This repository has been archived by the owner on May 10, 2019. It is now read-only.

Auth with allowUnverified can fail due to attempted duplicate insert into emails table #4153

Open
callahad opened this issue Jun 23, 2014 · 2 comments


@callahad

Related to Bugzilla Bug 1029014.

Marketplace is using Persona with allowUnverified and forceIssuer.

Guigs2 (a MoCo employee) attempted to sign into Marketplace on Fennec using her MoCo email address, only to see this screen after entering a new fallback password and hitting "next":

[Image: 503 error when staging user]

The production logs show: unexpected database failure: Error: Duplicate entry '<redacted>@mozilla.com' for key 'address' -- at /opt/browserid/lib/db/mysql.js:733:13

That error is thrown at lib/db/mysql.js#L733, when db.createUnverifiedUser attempts to insert into the email table. The only call to db.createUnverifiedUser is in lib/wsapi/stage_user.js#L78, which either calls db.stageUser or db.createUnverifiedUser based on the value of allowUnverified.

In summary, we know:

  • This can only happen when an RP is using allowUnverified.
  • Marketplace is the only RP that uses allowUnverified.
  • This problem exists on all platforms, including Desktop and FxOS.

Furthermore, after triggering the bug, the production database shows:

  • An entry in the email table of type primary with verified 1
  • An entry in the user table with a NULL password, no failedAuthTries, and a lastPasswordReset in November, 2013.
  • An entry in the staged table with a timestamp of today, new_acct 1, and existing_user NULL
@callahad

We apparently branched into stageUser when it wasn't appropriate, and improperly staged a new account, despite the user existing for several months.

@callahad

callahad commented Nov 8, 2014

As soon as Marketplace switches to Firefox Accounts (any day now), we can finally rip out the allowUnverified, forceIssuer, and forceAuthenticate hacks. On hold until then.
