837201 - Deal with users logging in with a different account than their marketplace account

Status: RESOLVED FIXED

(Marketplace Graveyard :: Payments/Refunds, defect, P4)

Description

[krupa raj[:krupa]]

steps to reproduce:
1. Tester is logged in as user1
2. Click on the purchase button for private yacht
3. In the Enter your PIN screen, click on 'Forgot PIN?' button
4. When prompted to sign in, sign in as User2

expected behavior:
We catch whenever the sign in doesn't match and gracefully return the user to the app details page with an informative user message.

observed behavior:
We allow user to log in as User2 and reset their PIN while they are still logged in as User1

Comment 1

[Andy McKay]

For 1.1 I think we should just cancel the flow if the email is different. This means:

- add in a hashed version of a users email
- after any login compare the two
- if it changes cancel the entire flow and let them start again

Comment 2

[krupa raj[:krupa]]

(In reply to krupa raj 82[:krupa] from comment #0)
> steps to reproduce:
> 1. Tester is logged in as user1
> 2. Click on the purchase button for private yacht
> 3. In the Enter your PIN screen, click on 'Forgot PIN?' button
> 4. When prompted to sign in, sign in as User2
> 
> expected behavior:
> We catch whenever the sign in doesn't match and gracefully return the user
> to the app details page with an informative user message.
> 
> observed behavior:
> We allow user to log in as User2 and reset their PIN while they are still
> logged in as User1


After the user resets their PIN, we show them a "Page not Found!" error

Comment 3

[Wil Clouser [:clouserw]]

(In reply to Andy McKay [:andym] from comment #1)
> For 1.1 I think we should just cancel the flow if the email is different.
> This means:
> 
> - add in a hashed version of a users email
> - after any login compare the two
> - if it changes cancel the entire flow and let them start again

agreed

Comment 4

[Wraithan (Chris McDonald) [:wraithan]]

Renamed. Kumar and I agree this is a 1.2 thing and we will look into just preventing the user from using a different account than their marketplace account.

Comment 5

[krupa raj[:krupa]]

This now results in the following traceback: http://sentry.dmz.phx1.mozilla.com/marketplace-dev-webpay/group/11905/

ValueError: A user tried to reverify herself with a new email: krupa.mozbugs+78@gmail.com

Stacktrace (most recent call last):

  File "django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "django/views/decorators/http.py", line 41, in inner
    return func(request, *args, **kwargs)
  File "webpay/base/decorators.py", line 11, in wrapper
    response = func(*args, **kw)
  File "webpay/auth/views.py", line 48, in reverify
    'new email: %s' % email)

Comment 6

[Andy McKay]

Trying this now, after changing my account, I get the following:

Content JS LOG at https://marketplace-dev-cdn.allizom.org/mozpay/media/js/pay-min.js?build=9f05ceb-5249bd4e:5 in o: [reset] nav.id onlogin
Content JS LOG at https://marketplace-dev-cdn.allizom.org/mozpay/media/js/pay-min.js?build=9f05ceb-5249bd4e:5 in a: [reset] login error

And I'm stuck on the "connecting to persona" spinner.

Comment 7

[Andy McKay]

We can pass through an experimental_emailHint to persona now to pre-fill the Persona form.

https://github.com/mozilla/browserid/pull/3843

Comment 8

[Andy McKay]

Whilst yak shaving on this: https://github.com/mozilla/webpay/commit/c97f7f

Comment 10

[Andy McKay]

https://github.com/mozilla/webpay/commit/fc7f2a