Conversation

@MagentaManifold
Contributor

Because

  • General Application Error when interacting with site after 2FA enabled

This pull request

  • redirects user on AAL mismatch in MFA guard

Issue that this pull request solves

Closes: FXA-12576

Checklist


  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).


@MagentaManifold MagentaManifold marked this pull request as ready for review October 24, 2025 23:16
@MagentaManifold MagentaManifold requested a review from a team as a code owner October 24, 2025 23:16
@dschom dschom self-requested a review October 27, 2025 17:22
MfaOtpRequestCache.set(sessionToken, requiredScope);
await authClient.mfaRequestOtp(sessionToken, requiredScope);
} catch (err) {
MfaOtpRequestCache.remove(sessionToken, requiredScope);
Contributor

What's the reason for removing the call to the error boundary? Assuming there's a good reason, we probably want to also clear the MfaOtpRequestCache request cache too so it's consistent with the error-boundaries logic.

Contributor Author

It doesn't make sense to call the error boundary here, since the MFA error boundary handles invalid jwt and does not handle other authorization errors. (In this case it is not even possible for MfaErrorBoundary to differentiate invalid jwt and AAL mismatch, since they use the same errno INVALID_TOKEN)

setLocalizedErrorBannerMessage(undefined);
setShowResendSuccessBanner(true);
} catch (err) {
MfaOtpRequestCache.remove(sessionToken, requiredScope);
Contributor

@dschom dschom Oct 27, 2025

See comment above about removing call to error boundary.

} = await authClient.sessionStatus(sessionToken);
if (!sessionVerificationMeetsMinimumAAL) {
console.warn('2FA must be entered to access /settings!');
navigateWithQuery('/signin_totp_code', {
Contributor

When testing locally, I see a flash of the child component before navigation - we should render a LoadingSpinner until we've resolved AAL/JWT checks
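
The spinner-until-resolved behaviour asked for above, as an added example that is not code from the fxa repository or from this pull request. It is a framework-free model of the guard: the state starts as `pending` (render a spinner, never the child), and the AAL decision is taken from the `sessionStatus()` result, not from an error code, since the thread notes that AAL mismatch and invalid JWT share the same errno. Identifiers that appear in the review thread are reused (`sessionStatus`, `sessionVerificationMeetsMinimumAAL`, `/signin_totp_code`); the `AuthClient` interface, `AuthError`, the errno value `110`, and the fake client are assumptions made for this example.

```typescript
// Added example, not fxa project code. Models an MFA route guard that holds a
// 'pending' state (spinner) until the session's AAL check has resolved, so the
// guarded child is never rendered for a session that is about to be redirected.

type SessionStatus = { details: { sessionVerificationMeetsMinimumAAL: boolean } };

// Assumed shape of the auth client; only the one call the guard needs.
interface AuthClient {
  sessionStatus(sessionToken: string): Promise<SessionStatus>;
}

// Assumed errno value. The thread notes invalid JWT and AAL mismatch share this
// errno, which is why the guard decides from sessionStatus(), not from errno.
const ERRNO_INVALID_TOKEN = 110;

class AuthError extends Error {
  constructor(message: string, public readonly errno: number) {
    super(message);
  }
}

type GuardState =
  | { kind: 'pending' }                                        // spinner, child not mounted
  | { kind: 'allow' }                                          // child may render
  | { kind: 'redirect'; to: string; reason: 'aal_mismatch' }   // navigate away
  | { kind: 'error'; errno?: number };                         // hand off to the error boundary

class MfaGuard {
  private state: GuardState = { kind: 'pending' };

  constructor(private readonly authClient: AuthClient,
              private readonly sessionToken: string) {}

  getState(): GuardState { return this.state; }

  // Pure mapping from a sessionStatus() result to the next state.
  applyStatus(status: SessionStatus): GuardState {
    this.state = status.details.sessionVerificationMeetsMinimumAAL
      ? { kind: 'allow' }
      : { kind: 'redirect', to: '/signin_totp_code', reason: 'aal_mismatch' };
    return this.state;
  }

  // A failed status call (INVALID_TOKEN included) is not an AAL decision; it is
  // surfaced with its errno for the error boundary to handle.
  applyError(err: unknown): GuardState {
    const errno = err instanceof AuthError ? err.errno : undefined;
    this.state = { kind: 'error', errno };
    return this.state;
  }

  async resolve(): Promise<GuardState> {
    try {
      return this.applyStatus(await this.authClient.sessionStatus(this.sessionToken));
    } catch (err) {
      return this.applyError(err);
    }
  }

  // What the component should render now. Before resolve() settles this is
  // always 'spinner', which removes the flash of the child before navigation.
  view(): 'spinner' | 'child' | 'redirect' | 'error' {
    switch (this.state.kind) {
      case 'pending': return 'spinner';
      case 'allow': return 'child';
      case 'redirect': return 'redirect';
      default: return 'error';
    }
  }
}

// Constructed fake (not a real auth server): token -> AAL result, or an
// AuthError with the assumed INVALID_TOKEN errno for unknown tokens.
function makeFakeAuthClient(sessions: Record<string, boolean>): AuthClient {
  return {
    async sessionStatus(sessionToken) {
      if (!(sessionToken in sessions)) {
        throw new AuthError('Invalid authentication token', ERRNO_INVALID_TOKEN);
      }
      return { details: { sessionVerificationMeetsMinimumAAL: sessions[sessionToken] === true } };
    },
  };
}

// Runs all three paths and reports the view before and after resolution.
async function demo(): Promise<Record<string, [string, string]>> {
  const client = makeFakeAuthClient({ 'tok-aal2': true, 'tok-aal1': false });
  const out: Record<string, [string, string]> = {};
  for (const tok of ['tok-aal2', 'tok-aal1', 'tok-bogus']) {
    const guard = new MfaGuard(client, tok);
    const before = guard.view();
    await guard.resolve();
    out[tok] = [before, guard.view()];
  }
  return out;
}
```

In a React component the same shape applies: keep the guard state in a `useState`, return the spinner while it is `pending`, call `navigateWithQuery` on `redirect`, and only mount the child on `allow`.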

const {
details: { sessionVerificationMeetsMinimumAAL },
} = await authClient.sessionStatus(sessionToken);
if (!sessionVerificationMeetsMinimumAAL) {
Contributor

I feel like this logic really belongs in an error boundary. If we inline it in this component, I feel like we will inevitably start copying this logic into any component that could potentially hit that state. That's a lot of extra checks and code to copy around!

I think the better approach is making sure the error response from the server for an insufficient AAL is consistent (it should be, since this check is now done in the auth-schemes), and then respond to it at the error boundary.

Because:

* General Application Error when interacting with site after 2FA enabled

This commit:

* redirects user on AAL mismatch in mfa guard

Closes #FXA-12576
4 participants