feat(third-party-auth): Conditionally render login buttons on signin

Because:
* Users that have an account via third-party auth and have not yet set a password should be shown a login screen that shows the login button(s) relevant to them instead of the 'enter a password' view

This commit:
* Adds necessary conditional logic to sign_in_password
* Updates the accoun/status endpoint to return third party auth status data when requested

closes FXA-4776

Author: LZoog

packages/functional-tests/tests/oauth/signinTokenCode.spec.ts

@@ -62,9 +62,9 @@ test.describe('OAuth signin token code', () => {
     // This will cause the token become 'invalid' and ultimately cause an
     // INVALID_TOKEN error to be thrown.
     await login.destroySession(email);
-    await page.waitForNavigation({ waitUntil: 'networkidle' }),
-      // Destroying the session should direct user back to sign in page
-      expect(await login.passwordHeader.isVisible()).toBeTruthy();
+    await page.waitForURL(/oauth\/signin/);
+    // Destroying the session should direct user back to sign in page
+    await login.passwordHeader.waitFor({ state: 'visible' });
   });
 
   test('verified - valid code', async ({

packages/fxa-auth-client/lib/client.ts

@@ -710,8 +710,11 @@ export default class AuthClient {
     return this.request('GET', `/account/status?uid=${uid}`);
   }
 
-  async accountStatusByEmail(email: string) {
-    return this.request('POST', '/account/status', { email });
+  async accountStatusByEmail(
+    email: string,
+    options: { thirdPartyAuthStatus?: boolean } = {}
+  ) {
+    return this.request('POST', '/account/status', { email, ...options });
   }
 
   async accountProfile(sessionToken: hexstring) {

packages/fxa-auth-server/lib/db/index.js

@@ -265,9 +265,9 @@ module.exports = (config, log, Token, UnblockCode = null) => {
     return PasswordChangeToken.fromHex(data.tokenData, data);
   };
 
-  DB.prototype.accountRecord = async function (email) {
+  DB.prototype.accountRecord = async function (email, options) {
     log.trace('DB.accountRecord', { email });
-    const account = await Account.findByPrimaryEmail(email);
+    const account = await Account.findByPrimaryEmail(email, options);
     if (!account) {
       throw error.unknownAccount(email);
     }

packages/fxa-auth-server/lib/routes/account.ts

@@ -1148,6 +1148,8 @@ export class AccountHandler {
   async accountStatusCheck(request: AuthRequest) {
     const email = (request.payload as any).email;
     const checkDomain = !!(request.payload as any).checkDomain;
+    const thirdPartyAuthStatus = !!(request.payload as any)
+      .thirdPartyAuthStatus;
     let invalidDomain = false;
 
     if (checkDomain) {
@@ -1156,14 +1158,31 @@ export class AccountHandler {
 
     await this.customs.check(request, email, 'accountStatusCheck');
 
-    const result: { exists: boolean; invalidDomain?: boolean } = {
+    const result: {
+      exists: boolean;
+      invalidDomain?: boolean;
+      hasLinkedAccount?: boolean;
+      hasPassword?: boolean;
+    } = {
       exists: false,
       invalidDomain: undefined,
+      hasLinkedAccount: undefined,
+      hasPassword: undefined,
     };
 
     try {
-      const exist = await this.db.accountExists(email);
-      result.exists = exist;
+      if (thirdPartyAuthStatus) {
+        const account = await this.db.accountRecord(email, {
+          linkedAccounts: true,
+        });
+        // account must exist or unknown account error is thrown
+        result.exists = true;
+        result.hasLinkedAccount = account.linkedAccounts.length > 0;
+        result.hasPassword = account.verifierSetAt > 0;
+      } else {
+        const exist = await this.db.accountExists(email);
+        result.exists = exist;
+      }
 
       if (checkDomain) {
         result.invalidDomain = invalidDomain;
@@ -1895,12 +1914,15 @@ export const accountRoutes = (
         validate: {
           payload: isA.object({
             email: validators.email().required(),
+            thirdPartyAuthStatus: isA.boolean().optional().default(false),
             checkDomain: isA.optional(),
           }),
         },
         response: {
           schema: isA.object({
             exists: isA.boolean().required(),
+            hasLinkedAccount: isA.boolean().optional(),
+            hasPassword: isA.boolean().optional(),
             invalidDomain: isA.boolean().optional(),
           }),
         },

packages/fxa-auth-server/test/local/routes/account.js

@@ -1348,7 +1348,11 @@ describe('/account/stub', () => {
 });
 
 describe('/account/status', () => {
-  function setup(extraConfig) {
+  function setup({
+    extraConfig = {},
+    dbOptions = {},
+    shouldError = true,
+  } = {}) {
     const config = {
       securityHistory: {
         enabled: true,
@@ -1397,15 +1401,14 @@ describe('/account/status', () => {
         uaOSVersion: '10.10',
         uid,
         wrapWrapKb: 'wibble',
+        ...dbOptions,
       },
       {
-        emailRecord: new error.unknownAccount(),
+        ...(shouldError && {
+          emailRecord: new error.unknownAccount(),
+        }),
       }
     );
-    mockDB.accountExists = (arg) => {
-      return false;
-    };
-
     const mockMailer = mocks.mockMailer();
     const mockPush = mocks.mockPush();
     const verificationReminders = mocks.mockVerificationReminders();
@@ -1473,6 +1476,41 @@ describe('/account/status', () => {
       assert.equal(response.invalidDomain, undefined);
     });
   });
+
+  it('calls accountRecord and returns expected values when thirdPartyAuthStatus is requested', async () => {
+    const { route, mockRequest, mockDB } = setup({
+      dbOptions: {
+        linkedAccounts: [{}],
+        verifierSetAt: 0,
+      },
+      shouldError: false,
+    });
+    mockRequest.payload.thirdPartyAuthStatus = true;
+
+    return runTest(route, mockRequest, (response) => {
+      assert.equal(mockDB.accountRecord.callCount, 1);
+      assert.equal(mockDB.accountExists.callCount, 0);
+
+      assert.equal(response.exists, true);
+      assert.equal(response.hasLinkedAccount, true);
+      assert.equal(response.hasPassword, false);
+    });
+  });
+
+  it('calls accountExists when thirdPartyAuthStatus is not requested', async () => {
+    const { route, mockRequest, mockDB } = setup({
+      dbOptions: { exists: false },
+    });
+
+    return runTest(route, mockRequest, (response) => {
+      assert.equal(mockDB.accountRecord.callCount, 0);
+      assert.equal(mockDB.accountExists.callCount, 1);
+
+      assert.equal(response.exists, false);
+      assert.equal(response.linkedAccounts, undefined);
+      assert.equal(response.hasPassword, undefined);
+    });
+  });
 });
 
 describe('/account/finish_setup', () => {

packages/fxa-auth-server/test/mocks.js

@@ -111,6 +111,7 @@ const DB_METHOD_NAMES = [
   'getLinkedAccount',
   'createLinkedAccount',
   'deleteLinkedAccount',
+  'accountExists',
 ];
 
 const LOG_METHOD_NAMES = [
@@ -308,6 +309,9 @@ function mockDB(data, errors) {
         },
       ]);
     }),
+    accountExists: sinon.spy(() => {
+      return Promise.resolve(data.exists ?? true);
+    }),
     accountRecord: sinon.spy(() => {
       if (errors.emailRecord) {
         return Promise.reject(errors.emailRecord);
@@ -339,6 +343,7 @@ function mockDB(data, errors) {
         uid: data.uid,
         wrapWrapKb: crypto.randomBytes(32),
         verifierSetAt: data.verifierSetAt ?? Date.now(),
+        linkedAccounts: data.linkedAccounts,
       });
     }),
     consumeSigninCode: sinon.spy(() => {

packages/fxa-auth-server/test/remote/db_tests.js

@@ -1571,6 +1571,39 @@ describe('#integration - remote db', function () {
       });
     });
 
+    it('can retrieve linked account', async () => {
+      const linkedAccount = await db.createLinkedAccount(
+        account.uid,
+        'googleid',
+        'google'
+      );
+      // linkedAccount UID comes back as a buffer but we want a hex string
+      // comparison to see what accountRecord retrieves
+      if (linkedAccount.uid instanceof Buffer) {
+        linkedAccount.uid = linkedAccount.uid.toString('hex');
+      }
+
+      const accountRecord = await db.accountRecord(account.email, {
+        linkedAccounts: true,
+      });
+
+      assert.deepEqual(
+        linkedAccount,
+        accountRecord.linkedAccounts[0],
+        'should contain an array of linked accounts'
+      );
+    });
+
+    it('does not retrieve linked account without option specified', async () => {
+      await db.createLinkedAccount(account.uid, 'googleid', 'google');
+      const accountRecord = await db.accountRecord(account.email);
+      assert.strictEqual(
+        accountRecord.linkedAccounts,
+        undefined,
+        'linkedAccounts should be undefined'
+      );
+    });
+
     it('returns unknown account', () => {
       return db
         .accountRecord('[email protected]')

packages/fxa-content-server/app/scripts/lib/fxa-client.js

@@ -207,6 +207,27 @@ FxaClientWrapper.prototype = {
     });
   }),
 
+  /**
+   * Check if the account's email is registered and retrieve third-party auth related values.
+   * @param {String} email
+   * @returns {Promise<{
+   *  exists: boolean,
+   *  hasLinkedAccount: boolean,
+   *  hasPassword: boolean
+   * }>}
+   */
+  checkAccountStatus: withClient((client, email) => {
+    return client
+      .accountStatusByEmail(email, { thirdPartyAuthStatus: true })
+      .then(function ({ exists, hasLinkedAccount, hasPassword }) {
+        return {
+          exists,
+          hasLinkedAccount,
+          hasPassword,
+        };
+      });
+  }),
+
   /**
    * Authenticate a user.
    *

packages/fxa-content-server/app/scripts/models/account.js

@@ -74,6 +74,8 @@ const DEFAULTS = _.extend(
     verificationReason: undefined,
     totpVerified: undefined,
     providerUid: undefined,
+    hasLinkedAccount: undefined,
+    hasPassword: undefined,
   },
   PERSISTENT
 );
@@ -818,6 +820,27 @@ const Account = Backbone.Model.extend(
       return this._fxaClient.checkAccountExistsByEmail(this.get('email'));
     },
 
+    /**
+     * Check if the account's email is registered and retrieve third-party auth related values.
+     * Sets the third-party auth values onto the model.
+     * @returns {Promise<{
+     *  exists: boolean,
+     *  hasLinkedAccount: boolean,
+     *  hasPassword: boolean
+     * }>}
+     */
+    async checkAccountStatus() {
+      const { hasLinkedAccount, hasPassword, exists } =
+        await this._fxaClient.checkAccountStatus(this.get('email'));
+      this.set('hasLinkedAccount', hasLinkedAccount);
+      this.set('hasPassword', hasPassword);
+      return {
+        hasLinkedAccount,
+        hasPassword,
+        exists,
+      };
+    },
+
     /**
      * Check whether the account's UID is registered.
      *

packages/fxa-content-server/app/scripts/models/user.js

@@ -713,6 +713,26 @@ var User = Backbone.Model.extend({
     });
   },
 
+  /**
+   * Check whether an Account's `email` is registered. Removes the account
+   * from storage if account no longer exists on the server.
+   * Additionally, retrieves third-party auth related values.
+   * @param {Object} account - account to check
+   * @returns {Promise<{
+   *  exists: boolean,
+   *  hasLinkedAccount: boolean,
+   *  hasPassword: boolean
+   * }>}
+   */
+  checkAccountStatus(account) {
+    return account.checkAccountStatus().then((result) => {
+      if (!result.exists) {
+        this.removeAccount(account);
+      }
+      return result;
+    });
+  },
+
   /**
    * Reject the unblockCode for the given account. This invalidates
    * the unblock code and logs the signin attempt as suspicious.