fix(settings): redirect user on AAL mismatch in mfa guard

packages/fxa-settings/src/components/Settings/MfaGuard/index.test.tsx

@@ -24,9 +24,13 @@ const mockAuthClient = {
     }
     return Promise.reject(AuthUiErrors.INVALID_EXPIRED_OTP_CODE);
   }),
+  sessionStatus: jest.fn().mockResolvedValue({
+    details: { sessionVerificationMeetsMinimumAAL: true },
+  }),
 };
 const mockAlertBar = { error: jest.fn() };
 const mockNavigate = jest.fn();
+const mockNavigateWithQuery = jest.fn();
 
 jest.mock('../../../lib/cache', () => {
   const actual = jest.requireActual('../../../lib/cache');
@@ -43,14 +47,18 @@ jest.mock('../../../models', () => ({
   useAlertBar: () => mockAlertBar,
 }));
 
+jest.mock('../../../lib/hooks/useNavigateWithQuery', () => ({
+  useNavigateWithQuery: () => mockNavigateWithQuery,
+}));
+
 jest.mock('@reach/router', () => ({
   ...jest.requireActual('@reach/router'),
   useNavigate: () => mockNavigate,
 }));
 
 async function submitCode(otp: string = mockOtp) {
   await userEvent.type(
-    screen.getByRole('textbox', { name: 'Enter 6-digit code' }),
+    await screen.findByRole('textbox', { name: 'Enter 6-digit code' }),
     otp
   );
   await userEvent.click(screen.getByRole('button', { name: 'Confirm' }));
@@ -61,6 +69,10 @@ describe('MfaGuard', () => {
     JwtTokenCache.removeToken(mockSessionToken, mockScope);
     MfaOtpRequestCache.remove(mockSessionToken, mockScope);
     jest.clearAllMocks();
+
+    mockAuthClient.sessionStatus.mockResolvedValue({
+      details: { sessionVerificationMeetsMinimumAAL: true },
+    });
   });
 
   it('requests OTP and shows modal when JWT missing', async () => {
@@ -72,10 +84,12 @@ describe('MfaGuard', () => {
       </AppContext.Provider>
     );
 
-    expect(mockAuthClient.mfaRequestOtp).toHaveBeenCalledWith(
-      mockSessionToken,
-      mockScope
-    );
+    await waitFor(() => {
+      expect(mockAuthClient.mfaRequestOtp).toHaveBeenCalledWith(
+        mockSessionToken,
+        mockScope
+      );
+    });
 
     expect(
       await screen.findByText('Enter confirmation code')
@@ -110,7 +124,7 @@ describe('MfaGuard', () => {
     });
   });
 
-  it('renders children when JWT exists', () => {
+  it('renders children when JWT exists', async () => {
     JwtTokenCache.setToken(mockSessionToken, mockScope, 'jwt-present');
 
     renderWithRouter(
@@ -121,7 +135,7 @@ describe('MfaGuard', () => {
       </AppContext.Provider>
     );
 
-    expect(screen.getByText('secured')).toBeInTheDocument();
+    expect(await screen.findByText('secured')).toBeInTheDocument();
     expect(
       screen.queryByText('Enter confirmation code')
     ).not.toBeInTheDocument();
@@ -160,7 +174,9 @@ describe('MfaGuard', () => {
       </AppContext.Provider>
     );
 
-    expect(screen.queryByText('Enter confirmation code')).toBeInTheDocument();
+    expect(
+      await screen.findByText('Enter confirmation code')
+    ).toBeInTheDocument();
     await submitCode('654321');
 
     expect(
@@ -181,7 +197,9 @@ describe('MfaGuard', () => {
       </AppContext.Provider>
     );
 
-    expect(screen.getByText('Enter confirmation code')).toBeInTheDocument();
+    expect(
+      await screen.findByText('Enter confirmation code')
+    ).toBeInTheDocument();
     await submitCode('654321');
     expect(
       await screen.findByText('Invalid or expired confirmation code')
@@ -209,7 +227,7 @@ describe('MfaGuard', () => {
 
     // Trigger an error first
     await userEvent.type(
-      screen.getByRole('textbox', { name: 'Enter 6-digit code' }),
+      await screen.findByRole('textbox', { name: 'Enter 6-digit code' }),
       '654321'
     );
     await userEvent.click(screen.getByRole('button', { name: 'Confirm' }));
@@ -218,7 +236,7 @@ describe('MfaGuard', () => {
     ).toBeInTheDocument();
 
     await userEvent.click(
-      screen.getByRole('button', { name: 'Email new code.' })
+      await screen.findByRole('button', { name: 'Email new code.' })
     );
     expect(
       await screen.findByText('A new code was sent to your email.')
@@ -242,7 +260,7 @@ describe('MfaGuard', () => {
     );
 
     await userEvent.click(
-      screen.getByRole('button', { name: 'Email new code.' })
+      await screen.findByRole('button', { name: 'Email new code.' })
     );
     expect(
       await screen.findByText('A new code was sent to your email.')
@@ -253,11 +271,46 @@ describe('MfaGuard', () => {
     );
 
     await userEvent.click(
-      screen.getByRole('button', { name: 'Email new code.' })
+      await screen.findByRole('button', { name: 'Email new code.' })
     );
     expect(await screen.findByText('Unexpected error')).toBeInTheDocument();
   });
 
+  it('navigates to signin_totp_code when session does not meet minimum AAL', async () => {
+    // Mock sessionStatus to return false for AAL check
+    mockAuthClient.sessionStatus.mockResolvedValue({
+      details: { sessionVerificationMeetsMinimumAAL: false },
+    });
+
+    const context = mockAppContext();
+
+    renderWithRouter(
+      <AppContext.Provider value={context}>
+        <MfaGuard
+          requiredScope={mockScope}
+          debounceIntervalMs={0}
+          reason={MfaReason.test}
+        >
+          <div>secured</div>
+        </MfaGuard>
+      </AppContext.Provider>
+    );
+
+    await waitFor(() => {
+      expect(mockNavigateWithQuery).toHaveBeenCalledWith('/signin_totp_code', {
+        state: {
+          email: context.account!.email,
+          sessionToken: mockSessionToken,
+          uid: context.account!.uid,
+          verified: false,
+          isSessionAALUpgrade: true,
+        },
+      });
+    });
+
+    expect(mockAuthClient.mfaRequestOtp).not.toHaveBeenCalled();
+  });
+
   it('goes home and shows error alert bar if request for OTP fails', async () => {
     mockAuthClient.mfaRequestOtp.mockRejectedValueOnce(
       AuthUiErrors.UNEXPECTED_ERROR
@@ -297,7 +350,9 @@ describe('MfaGuard', () => {
       </AppContext.Provider>
     );
 
-    await userEvent.click(screen.getByRole('button', { name: 'Cancel' }));
+    await userEvent.click(
+      await screen.findByRole('button', { name: 'Cancel' })
+    );
 
     expect(mockOnDismiss).toHaveBeenCalledTimes(1);
   });
@@ -317,25 +372,25 @@ describe('MfaGuard', () => {
 
     // Should be debounced! The dialog just rendered and a code went out...
     await userEvent.click(
-      screen.getByRole('button', { name: 'Email new code.' })
+      await screen.findByRole('button', { name: 'Email new code.' })
     );
     await act(async () => {
       await new Promise((r) => setTimeout(r, 101));
     });
 
     await userEvent.click(
-      screen.getByRole('button', { name: 'Email new code.' })
+      await screen.findByRole('button', { name: 'Email new code.' })
     );
     // Should be debounced! The resend request above was just clicked...
     await userEvent.click(
-      screen.getByRole('button', { name: 'Email new code.' })
+      await screen.findByRole('button', { name: 'Email new code.' })
     );
 
     await act(async () => {
       await new Promise((r) => setTimeout(r, 101));
     });
     await userEvent.click(
-      screen.getByRole('button', { name: 'Email new code.' })
+      await screen.findByRole('button', { name: 'Email new code.' })
     );
 
     expect(mockAuthClient.mfaRequestOtp).toHaveBeenCalledTimes(3);

packages/fxa-settings/src/components/Settings/MfaGuard/index.tsx

@@ -30,6 +30,8 @@ import * as Sentry from '@sentry/react';
 import { MfaErrorBoundary } from './error-boundary';
 import { getLocalizedErrorMessage } from '../../../lib/error-utils';
 import GleanMetrics from '../../../lib/glean';
+import { useNavigateWithQuery } from '../../../lib/hooks/useNavigateWithQuery';
+import LoadingSpinner from 'fxa-react/components/LoadingSpinner';
 
 /**
  * This is a guard component designed to wrap around components that perform
@@ -58,9 +60,12 @@ export const MfaGuard = ({
   const [resendCodeLoading, setResendCodeLoading] = useState(false);
   const [showResendSuccessBanner, setShowResendSuccessBanner] = useState(false);
 
+  const [modalLoading, setModalLoading] = useState(true);
+
   const resetStates = useCallback(() => {
     setLocalizedErrorBannerMessage(undefined);
     setShowResendSuccessBanner(false);
+    setModalLoading(true);
   }, []);
 
   // Reactive state: if the store state changes, a re-render is triggered
@@ -71,6 +76,7 @@ export const MfaGuard = ({
   const account = useAccount();
   const authClient = useAuthClient();
   const navigate = useNavigate();
+  const navigateWithQuery = useNavigateWithQuery();
   const sessionToken = getSessionToken();
 
   const ftlMsgResolver = useFtlMsgResolver();
@@ -105,7 +111,25 @@ export const MfaGuard = ({
   // Modal Setup
   useEffect(() => {
     (async () => {
-      // To avoid requesting multiple OTPs on mount
+      // Ensure the session meets the minimum AAL required
+      const {
+        details: { sessionVerificationMeetsMinimumAAL },
+      } = await authClient.sessionStatus(sessionToken);
+      if (!sessionVerificationMeetsMinimumAAL) {
+        console.warn('2FA must be entered to access /settings!');
+        navigateWithQuery('/signin_totp_code', {
+          state: {
+            email: account.email,
+            sessionToken: sessionToken,
+            uid: account.uid,
+            verified: false,
+            isSessionAALUpgrade: true,
+          },
+        });
+        return;
+      }
+      setModalLoading(false);
+
       if (JwtTokenCache.hasToken(sessionToken, requiredScope)) {
         return;
       }
@@ -122,10 +146,6 @@ export const MfaGuard = ({
         await authClient.mfaRequestOtp(sessionToken, requiredScope);
       } catch (err) {
         MfaOtpRequestCache.remove(sessionToken, requiredScope);
-        if (err.code === 401) {
-          handleError(err);
-          return;
-        }
         if (err.code === 429) {
           setShowResendSuccessBanner(false);
           setLocalizedErrorBannerMessage(
@@ -150,6 +170,9 @@ export const MfaGuard = ({
     onDismiss,
     config.mfa.otp.expiresInMinutes,
     debounce,
+    navigateWithQuery,
+    account.email,
+    account.uid,
   ]);
 
   const onSubmitOtp = async (code: string) => {
@@ -191,11 +214,6 @@ export const MfaGuard = ({
     } catch (err) {
       MfaOtpRequestCache.remove(sessionToken, requiredScope);
       setShowResendSuccessBanner(false);
-      if (err.code === 401) {
-        handleError(err);
-        return;
-      }
-      setShowResendSuccessBanner(false);
       setLocalizedErrorBannerMessage(
         getLocalizedErrorMessage(ftlMsgResolver, err)
       );
@@ -207,24 +225,25 @@ export const MfaGuard = ({
   const email = account.email;
   const expirationTime = config.mfa.otp.expiresInMinutes;
 
-  const getModal = () => (
-    <Modal
-      {...{
-        email,
-        expirationTime,
-        onSubmit: onSubmitOtp,
-        onDismiss,
-        handleResendCode,
-        clearErrorMessage: () => setLocalizedErrorBannerMessage(undefined),
-        resendCodeLoading,
-        showResendSuccessBanner,
-        localizedErrorBannerMessage,
-        reason,
-      }}
-    >
-      <p>Re-verify Account!</p>
-    </Modal>
-  );
+  const getModal = () =>
+    modalLoading ? (
+      <LoadingSpinner fullScreen />
+    ) : (
+      <Modal
+        {...{
+          email,
+          expirationTime,
+          onSubmit: onSubmitOtp,
+          onDismiss,
+          handleResendCode,
+          clearErrorMessage: () => setLocalizedErrorBannerMessage(undefined),
+          resendCodeLoading,
+          showResendSuccessBanner,
+          localizedErrorBannerMessage,
+          reason,
+        }}
+      />
+    );
 
   // If we don't have a JWT, we need to open the modal to prompt for it.
   // Note: I'm torn on whether we should render the child components or not. It seems

packages/fxa-settings/src/components/Settings/PageChangePassword/index.test.tsx

@@ -59,11 +59,18 @@ const mockAuthClient = {
     kA: 'kA-key',
     kB: 'kB-key',
   }),
+  sessionStatus: jest.fn().mockResolvedValue({
+    details: {
+      sessionVerificationMeetsMinimumAAL: true,
+    },
+  }),
 } as any; // Use 'as any' to avoid TypeScript strict typing for mock
 
 // Mock the cache module to provide session token and JWT cache
 const mockSessionToken = 'mock-session-token';
-const mockJwtState: Record<string, string> = { [`${mockSessionToken}-password`]: 'mock-jwt-token' };
+const mockJwtState: Record<string, string> = {
+  [`${mockSessionToken}-password`]: 'mock-jwt-token',
+};
 jest.mock('../../../lib/cache', () => {
   const actual = jest.requireActual('../../../lib/cache');
   return {
@@ -102,7 +109,12 @@ const settingsContext = mockSettingsContext();
 
 const render = async (mockAccount = account) => {
   renderWithRouter(
-    <AppContext.Provider value={mockAppContext({ account: mockAccount, authClient: mockAuthClient })}>
+    <AppContext.Provider
+      value={mockAppContext({
+        account: mockAccount,
+        authClient: mockAuthClient,
+      })}
+    >
       <SettingsContext.Provider value={settingsContext}>
         <PageChangePassword />
       </SettingsContext.Provider>