SET @timestamp = (
+        SELECT createdAt FROM unblockCodes
+        WHERE
+            uid = inUid
+        AND
+            unblockCodeHash = inCodeHash
+    );
+
+    DELETE FROM unblockCodes
+    WHERE
+        uid = inUid;
+
+    SELECT @timestamp AS createdAt;
+END;
+
+UPDATE dbMetadata SET value = '77' WHERE name = 'schema-patch-level';

lib/db/schema/patch-077-076.sql

@@ -0,0 +1,6 @@
+-- SET NAMES utf8mb4 COLLATE utf8mb4_bin;
+
+-- DROP PROCEDURE `consumeUnblockCode_2`;
+
+-- UPDATE dbMetadata SET value = '76' WHERE name = 'schema-patch-level';
+