feat(accounts): require valid IA S3 keys on OTP service endpoints (#12841)

mekarpeles · web-flow · commit d779e2c9e6e2 · 2026-06-25T11:39:28.000-07:00
feat(accounts): require valid IA S3 keys on OTP service endpoints Add `Authorization: LOW <access>:<secret>` validation (via s3auth) to /account/otp/issue and /account/otp/redeem. Lenny already sends ol_auth_headers() on every OTP request; OL was ignoring them. Now only Lenny nodes with a linked IA/OL account can trigger OTP emails. - _parse_low_auth_header(): strip both parts, reject empty access/secret - _require_s3_auth(): shared helper distinguishing invalid credentials (unauthorized) from s3auth 5xx (auth_service_unavailable) - Use result.rawtext for delegate.RawText assertions - Add otp_seed placeholder to dev config (OTP.generate() crashed without it) - Tests: TestOtpServiceS3Auth, TestParseLowAuthHeader, redeem happy-path Closes #12840, #12841
diff --git a/conf/openlibrary.yml b/conf/openlibrary.yml
@@ -165,6 +165,7 @@ ia_ol_xauth_s3:
 ia_loan_api_url: http://web:8080/internal/fake/loans
 ia_xauth_api_url: http://web:8080/internal/fake/xauth
 ia_s3_auth_url: http://web:8080/internal/fake/s3auth
+otp_seed: dev-otp-seed-for-e2e-testing
 
 internal_tests_api_key: 8oPd1tx747YH374ohs48ZO5s2Nt1r9yD
 ia_availability_api_v2_url: https://archive.org/services/availability/
diff --git a/openlibrary/plugins/upstream/account.py b/openlibrary/plugins/upstream/account.py
@@ -436,11 +436,43 @@ def POST(self):
             infogami_login().POST()
 
 
+def _parse_low_auth_header():
+    """Parse 'Authorization: LOW access:secret' from the current request.
+    Returns (access, secret) tuple or raises ValueError if missing/malformed/empty."""
+    header = web.ctx.env.get("HTTP_AUTHORIZATION", "")
+    if not header.startswith("LOW "):
+        raise ValueError("Missing or invalid Authorization header")
+    _, keys = header.split("LOW ", 1)
+    if ":" not in keys:
+        raise ValueError("Malformed authorization keys")
+    access, secret = keys.split(":", 1)
+    access, secret = access.strip(), secret.strip()
+    if not access or not secret:
+        raise ValueError("Empty access or secret key")
+    return access, secret
+
+
+def _require_s3_auth():
+    """Validate the request's IA S3 credentials. Returns None on success or a RawText error response."""
+    try:
+        s3_access, s3_secret = _parse_low_auth_header()
+    except ValueError:
+        return delegate.RawText(json.dumps({"error": "missing_or_invalid_authorization"}))
+    if "error" in (result := InternetArchiveAccount.s3auth(s3_access, s3_secret)):
+        if result.get("code", 400) >= 500:
+            return delegate.RawText(json.dumps({"error": "auth_service_unavailable"}))
+        return delegate.RawText(json.dumps({"error": "unauthorized"}))
+    return None
+
+
 class otp_service_issue(delegate.page):
     path = "/account/otp/issue"
 
     def POST(self):
         web.header("Content-Type", "application/json")
+        if err := _require_s3_auth():
+            return err
+
         i = web.input(email="", ip="", challenge_url="", sendmail="true")
         required_keys = ("email", "ip", "service_ip")
         i.email = i.email.replace(" ", "+").lower()
@@ -470,6 +502,9 @@ class otp_service_redeem(delegate.page):
 
     def POST(self):
         web.header("Content-Type", "application/json")
+        if err := _require_s3_auth():
+            return err
+
         required_keys = ("email", "ip", "service_ip", "otp")
         i = web.input(email="", ip="", otp="")
         i.email = i.email.replace(" ", "+").lower()
diff --git a/openlibrary/plugins/upstream/tests/test_account.py b/openlibrary/plugins/upstream/tests/test_account.py
@@ -1,3 +1,4 @@
+import json
 import os
 import sys
 from unittest import mock
@@ -348,3 +349,149 @@ def test_login_deletes_preserve_intent_cookie_on_valid_redirect(self, mock_stats
         for call in mock_web.setcookie.call_args_list:
             assert call[0][0] != "pending_action"
         mock_web.seeother.assert_called_with("/account/books")
+
+
+class TestOtpServiceS3Auth:
+    """Tests for S3 key validation on /account/otp/issue and /account/otp/redeem."""
+
+    def _make_web_mock(self, auth_header=""):
+        m = mock.MagicMock()
+        m.ctx.env = {"HTTP_AUTHORIZATION": auth_header, "HTTP_X_FORWARDED_FOR": "1.2.3.4"}
+        m.input.return_value = web.storage(email="test@example.com", ip="1.2.3.4", challenge_url="", sendmail="false", otp="123456")
+        m.safestr.side_effect = lambda x: x
+        return m
+
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_issue_missing_auth_header(self, mock_web, mock_ia):
+        mock_web.ctx.env = {}
+        result = account.otp_service_issue().POST()
+        body = json.loads(result.rawtext)
+        assert body["error"] == "missing_or_invalid_authorization"
+        mock_ia.s3auth.assert_not_called()
+
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_issue_empty_secret_rejected(self, mock_web, mock_ia):
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW access:"}
+        result = account.otp_service_issue().POST()
+        body = json.loads(result.rawtext)
+        assert body["error"] == "missing_or_invalid_authorization"
+        mock_ia.s3auth.assert_not_called()
+
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_issue_invalid_keys_rejected(self, mock_web, mock_ia):
+        mock_ia.s3auth.return_value = {"error": "invalid_s3keys", "code": 401}
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW badaccess:badsecret"}
+        result = account.otp_service_issue().POST()
+        body = json.loads(result.rawtext)
+        assert body["error"] == "unauthorized"
+
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_issue_auth_service_5xx_returns_specific_error(self, mock_web, mock_ia):
+        mock_ia.s3auth.return_value = {"error": "service error", "code": 503}
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW access:secret"}
+        result = account.otp_service_issue().POST()
+        body = json.loads(result.rawtext)
+        assert body["error"] == "auth_service_unavailable"
+
+    @mock.patch("openlibrary.plugins.upstream.account.OTP")
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_issue_valid_keys_proceeds(self, mock_web, mock_ia, mock_otp):
+        mock_ia.s3auth.return_value = {"success": True, "itemname": "@testuser"}
+        mock_web.ctx.env = {
+            "HTTP_AUTHORIZATION": "LOW goodaccess:goodsecret",
+            "HTTP_X_FORWARDED_FOR": "1.2.3.4",
+        }
+        mock_web.input.return_value = web.storage(email="test@example.com", ip="1.2.3.4", challenge_url="", sendmail="false")
+        mock_otp.generate.return_value = "abc123"
+        mock_otp.is_ratelimited.return_value = None
+        mock_otp.verify_service.return_value = True
+        result = account.otp_service_issue().POST()
+        body = json.loads(result.rawtext)
+        assert body == {"success": "issued"}
+
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_redeem_missing_auth_header(self, mock_web, mock_ia):
+        mock_web.ctx.env = {}
+        result = account.otp_service_redeem().POST()
+        body = json.loads(result.rawtext)
+        assert body["error"] == "missing_or_invalid_authorization"
+        mock_ia.s3auth.assert_not_called()
+
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_redeem_invalid_keys_rejected(self, mock_web, mock_ia):
+        mock_ia.s3auth.return_value = {"error": "invalid_s3keys", "code": 401}
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW bad:creds"}
+        result = account.otp_service_redeem().POST()
+        body = json.loads(result.rawtext)
+        assert body["error"] == "unauthorized"
+
+    @mock.patch("openlibrary.plugins.upstream.account.OTP")
+    @mock.patch("openlibrary.plugins.upstream.account.InternetArchiveAccount")
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_redeem_valid_keys_proceeds(self, mock_web, mock_ia, mock_otp):
+        mock_ia.s3auth.return_value = {"success": True, "itemname": "@testuser"}
+        mock_web.ctx.env = {
+            "HTTP_AUTHORIZATION": "LOW goodaccess:goodsecret",
+            "HTTP_X_FORWARDED_FOR": "1.2.3.4",
+        }
+        mock_web.input.return_value = web.storage(email="test@example.com", ip="1.2.3.4", otp="abc123")
+        mock_otp.is_valid.return_value = True
+        result = account.otp_service_redeem().POST()
+        body = json.loads(result.rawtext)
+        assert body == {"success": "redeemed"}
+
+
+class TestParseLowAuthHeader:
+    """Unit tests for the _parse_low_auth_header() module-level helper."""
+
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_missing_header_raises(self, mock_web):
+        mock_web.ctx.env = {}
+        with pytest.raises(ValueError, match="Missing or invalid"):
+            account._parse_low_auth_header()
+
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_bearer_prefix_rejected(self, mock_web):
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "Bearer sometoken"}
+        with pytest.raises(ValueError, match="Missing or invalid"):
+            account._parse_low_auth_header()
+
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_no_colon_raises(self, mock_web):
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW accessonly"}
+        with pytest.raises(ValueError, match="Malformed"):
+            account._parse_low_auth_header()
+
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_empty_secret_raises(self, mock_web):
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW access:"}
+        with pytest.raises(ValueError, match="Empty"):
+            account._parse_low_auth_header()
+
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_empty_access_raises(self, mock_web):
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW :secret"}
+        with pytest.raises(ValueError, match="Empty"):
+            account._parse_low_auth_header()
+
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_valid_returns_stripped_tuple(self, mock_web):
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW  myaccess : mysecret "}
+        access, secret = account._parse_low_auth_header()
+        assert access == "myaccess"
+        assert secret == "mysecret"
+
+    @mock.patch("openlibrary.plugins.upstream.account.web")
+    def test_colon_in_secret_preserved(self, mock_web):
+        # S3 secrets can contain colons; only split on the first one
+        mock_web.ctx.env = {"HTTP_AUTHORIZATION": "LOW access:sec:ret"}
+        access, secret = account._parse_low_auth_header()
+        assert access == "access"
+        assert secret == "sec:ret"
