Identification via OAuth tokens

Identification via OAuth tokens.

BUG=164227
TEST=Make sure you run against the version of the server that doesn't accept cookies (check with the Server Person). Make sure the extension works successfully only if the user is signed into Chrome (so if you sign out of Chrome and sign into Gmail, you should not receive cards).
If the user is signed into Chrome, they can be signed out of Gmail or even signed into a different gmail account - you still should get cards from the signed-in Chrome user.
There were issues when first cards were received only in 5 mins if you access work email via internal short link. These issues should go away now.

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=207780

[rgustafson, 2013-06-19 00:56:51]

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
File chrome/browser/resources/google_now/background.js (right):

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
chrome/browser/resources/google_now/background.js:172:
console.log('setAuthorization: error=' + errorMessage + ', token=' + token);
Does adding the token onto this log really help? It seems a bit sketchy since
that is someone's authentication... "copy your log" now turned into "give me
your credentials" :/

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
chrome/browser/resources/google_now/background.js:183: if (request.status ==
HTTP_FORBIDDEN) {
Could we also handle 401 unauthorized here? It would make me feel much safer
against unexpected changes for the small amount of code it adds.

[vadimt, 2013-06-19 01:38:07]

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
File chrome/browser/resources/google_now/background.js (right):

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
chrome/browser/resources/google_now/background.js:172:
console.log('setAuthorization: error=' + errorMessage + ', token=' + token);
On 2013/06/19 00:56:51, rgustafson wrote:
> Does adding the token onto this log really help? It seems a bit sketchy since
> that is someone's authentication... "copy your log" now turned into "give me
> your credentials" :/

Done.

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
chrome/browser/resources/google_now/background.js:183: if (request.status ==
HTTP_FORBIDDEN) {
On 2013/06/19 00:56:51, rgustafson wrote:
> Could we also handle 401 unauthorized here? It would make me feel much safer
> against unexpected changes for the small amount of code it adds.

Done.

[skare_, 2013-06-19 05:21:22]

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
File chrome/browser/resources/google_now/background.js (right):

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
chrome/browser/resources/google_now/background.js:183: if (request.status ==
HTTP_FORBIDDEN) {
On 2013/06/19 01:38:07, vadimt wrote:
> On 2013/06/19 00:56:51, rgustafson wrote:
> > Could we also handle 401 unauthorized here? It would make me feel much safer
> > against unexpected changes for the small amount of code it adds.
> 
> Done.

half-curiosity -- have you seen "forbidden" in practice?
I'm not up to speed with the project-level oauth stuff but IIRC 401 unauthorized
is bad creds that could be fixed by refreshing them, whereas 403 can mean the
authentication itself was successful but the user isn't allowed to perform the
operation in question.

[vadimt, 2013-06-19 17:45:52]

On 2013/06/19 05:21:22, Travis Skare wrote:
>
https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
> File chrome/browser/resources/google_now/background.js (right):
> 
>
https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
> chrome/browser/resources/google_now/background.js:183: if (request.status ==
> HTTP_FORBIDDEN) {
> On 2013/06/19 01:38:07, vadimt wrote:
> > On 2013/06/19 00:56:51, rgustafson wrote:
> > > Could we also handle 401 unauthorized here? It would make me feel much
safer
> > > against unexpected changes for the small amount of code it adds.
> > 
> > Done.
> 
> half-curiosity -- have you seen "forbidden" in practice?
> I'm not up to speed with the project-level oauth stuff but IIRC 401
unauthorized
> is bad creds that could be fixed by refreshing them, whereas 403 can mean the
> authentication itself was successful but the user isn't allowed to perform the
> operation in question.

I've only seen forbidden (after I revoked access via
https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en). Never 401.
This is logical. You are authorized, but don't have a permission to do an
operation (revoked), hence 403.

[rgustafson, 2013-06-19 18:39:10]

lgtm

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
File chrome/browser/resources/google_now/background.js (right):

https://codereview.chromium.org/17412009/diff/1/chrome/browser/resources/goog...
chrome/browser/resources/google_now/background.js:183: if (request.status ==
HTTP_FORBIDDEN) {
On 2013/06/19 05:21:23, Travis Skare wrote:
> On 2013/06/19 01:38:07, vadimt wrote:
> > On 2013/06/19 00:56:51, rgustafson wrote:
> > > Could we also handle 401 unauthorized here? It would make me feel much
safer
> > > against unexpected changes for the small amount of code it adds.
> > 
> > Done.
> 
> half-curiosity -- have you seen "forbidden" in practice?
> I'm not up to speed with the project-level oauth stuff but IIRC 401
unauthorized
> is bad creds that could be fixed by refreshing them, whereas 403 can mean the
> authentication itself was successful but the user isn't allowed to perform the
> operation in question.

The server should only be involved in the revoked access cases. The actual 401
unauthorized cases (ie not signed into Chrome) should be covered by failures in
getAuthToken.

[skare_, 2013-06-20 19:27:17]

lgtm

[vadimt, 2013-06-20 19:28:42]

arv@, please provide OWNER's approval

[arv (Not doing code reviews), 2013-06-20 19:43:16]

LGTM

[commit-bot: I haz the power, 2013-06-21 01:26:44]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/vadimt@chromium.org/17412009/17001

[commit-bot: I haz the power, 2013-06-21 10:02:54]

Change committed as 207780