Skip to content

Commit 810c5cc

Browse files
vbudhramvbudhram
authored
Merge pull request #19518 from mozilla/fxa-12437
chore(mfa): Remove redudant checks for mfa
2 parents bb9e3c1 + 767295d commit 810c5cc

File tree

7 files changed

+4
-100
lines changed

7 files changed

+4
-100
lines changed

packages/fxa-auth-server/lib/routes/password.ts

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -101,16 +101,6 @@ module.exports = function (
101101
// The subsequent call to 'getKeys' would fail, ultimately orphaning a passwordChangeToken...
102102
const sessionToken = request.auth.credentials;
103103

104-
if (!sessionToken.emailVerified) {
105-
statsd.increment('passwordChange.start.emailNotVerified');
106-
throw error.unverifiedAccount();
107-
}
108-
109-
if (sessionToken.tokenVerificationId) {
110-
statsd.increment('passwordChange.start.sessionNotVerified');
111-
throw error.unverifiedSession();
112-
}
113-
114104
await customs.checkAuthenticated(
115105
request,
116106
sessionToken.uid,

packages/fxa-auth-server/lib/routes/recovery-codes.js

Lines changed: 2 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -44,13 +44,7 @@ module.exports = (log, db, config, customs, mailer, glean, statsd) => {
4444
async handler(request) {
4545
log.begin('replaceRecoveryCodes', request);
4646

47-
const { authenticatorAssuranceLevel, uid } = request.auth.credentials;
48-
49-
// Since TOTP and backup authentication codes go hand in hand, you should only be
50-
// able to replace backup authentication codes in a TOTP verified session.
51-
if (!authenticatorAssuranceLevel || authenticatorAssuranceLevel <= 1) {
52-
throw errors.unverifiedSession();
53-
}
47+
const { uid } = request.auth.credentials;
5448

5549
const recoveryCodes = await db.replaceRecoveryCodes(
5650
uid,
@@ -187,13 +181,7 @@ module.exports = (log, db, config, customs, mailer, glean, statsd) => {
187181
async handler(request) {
188182
log.begin('updateRecoveryCodes', request);
189183

190-
const { authenticatorAssuranceLevel, uid } = request.auth.credentials;
191-
192-
// Since TOTP and backup authentication codes go hand in hand, you should only be
193-
// able to replace backup authentication codes in a TOTP verified session.
194-
if (!authenticatorAssuranceLevel || authenticatorAssuranceLevel <= 1) {
195-
throw errors.unverifiedSession();
196-
}
184+
const { uid } = request.auth.credentials;
197185

198186
const { recoveryCodes } = request.payload;
199187
await db.updateRecoveryCodes(uid, recoveryCodes);

packages/fxa-auth-server/lib/routes/recovery-key.js

Lines changed: 1 addition & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -53,10 +53,6 @@ module.exports = (
5353

5454
const sessionToken = request.auth.credentials;
5555

56-
if (sessionToken.tokenVerificationId) {
57-
throw errors.unverifiedSession();
58-
}
59-
6056
const { uid } = sessionToken;
6157
const { recoveryKeyId, recoveryData, enabled, replaceKey } =
6258
request.payload;
@@ -434,11 +430,7 @@ module.exports = (
434430
async handler(request) {
435431
log.begin('recoveryKeyDelete', request);
436432

437-
const { tokenVerificationId, uid } = request.auth.credentials;
438-
439-
if (tokenVerificationId) {
440-
throw errors.unverifiedSession();
441-
}
433+
const { uid } = request.auth.credentials;
442434

443435
await db.deleteRecoveryKey(uid);
444436
await recordSecurityEvent('account.recovery_key_removed', {

packages/fxa-auth-server/lib/routes/totp.js

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -98,17 +98,13 @@ module.exports = (
9898
handler: async function (request) {
9999
log.begin('totp.create', request);
100100

101-
const { email, uid, tokenVerificationId } = request.auth.credentials;
101+
const { email, uid } = request.auth.credentials;
102102

103103
const account = await db.account(uid);
104104
if (!account.emailVerified) {
105105
throw errors.unverifiedAccount();
106106
}
107107

108-
if (tokenVerificationId) {
109-
throw errors.unverifiedSession();
110-
}
111-
112108
await customs.checkAuthenticated(request, uid, email, 'totpCreate');
113109

114110
const hasEnabledToken = await otpUtils.hasTotpToken({ uid });

packages/fxa-auth-server/test/local/routes/recovery-codes.js

Lines changed: 0 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -117,16 +117,6 @@ describe('backup authentication codes', () => {
117117
);
118118
});
119119
});
120-
121-
it("should't replace codes in non-TOTP verified session", () => {
122-
requestOptions.credentials.authenticatorAssuranceLevel = 1;
123-
return runTest('/recoveryCodes', requestOptions, 'GET').then(
124-
assert.fail,
125-
(err) => {
126-
assert.equal(err.errno, error.ERRNO.SESSION_UNVERIFIED);
127-
}
128-
);
129-
});
130120
});
131121

132122
describe('PUT /recoveryCodes', () => {
@@ -168,17 +158,6 @@ describe('backup authentication codes', () => {
168158
);
169159
});
170160
});
171-
172-
it("should't overwrite codes for non-TOTP verified session", () => {
173-
requestOptions.credentials.authenticatorAssuranceLevel = 1;
174-
requestOptions.payload.recoveryCodes = ['123'];
175-
return runTest('/recoveryCodes', requestOptions, 'PUT').then(
176-
assert.fail,
177-
(err) => {
178-
assert.equal(err.errno, error.ERRNO.SESSION_UNVERIFIED);
179-
}
180-
);
181-
});
182161
});
183162

184163
describe('GET /recoveryCodes/exists', () => {

packages/fxa-auth-server/test/local/routes/recovery-keys.js

Lines changed: 0 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -784,35 +784,6 @@ describe('DELETE /recoveryKey', () => {
784784
);
785785
});
786786
});
787-
788-
describe('should fail for unverified session', () => {
789-
beforeEach(() => {
790-
mockAccountEventsManager = mocks.mockAccountEventsManager();
791-
const requestOptions = {
792-
method: 'DELETE',
793-
credentials: { uid, email, tokenVerificationId: 'unverified' },
794-
log,
795-
};
796-
return setup(
797-
{ db: { recoveryData } },
798-
{},
799-
'/recoveryKey',
800-
requestOptions
801-
).then(assert.fail, (err) => (response = err));
802-
});
803-
804-
after(() => {
805-
mocks.unMockAccountEventsManager();
806-
});
807-
808-
it('returned the correct response', () => {
809-
assert.equal(
810-
response.errno,
811-
errors.ERRNO.SESSION_UNVERIFIED,
812-
'unverified session'
813-
);
814-
});
815-
});
816787
});
817788

818789
describe('POST /recoveryKey/hint', () => {

packages/fxa-auth-server/test/local/routes/totp.js

Lines changed: 0 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -110,18 +110,6 @@ describe('totp', () => {
110110
});
111111
});
112112

113-
it('should be disabled in unverified session', () => {
114-
requestOptions.credentials.tokenVerificationId = 'notverified';
115-
return setup(
116-
{ db: { email: TEST_EMAIL, emailVerified: true } },
117-
{},
118-
'/totp/create',
119-
requestOptions
120-
).then(assert.fail, (err) => {
121-
assert.deepEqual(err.errno, 138, 'unverified session error');
122-
});
123-
});
124-
125113
it('should be disabled for unverified email', () => {
126114
return setup(
127115
{ db: { email: TEST_EMAIL, emailVerified: false } },

0 commit comments

Comments
 (0)