Made OAuth token verification and user seession cookie retrieval process robust on transient netw...

chrome/browser/chromeos/login/login_utils.cc

-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be

[xiyuan, 2011/11/17 22:34:58]

Restore the license?

[zel, 2011/11/18 03:53:39]

Done.

 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/login_utils.h"
 
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/compiler_specific.h"
 #include "base/file_path.h"
 #include "base/file_util.h"
@@ skipping 79 matching lines @@
 // The service scope of the OAuth v2 token that ChromeOS login will be
 // requesting.
 // TODO(zelidrag): Figure out if we need to add more services here.
 const char kServiceScopeChromeOS[] =
     "https://www.googleapis.com/auth/chromesync";
 
 const char kServiceScopeChromeOSDeviceManagement[] =
     "https://www.googleapis.com/auth/chromeosdevicemanagement";
 }  // namespace
 
-// Task for fetching tokens from UI thread.
-class StartSyncOnUIThreadTask : public Task {
- public:
-  explicit StartSyncOnUIThreadTask(
-      const GaiaAuthConsumer::ClientLoginResult& credentials)
-      : credentials_(credentials) {}
-  virtual ~StartSyncOnUIThreadTask() {}
-
-  // Task override.
-  virtual void Run() OVERRIDE {
-    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-    LoginUtils::Get()->FetchCookies(ProfileManager::GetDefaultProfile(),
-                                    credentials_);
-    LoginUtils::Get()->StartSync(ProfileManager::GetDefaultProfile(),
-                                 credentials_);
-  }
-
- private:
-  GaiaAuthConsumer::ClientLoginResult credentials_;
-
-  DISALLOW_COPY_AND_ASSIGN(StartSyncOnUIThreadTask);
-};
-
 // Transfers initial set of Profile cookies from the default profile.
 class TransferDefaultCookiesOnIOThreadTask : public Task {
  public:
   TransferDefaultCookiesOnIOThreadTask(
       net::URLRequestContextGetter* auth_context,
       net::URLRequestContextGetter* new_context)
           : auth_context_(auth_context),
             new_context_(new_context) {}
   virtual ~TransferDefaultCookiesOnIOThreadTask() {}
 
@@ skipping 47 matching lines @@
         http_transaction_factory()->GetSession()->http_auth_cache());
   }
 
  private:
   net::URLRequestContextGetter* auth_context_;
   net::URLRequestContextGetter* new_context_;
 
   DISALLOW_COPY_AND_ASSIGN(TransferDefaultAuthCacheOnIOThreadTask);
 };
 
-// Verifies OAuth1 access token by performing OAuthLogin.
-class OAuthLoginVerifier : public GaiaOAuthConsumer {
+const int kMaxOAuthTokenVerificationAttemptCount = 5;
+const int kOAuthVerificationRestartDelay = 5000;    // ms

[xiyuan, 2011/11/17 22:34:58]

nit: two-spaces before line end comment

[zel, 2011/11/18 03:53:39]

Done.

+
+// Verifies OAuth1 access token by performing OAuthLogin. Fetches user cookies
+// on successful OAuth authentication.
+class OAuthLoginVerifier : public base::SupportsWeakPtr<OAuthLoginVerifier>,
+                           public GaiaOAuthConsumer,
+                           public GaiaAuthConsumer {
  public:
-  OAuthLoginVerifier(Profile* user_profile,
+  class Delegate {
+   public:
+    virtual ~Delegate() {}
+    virtual void OnOAuthVerificationSucceeded(const std::string& user_name,
+                                              const std::string& sid,
+                                              const std::string& lsid,
+                                              const std::string& auth) {}
+    virtual void OnOAuthVerificationFailed(const std::string& user_name) {}
+    virtual void OnUserCookiesFetchSucceeded(const std::string& user_name) {}
+    virtual void OnUserCookiesFetchFailed(const std::string& user_name) {}
+  };
+
+  OAuthLoginVerifier(OAuthLoginVerifier::Delegate* delegate,
+                     Profile* user_profile,
                      const std::string& oauth1_token,
                      const std::string& oauth1_secret,
                      const std::string& username)
-      : oauth_fetcher_(this,
+      : delegate_(delegate),
+        oauth_fetcher_(this,
             user_profile->GetOffTheRecordProfile()->GetRequestContext(),
             user_profile->GetOffTheRecordProfile(),
             kServiceScopeChromeOS),
+        gaia_fetcher_(this,
+            std::string(GaiaConstants::kChromeOSSource),
+            user_profile->GetRequestContext()),
         oauth1_token_(oauth1_token),
         oauth1_secret_(oauth1_secret),
-        username_(username) {
+        username_(username),
+        user_profile_(user_profile),
+        verification_count_(0),
+        step_(VERIFICATION_STEP_UNVERIFIED) {
   }
   virtual ~OAuthLoginVerifier() {}
 
-  void Start() {
+  bool is_done() {
+    return step_ == VERIFICATION_STEP_FAILED ||
+           step_ == VERIFICATION_STEP_COOKIES_FETCHED;
+  }
+
+  void StartOAuthVerification() {
     if (oauth1_token_.empty() || oauth1_secret_.empty()) {
       // Empty OAuth1 access token or secret probably means that we are
       // dealing with a legacy ChromeOS account. This should be treated as
       // invalid/expired token.
       OnOAuthLoginFailure(GoogleServiceAuthError(
           GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS));
     } else {
       oauth_fetcher_.StartOAuthLogin(GaiaConstants::kChromeOSSource,
                                      GaiaConstants::kPicasaService,
                                      oauth1_token_,
                                      oauth1_secret_);
     }
   }
 
+  void ContinueVerification() {
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    // Check if we have finished with this one already.
+    if (is_done())
+      return;
+
+    if (user_profile_ != ProfileManager::GetDefaultProfile())
+      return;
+
+    if (CrosLibrary::Get()->EnsureLoaded()) {
+      // Delay the verification if the network is not connected or on a captive
+      // portal.
+      const Network* network =
+          CrosLibrary::Get()->GetNetworkLibrary()->active_network();
+      if (!network || !network->connected() || network->restricted_pool()) {
+        BrowserThread::PostDelayedTask(BrowserThread::UI, FROM_HERE,
+            base::Bind(&OAuthLoginVerifier::ContinueVerification, AsWeakPtr()),
+            kOAuthVerificationRestartDelay);
+        return;
+      }
+    }

[xiyuan, 2011/11/17 22:34:58]

Maybe we should check oauth_fetcher_->HasPendingFetch() and
gaia_fetcher_->HasPendingFetch() here so that we will not fire two requests at
the same time?

[zel, 2011/11/18 03:53:39]

Good point. Done.

+
+    verification_count_++;
+    if (step_ == VERIFICATION_STEP_UNVERIFIED) {
+      DVLOG(10) << "Retrying to verify OAuth1 access tokens.";
+      StartOAuthVerification();
+    } else {
+      DVLOG(10) << "Retrying to fetch user cookies.";
+      StartCookiesRetreival();
+    }
+  }
+
+ private:
+  typedef enum {
+    VERIFICATION_STEP_UNVERIFIED,
+    VERIFICATION_STEP_OAUTH_VERIFIED,
+    VERIFICATION_STEP_COOKIES_FETCHED,
+    VERIFICATION_STEP_FAILED,
+  } VerificationStep;
+
+  // Kicks off GAIA session cookie retreival process.
+  void StartCookiesRetreival() {
+    DCHECK(!sid_.empty());
+    DCHECK(!lsid_.empty());
+    gaia_fetcher_.StartIssueAuthToken(sid_, lsid_, GaiaConstants::kGaiaService);
+  }
+
+  // Decides how to proceed on GAIA response and other errors. It can schedule
+  // to rerun the verification process if detects transient network or service
+  // errors.
+  bool RetryOnError(const GoogleServiceAuthError& error) {
+    // If we can't connect to GAIA due to network or service related reasons,
+    // we should attempt OAuth token verification again.
+    if (error.state() == GoogleServiceAuthError::CONNECTION_FAILED ||
+        error.state() == GoogleServiceAuthError::SERVICE_UNAVAILABLE) {
+      if (verification_count_ < kMaxOAuthTokenVerificationAttemptCount) {
+        BrowserThread::PostDelayedTask(BrowserThread::UI, FROM_HERE,
+            base::Bind(&OAuthLoginVerifier::ContinueVerification, AsWeakPtr()),
+            kOAuthVerificationRestartDelay);
+        return true;
+      }
+    }
+    step_ = VERIFICATION_STEP_FAILED;
+    return false;
+  }
+
   // GaiaOAuthConsumer implementation:
   virtual void OnOAuthLoginSuccess(const std::string& sid,
                                    const std::string& lsid,
                                    const std::string& auth) OVERRIDE {
-    GaiaAuthConsumer::ClientLoginResult credentials(
-        sid, lsid, auth, std::string());
-    UserManager::Get()->set_offline_login(false);
-    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
-                            new StartSyncOnUIThreadTask(credentials));
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+//    OnOAuthLoginFailure(GoogleServiceAuthError::FromConnectionError(400));

[xiyuan, 2011/11/17 22:34:58]

nit: remove this?

[zel, 2011/11/18 03:53:39]

Done.

+
+    step_ = VERIFICATION_STEP_OAUTH_VERIFIED;
+    verification_count_ = 0;
+    sid_ = sid;
+    lsid_ = lsid;
+    delegate_->OnOAuthVerificationSucceeded(username_, sid, lsid, auth);
+    StartCookiesRetreival();
   }
 
   virtual void OnOAuthLoginFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed to verify OAuth1 access tokens, error: "
-                 << error.state();
-
-    // Mark this account's OAuth token state as invalid if the failure is not
-    // caused by network error.
-    if (error.state() != GoogleServiceAuthError::CONNECTION_FAILED) {
-      UserManager::Get()->SaveUserOAuthStatus(username_,
-                                              User::OAUTH_TOKEN_STATUS_INVALID);
-    } else {
-      UserManager::Get()->set_offline_login(true);
-    }
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    LOG(WARNING) << "Failed to verify OAuth1 access tokens,"
+                 << " error.state=" << error.state();
+    if (!RetryOnError(error))
+      delegate_->OnOAuthVerificationFailed(username_);
   }
 
- private:
-  GaiaOAuthFetcher oauth_fetcher_;
-  std::string oauth1_token_;
-  std::string oauth1_secret_;
-  std::string username_;
-
-  DISALLOW_COPY_AND_ASSIGN(OAuthLoginVerifier);
-};
-
-// Verifies OAuth1 access token by performing OAuthLogin.
-class UserSessionCookieFetcher : public GaiaAuthConsumer {
- public:
-  explicit UserSessionCookieFetcher(Profile* user_profile)
-      : gaia_fetcher_(this,
-                      std::string(GaiaConstants::kChromeOSSource),
-                      user_profile->GetRequestContext()) {
-  }
-  virtual ~UserSessionCookieFetcher() {}
-
-  void Start(const GaiaAuthConsumer::ClientLoginResult& credentials) {
-    gaia_fetcher_.StartIssueAuthToken(credentials.sid, credentials.lsid,
-                                      GaiaConstants::kGaiaService);
+  void OnCookueFetchFailed(const GoogleServiceAuthError& error) {
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    if (!RetryOnError(error))
+      delegate_->OnUserCookiesFetchFailed(username_);
   }
 
   // GaiaAuthConsumer overrides.
   virtual void OnIssueAuthTokenSuccess(const std::string& service,
                                        const std::string& auth_token) OVERRIDE {
     gaia_fetcher_.StartMergeSession(auth_token);
   }
 
   virtual void OnIssueAuthTokenFailure(const std::string& service,
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed IssueAuthToken request, error: " << error.state();
-    HandlerGaiaAuthError(error);
-    delete this;
+    DVLOG(10) << "Failed IssueAuthToken request,"
+             << " error.state=" << error.state();
+    OnCookueFetchFailed(error);
   }
 
   virtual void OnMergeSessionSuccess(const std::string& data) OVERRIDE {
-    VLOG(1) << "MergeSession successful.";
-    delete this;
+    DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
+    DVLOG(10) << "MergeSession successful.";
+    step_ = VERIFICATION_STEP_COOKIES_FETCHED;
+    delegate_->OnUserCookiesFetchSucceeded(username_);
   }
 
   virtual void OnMergeSessionFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
-    LOG(WARNING) << "Failed MergeSession request, error: " << error.state();
-    HandlerGaiaAuthError(error);
-    delete this;
+    DVLOG(10) << "Failed MergeSession request,"
+             << " error.state=" << error.state();
+    OnCookueFetchFailed(error);
   }
 
- private:
-  void HandlerGaiaAuthError(const GoogleServiceAuthError& error) {
-    // Mark this account's login state as offline if we encountered a network
-    // error. That will make us verify user OAuth token and try to fetch session
-    // cookies again once we detect that the machine comes online.
-    if (error.state() == GoogleServiceAuthError::CONNECTION_FAILED)
-      UserManager::Get()->set_offline_login(true);
-  }
+  OAuthLoginVerifier::Delegate* delegate_;
+  GaiaOAuthFetcher oauth_fetcher_;
+  GaiaAuthFetcher gaia_fetcher_;
+  std::string oauth1_token_;
+  std::string oauth1_secret_;
+  std::string sid_;
+  std::string lsid_;
+  std::string username_;
+  Profile* user_profile_;
+  int verification_count_;
+  VerificationStep step_;
 
-  GaiaAuthFetcher gaia_fetcher_;
-  DISALLOW_COPY_AND_ASSIGN(UserSessionCookieFetcher);
+  DISALLOW_COPY_AND_ASSIGN(OAuthLoginVerifier);
 };
 
 // Fetches the oauth token for the device management service. Since Profile
 // creation might be blocking on a user policy fetch, this fetcher must always
 // send a (possibly empty) token to the BrowserPolicyConnector, which will then
 // let the policy subsystem proceed and resume Profile creation.
 // Sending the token even when no Profile is pending is also OK.
 class PolicyOAuthFetcher : public GaiaOAuthConsumer {
  public:
   // Fetches the device management service's oauth token using |oauth1_token|
@@ skipping 34 matching lines @@
   }
 
   const std::string& oauth1_token() const { return oauth1_token_; }
   const std::string& oauth1_secret() const { return oauth1_secret_; }
   bool failed() const {
     return !oauth_fetcher_.HasPendingFetch() && policy_token_.empty();
   }
 
  private:
   virtual void OnGetOAuthTokenSuccess(const std::string& oauth_token) OVERRIDE {
-    VLOG(1) << "Got OAuth request token";
+    VLOG(10) << "Got OAuth request token";
   }
 
   virtual void OnGetOAuthTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
     LOG(WARNING) << "Failed to get OAuth request token, error: "
                  << error.state();
     SetPolicyToken("");
   }
 
   virtual void OnOAuthGetAccessTokenSuccess(
       const std::string& token,
       const std::string& secret) OVERRIDE {
-    VLOG(1) << "Got OAuth access token";
+    VLOG(10) << "Got OAuth access token";
     oauth1_token_ = token;
     oauth1_secret_ = secret;
   }
 
   virtual void OnOAuthGetAccessTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE {
     LOG(WARNING) << "Failed to get OAuth access token, error: "
                  << error.state();
     SetPolicyToken("");
   }
 
   virtual void OnOAuthWrapBridgeSuccess(
       const std::string& service_name,
       const std::string& token,
       const std::string& expires_in) OVERRIDE {
-    VLOG(1) << "Got OAuth access token for " << service_name;
+    VLOG(10) << "Got OAuth access token for " << service_name;
     SetPolicyToken(token);
   }
 
   virtual void OnOAuthWrapBridgeFailure(
       const std::string& service_name,
       const GoogleServiceAuthError& error) OVERRIDE {
     LOG(WARNING) << "Failed to get OAuth access token for " << service_name
                  << ", error: " << error.state();
     SetPolicyToken("");
   }
@@ skipping 54 matching lines @@
 
   int pid_;
   std::string command_line_;
   PrefService* local_state_;
   base::OneShotTimer<JobRestartRequest> timer_;
 };
 
 class LoginUtilsImpl : public LoginUtils,
                        public ProfileManagerObserver,
                        public GaiaOAuthConsumer,
+                       public OAuthLoginVerifier::Delegate,
                        public net::NetworkChangeNotifier::OnlineStateObserver {
  public:
   LoginUtilsImpl()
       : background_view_(NULL),
         pending_requests_(false),
         using_oauth_(false),
         has_cookies_(false),
         delegate_(NULL),
         job_restart_request_(NULL) {
     net::NetworkChangeNotifier::AddOnlineStateObserver(this);
   }
 
   virtual ~LoginUtilsImpl() {
     net::NetworkChangeNotifier::RemoveOnlineStateObserver(this);
   }
 
   // LoginUtils implementation:
   virtual void PrepareProfile(
       const std::string& username,
       const std::string& password,
       const GaiaAuthConsumer::ClientLoginResult& credentials,
       bool pending_requests,
       bool using_oauth,
       bool has_cookies,
       LoginUtils::Delegate* delegate) OVERRIDE;
-  virtual void DelegateDeleted(Delegate* delegate) OVERRIDE;
+  virtual void DelegateDeleted(LoginUtils::Delegate* delegate) OVERRIDE;
   virtual void CompleteOffTheRecordLogin(const GURL& start_url) OVERRIDE;
   virtual void SetFirstLoginPrefs(PrefService* prefs) OVERRIDE;
   virtual scoped_refptr<Authenticator> CreateAuthenticator(
       LoginStatusConsumer* consumer) OVERRIDE;
   virtual void PrewarmAuthentication() OVERRIDE;
   virtual void RestoreAuthenticationSession(const std::string& user_name,
                                             Profile* profile) OVERRIDE;
-  virtual void FetchCookies(
-      Profile* profile,
-      const GaiaAuthConsumer::ClientLoginResult& credentials) OVERRIDE;
   virtual void StartTokenServices(Profile* user_profile) OVERRIDE;
   virtual void StartSync(
       Profile* profile,
       const GaiaAuthConsumer::ClientLoginResult& credentials) OVERRIDE;
   virtual void SetBackgroundView(
       chromeos::BackgroundView* background_view) OVERRIDE;
   virtual chromeos::BackgroundView* GetBackgroundView() OVERRIDE;
   virtual void TransferDefaultCookies(Profile* default_profile,
                                       Profile* new_profile) OVERRIDE;
   virtual void TransferDefaultAuthCache(Profile* default_profile,
                                         Profile* new_profile) OVERRIDE;
 
   // ProfileManagerObserver implementation:
   virtual void OnProfileCreated(Profile* profile, Status status) OVERRIDE;
 
   // GaiaOAuthConsumer overrides.
   virtual void OnGetOAuthTokenSuccess(const std::string& oauth_token) OVERRIDE;
   virtual void OnGetOAuthTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE;
   virtual void OnOAuthGetAccessTokenSuccess(const std::string& token,
                                             const std::string& secret) OVERRIDE;
   virtual void OnOAuthGetAccessTokenFailure(
       const GoogleServiceAuthError& error) OVERRIDE;
 
+  // OAuthLoginVerifier::Delegate overrides.
+  virtual void OnOAuthVerificationSucceeded(const std::string& user_name,
+                                            const std::string& sid,
+                                            const std::string& lsid,
+                                            const std::string& auth) OVERRIDE;
+  virtual void OnOAuthVerificationFailed(const std::string& user_name) OVERRIDE;
+
   // net::NetworkChangeNotifier::OnlineStateObserver overrides.
   virtual void OnOnlineStateChanged(bool online) OVERRIDE;
 
   // Given the authenticated credentials from the cookie jar, try to exchange
   // fetch OAuth request, v1 and v2 tokens.
   void FetchOAuth1AccessToken(Profile* auth_profile);
 
  protected:
   virtual std::string GetOffTheRecordCommandLine(
       const GURL& start_url,
@@ skipping 93 matching lines @@
 void LoginUtilsImpl::PrepareProfile(
     const std::string& username,
     const std::string& password,
     const GaiaAuthConsumer::ClientLoginResult& credentials,
     bool pending_requests,
     bool using_oauth,
     bool has_cookies,
     LoginUtils::Delegate* delegate) {
   BootTimesLoader* btl = BootTimesLoader::Get();
 
-  VLOG(1) << "Completing login for " << username;
+  VLOG(10) << "Completing login for " << username;
 
   if (CrosLibrary::Get()->EnsureLoaded()) {
     btl->AddLoginTimeMarker("StartSession-Start", false);
     DBusThreadManager::Get()->GetSessionManagerClient()->StartSession(
         username);
     btl->AddLoginTimeMarker("StartSession-End", false);
   }
 
   btl->AddLoginTimeMarker("UserLoggedIn-Start", false);
   UserManager::Get()->UserLoggedIn(username);
@@ skipping 26 matching lines @@
       (connector->GetUserAffiliation(username) ==
           policy::CloudPolicyDataStore::USER_AFFILIATION_MANAGED);
 
   // Initialize user policy before the profile is created so the profile
   // initialization code sees the cached policy settings.
   connector->InitializeUserPolicy(username, wait_for_policy_fetch);
 
   if (wait_for_policy_fetch) {
     // Profile creation will block until user policy is fetched, which
     // requires the DeviceManagement token. Try to fetch it now.
-    VLOG(1) << "Profile creation requires policy token, fetching now";
+    VLOG(10) << "Profile creation requires policy token, fetching now";
     policy_oauth_fetcher_.reset(
         new PolicyOAuthFetcher(authenticator_->authentication_profile()));
     policy_oauth_fetcher_->Start();
   }
 
   // The default profile will have been changed because the ProfileManager
   // will process the notification that the UserManager sends out.
   ProfileManager::CreateDefaultProfileAsync(this);
 }
 
-void LoginUtilsImpl::DelegateDeleted(Delegate* delegate) {
+void LoginUtilsImpl::DelegateDeleted(LoginUtils::Delegate* delegate) {
   if (delegate_ == delegate)
     delegate_ = NULL;
 }
 
 void LoginUtilsImpl::OnProfileCreated(Profile* user_profile, Status status) {
   CHECK(user_profile);
   switch (status) {
     case STATUS_INITIALIZED:
       break;
     case STATUS_CREATED:
       if (UserManager::Get()->current_user_is_new())
         SetFirstLoginPrefs(user_profile->GetPrefs());
       RespectLocalePreference(user_profile);
       return;
     case STATUS_FAIL:
     default:
       NOTREACHED();
       return;
   }
 
-  // Initialize the user-policy backend.
-  if (!using_oauth_) {
-    g_browser_process->browser_policy_connector()->
-        SetUserPolicyTokenService(user_profile->GetTokenService());
-  }
-
-  // We suck. This is a hack since we do not have the enterprise feature
-  // done yet to pull down policies from the domain admin. We'll take this
-  // out when we get that done properly.
-  // TODO(xiyuan): Remove this once enterprise feature is ready.
-  if (EndsWith(username_, "@google.com", true)) {
-    PrefService* pref_service = user_profile->GetPrefs();
-    pref_service->SetBoolean(prefs::kEnableScreenLock, true);
-  }
-
   BootTimesLoader* btl = BootTimesLoader::Get();
   btl->AddLoginTimeMarker("UserProfileGotten", false);
 
   if (using_oauth_) {
     // Reuse the access token fetched by the PolicyOAuthFetcher, if it was
     // used to fetch policies before Profile creation.
     if (policy_oauth_fetcher_.get() &&
         !policy_oauth_fetcher_->oauth1_token().empty()) {
-      VLOG(1) << "Resuming profile creation after fetching policy token";
+      VLOG(10) << "Resuming profile creation after fetching policy token";
       StoreOAuth1AccessToken(user_profile,
                              policy_oauth_fetcher_->oauth1_token(),
                              policy_oauth_fetcher_->oauth1_secret());
     }
 
     // Transfer cookies when user signs in using extension.
     if (has_cookies_) {
       // Transfer cookies from the profile that was used for authentication.
       // This profile contains cookies that auth extension should have already
       // put in place that will ensure that the newly created session is
@@ skipping 16 matching lines @@
       VerifyOAuth1AccessToken(user_profile, oauth1_token, oauth1_secret);
     } else {
       // If we don't have it, fetch OAuth1 access token.
       // Use off-the-record profile that was used for this step. It should
       // already contain all needed cookies that will let us skip GAIA's user
       // authentication UI.
       //
       // TODO(rickcam) We should use an isolated App here.
       FetchOAuth1AccessToken(authenticator_->authentication_profile());
     }
-  } else {
-    // Since we're doing parallel authentication, only new user sign in
-    // would perform online auth before calling PrepareProfile.
-    // For existing users there's usually a pending online auth request.
-    // Cookies will be fetched after it's is succeeded.
-    if (!pending_requests_) {
-      FetchCookies(user_profile, credentials_);
-    }
-  }
-
-  if (!using_oauth_) {
-    // We don't need authenticator instance anymore in LoginUtils.
-    // Release it so that ScreenLocker would create a separate instance.
-    // Note that for GAIA WebUI login authenticator instance is reset in
-    // OnOAuthGetAccessTokenSuccess(...).
-    authenticator_ = NULL;
-  }
-
-  // Supply credentials for sync and others to use. Load tokens from disk.
-  if (!using_oauth_) {
-    // For existing users there's usually a pending online auth request.
-    // Tokens will be fetched after it's is succeeded.
-    if (!pending_requests_)
-      StartSync(user_profile, credentials_);
   }
 
   // Own TPM device if, for any reason, it has not been done in EULA
   // wizard screen.
   if (CrosLibrary::Get()->EnsureLoaded()) {
     CryptohomeLibrary* cryptohome = CrosLibrary::Get()->GetCryptohomeLibrary();
     btl->AddLoginTimeMarker("TPMOwn-Start", false);
     if (cryptohome->TpmIsEnabled() && !cryptohome->TpmIsBeingOwned()) {
       if (cryptohome->TpmIsOwned()) {
         cryptohome->TpmClearStoredPassword();
@@ skipping 24 matching lines @@
                                             auth_profile->GetRequestContext(),
                                             auth_profile,
                                             kServiceScopeChromeOS));
   // Let's first get the Oauth request token and OAuth1 token+secret.
   // Once we get that, we will kick off individual requests for OAuth2 tokens
   // for all our services.
   oauth_fetcher_->SetAutoFetchLimit(GaiaOAuthFetcher::OAUTH1_ALL_ACCESS_TOKEN);
   oauth_fetcher_->StartGetOAuthTokenRequest();
 }
 
-void LoginUtilsImpl::FetchCookies(Profile* user_profile,
-    const GaiaAuthConsumer::ClientLoginResult& credentials) {
-  if (!using_oauth_) {
-    // Take the credentials passed in and try to exchange them for
-    // full-fledged Google authentication cookies.  This is
-    // best-effort; it's possible that we'll fail due to network
-    // troubles or some such.
-    // CookieFetcher will delete itself once done.
-    CookieFetcher* cf = new CookieFetcher(user_profile);
-    cf->AttemptFetch(credentials.data);
-  } else {
-    UserSessionCookieFetcher* cf =
-        new UserSessionCookieFetcher(user_profile);
-    cf->Start(credentials);
-  }
-}
-
 void LoginUtilsImpl::StartTokenServices(Profile* user_profile) {
   std::string oauth1_token;
   std::string oauth1_secret;
   if (!ReadOAuth1AccessToken(user_profile, &oauth1_token, &oauth1_secret))
     return;
 
   FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(), oauth1_token,
                        oauth1_secret);
 }
 
@@ skipping 37 matching lines @@
   // Here we don't enable keyboard layouts. Input methods are set up when
   // the user first logs in. Then the user may customize the input methods.
   // Hence changing input methods here, just because the user's UI language
   // is different from the login screen UI language, is not desirable. Note
   // that input method preferences are synced, so users can use their
   // farovite input methods as soon as the preferences are synced.
   LanguageSwitchMenu::SwitchLanguage(pref_locale);
 }
 
 void LoginUtilsImpl::CompleteOffTheRecordLogin(const GURL& start_url) {
-  VLOG(1) << "Completing incognito login";
+  VLOG(10) << "Completing incognito login";
 
   UserManager::Get()->GuestUserLoggedIn();
 
   if (CrosLibrary::Get()->EnsureLoaded()) {
     // Session Manager may kill the chrome anytime after this point.
     // Write exit_cleanly and other stuff to the disk here.
     g_browser_process->EndSession();
 
     // For guest session we ask session manager to restart Chrome with --bwsi
     // flag. We keep only some of the arguments of this process.
     const CommandLine& browser_command_line = *CommandLine::ForCurrentProcess();
     CommandLine command_line(browser_command_line.GetProgram());
     std::string cmd_line_str =
         GetOffTheRecordCommandLine(start_url,
                                    browser_command_line,
                                    &command_line);
 
     if (job_restart_request_) {
       NOTREACHED();
     }
-    VLOG(1) << "Requesting a restart with PID " << getpid()
+    VLOG(10) << "Requesting a restart with PID " << getpid()
             << " and command line: " << cmd_line_str;
     job_restart_request_ = new JobRestartRequest(getpid(), cmd_line_str);
   }
 }
 
 std::string LoginUtilsImpl::GetOffTheRecordCommandLine(
     const GURL& start_url,
     const CommandLine& base_command_line,
     CommandLine* command_line) {
   static const char* kForwardSwitches[] = {
@@ skipping 47 matching lines @@
         kSwitchFormatString,
         switches::kRegisterPepperPlugins,
         base_command_line.GetSwitchValueNative(
             switches::kRegisterPepperPlugins).c_str());
   }
 
   return cmd_line_str;
 }
 
 void LoginUtilsImpl::SetFirstLoginPrefs(PrefService* prefs) {
-  VLOG(1) << "Setting first login prefs";
+  VLOG(10) << "Setting first login prefs";
   BootTimesLoader* btl = BootTimesLoader::Get();
   std::string locale = g_browser_process->GetApplicationLocale();
 
   // First, we'll set kLanguagePreloadEngines.
   input_method::InputMethodManager* manager =
       input_method::InputMethodManager::GetInstance();
   std::vector<std::string> input_method_ids;
   manager->GetInputMethodUtil()->GetFirstLoginInputMethodIds(
       locale, manager->current_input_method(), &input_method_ids);
   // Save the input methods in the user's preferences.
@@ skipping 125 matching lines @@
 
 void LoginUtilsImpl::TransferDefaultAuthCache(Profile* default_profile,
                                               Profile* profile) {
   BrowserThread::PostTask(BrowserThread::IO, FROM_HERE,
                           new TransferDefaultAuthCacheOnIOThreadTask(
                               default_profile->GetRequestContext(),
                               profile->GetRequestContext()));
 }
 
 void LoginUtilsImpl::OnGetOAuthTokenSuccess(const std::string& oauth_token) {
-  VLOG(1) << "Got OAuth request token!";
+  VLOG(10) << "Got OAuth request token!";
 }
 
 void LoginUtilsImpl::OnGetOAuthTokenFailure(
     const GoogleServiceAuthError& error) {
   // TODO(zelidrag): Pop up sync setup UI here?
   LOG(WARNING) << "Failed fetching OAuth request token, error: "
                << error.state();
 }
 
 void LoginUtilsImpl::OnOAuthGetAccessTokenSuccess(const std::string& token,
                                                   const std::string& secret) {
-  VLOG(1) << "Got OAuth v1 token!";
+  VLOG(10) << "Got OAuth v1 token!";
   Profile* user_profile = ProfileManager::GetDefaultProfile();
   StoreOAuth1AccessToken(user_profile, token, secret);
 
   // Verify OAuth1 token by doing OAuthLogin and fetching credentials.
   VerifyOAuth1AccessToken(user_profile, token, secret);
 }
 
 void LoginUtilsImpl::OnOAuthGetAccessTokenFailure(
     const GoogleServiceAuthError& error) {
   // TODO(zelidrag): Pop up sync setup UI here?
@@ skipping 57 matching lines @@
   // Kick off verification of OAuth1 access token (via OAuthLogin), this should
   // let us fetch credentials that will be used to initialize sync engine.
   FetchCredentials(user_profile, token, secret);
 
   FetchSecondaryTokens(user_profile->GetOffTheRecordProfile(), token, secret);
 }
 
 void LoginUtilsImpl::FetchCredentials(Profile* user_profile,
                                       const std::string& token,
                                       const std::string& secret) {
-  oauth_login_verifier_.reset(new OAuthLoginVerifier(user_profile,
+  oauth_login_verifier_.reset(new OAuthLoginVerifier(this,
+                                                     user_profile,
                                                      token,
                                                      secret,
                                                      username_));
-  oauth_login_verifier_->Start();
+  oauth_login_verifier_->StartOAuthVerification();
 }
 
 
 void LoginUtilsImpl::FetchPolicyToken(Profile* offrecord_profile,
                                       const std::string& token,
                                       const std::string& secret) {
   // Fetch dm service token now, if it hasn't been fetched yet.
   if (!policy_oauth_fetcher_.get() || policy_oauth_fetcher_->failed()) {
     // Trigger oauth token fetch for user policy.
     policy_oauth_fetcher_.reset(new PolicyOAuthFetcher(offrecord_profile,
                                                        token,
                                                        secret));
     policy_oauth_fetcher_->Start();
   }
 
   // TODO(zelidrag): We should add initialization of other services somewhere
   // here as well. This could be handled with TokenService class once it is
   // ready to handle OAuth tokens.
 
   // We don't need authenticator instance any more, reset it so that
   // ScreenLocker would create a separate instance.
   // TODO(nkostylev): There's a potential race if SL would be created before
   // OAuth tokens are fetched. It would use incorrect Authenticator instance.
   authenticator_ = NULL;
 }
 
+void LoginUtilsImpl::OnOAuthVerificationFailed(const std::string& user_name) {
+  UserManager::Get()->SaveUserOAuthStatus(user_name,
+                                          User::OAUTH_TOKEN_STATUS_INVALID);
+}
+
+void LoginUtilsImpl::OnOAuthVerificationSucceeded(
+    const std::string& user_name, const std::string& sid,
+    const std::string& lsid, const std::string& auth) {
+  // Kick off sync engine.
+  GaiaAuthConsumer::ClientLoginResult credentials(sid, lsid, auth,
+                                                 std::string());

[xiyuan, 2011/11/17 22:34:58]

nit: align with args above

[zel, 2011/11/18 03:53:39]

Done.

+  StartSync(ProfileManager::GetDefaultProfile(), credentials);
+}
+
+
 void LoginUtilsImpl::OnOnlineStateChanged(bool online) {
   // If we come online for the first time after successful offline login,
   // we need to kick of OAuth token verification process again.
-  if (UserManager::Get()->user_is_logged_in() &&
-      UserManager::Get()->offline_login() && online) {
-    KickStartAuthentication(ProfileManager::GetDefaultProfile());
+  if (online && UserManager::Get()->user_is_logged_in() &&
+      oauth_login_verifier_.get() &&
+      !oauth_login_verifier_->is_done()) {
+    oauth_login_verifier_->ContinueVerification();

[xiyuan, 2011/11/17 22:34:58]

What if we already have a pending OAuthLogin request? See  comments in
ContinueVerification

[zel, 2011/11/18 03:53:39]

ContinueVerification will now check for pending requests.

   }
 }
 
 LoginUtils* LoginUtils::Get() {
   return LoginUtilsWrapper::GetInstance()->get();
 }
 
 void LoginUtils::Set(LoginUtils* mock) {
   LoginUtilsWrapper::GetInstance()->reset(mock);
 }
 
 void LoginUtils::DoBrowserLaunch(Profile* profile,
                                  LoginDisplayHost* login_host) {
   if (browser_shutdown::IsTryingToQuit())
     return;
 
   BootTimesLoader::Get()->AddLoginTimeMarker("BrowserLaunched", false);
 
-  VLOG(1) << "Launching browser...";
+  VLOG(10) << "Launching browser...";
   BrowserInit browser_init;
   int return_code;
   BrowserInit::IsFirstRun first_run = FirstRun::IsChromeFirstRun() ?
       BrowserInit::IS_FIRST_RUN: BrowserInit::IS_NOT_FIRST_RUN;
   browser_init.LaunchBrowser(*CommandLine::ForCurrentProcess(),
                              profile,
                              FilePath(),
                              BrowserInit::IS_PROCESS_STARTUP,
                              first_run,
                              &return_code);
 
   // Mark login host for deletion after browser starts.  This
   // guarantees that the message loop will be referenced by the
   // browser before it is dereferenced by the login host.
   if (login_host) {
     login_host->OnSessionStart();
     login_host = NULL;
   }
 }
 
 }  // namespace chromeos