feat(recovery): fetch recovery key status with passwordForgotToken #17636
Conversation
|
@vpomerleau I believe this is relevant to your interests. |
| @@ -297,7 +297,7 @@ module.exports = ( | |||
| ...RECOVERY_KEY_DOCS.RECOVERYKEY_EXISTS_POST, | |||
| auth: { | |||
| mode: 'optional', | |||
There was a problem hiding this comment.
Since this now returns the recovery key hint which could contain sensitive data, we'd want to make sure this request always uses either a session token or a passwordForgotToken (= not optional)
There was a problem hiding this comment.
Good catch. I think I'll keep it optional for backwards compat but only return a hint if the request's authenticated.
chenba
force-pushed
the
FXA-9398-forgot-token-auth
branch
from
9f54acc
to
550b0cb
Compare
| @@ -296,8 +296,10 @@ module.exports = ( | |||
| options: { | |||
| ...RECOVERY_KEY_DOCS.RECOVERYKEY_EXISTS_POST, | |||
| auth: { | |||
| mode: 'optional', | |||
There was a problem hiding this comment.
auth is no longer optional for this endpoint.
There was a problem hiding this comment.
Should also update the swagger docs to reflect the change?
chenba
force-pushed
the
FXA-9398-forgot-token-auth
branch
2 times, most recently
from
b2bfdf0
to
b4916b7
Compare
| token = await getCredentialsFunc(parsedHeader.id); | ||
| } catch (_) { | ||
| // we'll handle the empty token case below | ||
| } |
There was a problem hiding this comment.
Previously if getCredentialsFunc throws an error, that's the resulting error of the auth. This makes the error a bit more consistent, but it is a change in the API.
| strategies: [ | ||
| 'multiStrategySessionToken', | ||
| 'multiStrategyPasswordForgotToken', | ||
| ], | ||
| }, | ||
| validate: { | ||
| payload: isA.object({ |
There was a problem hiding this comment.
We could remove this email here since we're no longer allowing unauthenticated use of this endpoint?
There was a problem hiding this comment.
We could, yes. I don't know how much clean up it would require. So, I could either file a follow-up jira or I can clean it up as part of this patch. Since this PR is blocking you, what do you think?
There was a problem hiding this comment.
Maybe it is scope creep since it doesn't technically cause problems to keep email as an optional payload... Could perhaps be noted in the backbone reset password cleanup ticket (FXA-8267) since that's the only remaining place (that I can see) that attempts to check for recovery key with an email.
There was a problem hiding this comment.
Follow up is probably fine. I don't see any risks with removing the email value since we should be the only ones using it on our frontends. I don't believe others are using the email value in the api, or this api at all lol.
There was a problem hiding this comment.
I don't see any risks with removing the email value ...
Oh yeah, I'm not worried about breaking anything. It's just a matter of how much delay we want to tolerate to get the code as clean as we'd like.
There was a problem hiding this comment.
Could perhaps be noted in the backbone reset password cleanup ticket (FXA-8267) since that's the only remaining place ...
I was more concerned with the auth-client still accepting a payload for the email (and whatever might be using it). I assume the Backbone stuff will be deleted wholesale at some point anyway.
| } | ||
| const exists = await db.recoveryKeyExists(uid); | ||
| const uid = request.auth.credentials.uid; | ||
| const recoveryKeyRecordWithHint = await db.getRecoveryKeyHint(uid); |
There was a problem hiding this comment.
nit: The variable name is pretty clear, but database function name is a little confusing. Maybe they could be named similar.
| @@ -401,6 +401,19 @@ async function create(log, error, config, routes, db, statsd, glean) { | |||
| hawkFxAToken.strategy(makeCredentialFn(db.passwordChangeToken.bind(db))) | |||
| ); | |||
|
|
|||
| server.auth.scheme( | |||
There was a problem hiding this comment.
Cool, I like this. I think a comment above might be helpful to explain how these are used.
| strategies: [ | ||
| 'multiStrategySessionToken', | ||
| 'multiStrategyPasswordForgotToken', | ||
| ], | ||
| }, | ||
| validate: { | ||
| payload: isA.object({ |
There was a problem hiding this comment.
Follow up is probably fine. I don't see any risks with removing the email value since we should be the only ones using it on our frontends. I don't believe others are using the email value in the api, or this api at all lol.
| @@ -296,8 +296,10 @@ module.exports = ( | |||
| options: { | |||
| ...RECOVERY_KEY_DOCS.RECOVERYKEY_EXISTS_POST, | |||
| auth: { | |||
| mode: 'optional', | |||
There was a problem hiding this comment.
Should also update the swagger docs to reflect the change?
| strategies: [ | ||
| 'multiStrategySessionToken', | ||
| 'multiStrategyPasswordForgotToken', | ||
| ], | ||
| }, | ||
| validate: { | ||
| payload: isA.object({ |
There was a problem hiding this comment.
Maybe it is scope creep since it doesn't technically cause problems to keep email as an optional payload... Could perhaps be noted in the backbone reset password cleanup ticket (FXA-8267) since that's the only remaining place (that I can see) that attempts to check for recovery key with an email.
| const result: RecoveryKeyCheckResult = | ||
| await authClient.passwordForgotRecoveryKeyStatus( | ||
| passwordForgotToken, | ||
There was a problem hiding this comment.
I don't think we need to pass in the email since it's optional and won't be used by the endpoint
chenba
force-pushed
the
FXA-9398-forgot-token-auth
branch
from
b4916b7
to
78963c1
Compare
chenba
force-pushed
the
FXA-9398-forgot-token-auth
branch
from
78963c1
to
85e5b49
Compare
Because:
- we want to allow the user to get their recovery key status with the
'passwordForgotToken' they received during the reset password flow
This commit:
- adds passwordForgotToken to the allowed auth strategies for the
/recoveryKey/exists auth-server endpoint
- removes the optional auth config on the endpoint
- updates the auth client to use the passwordForgotToken to access
that endpoint
- returns the recovery key hint along with the exists status
- passes the hint in Setting when navigating post-reset
chenba
force-pushed
the
FXA-9398-forgot-token-auth
branch
from
85e5b49
to
4958413
Compare
|
Filed FXA-10441 as a follow-up. |
Because:
This commit:
Fixes FXA-9398, FXA-7400