
fix(fxa-settings): Prevent duplicate passwordless OTP sends on page reload#20158

Merged
vbudhram merged 1 commit into main from fxa-13230 on Mar 9, 2026

Conversation


@vbudhram vbudhram commented Mar 9, 2026

Because

  • Refreshing the passwordless code page re-triggered passwordlessSendCode, burning through the per-email rate limit (2 sends / 15 min) and causing "too many requests" errors
  • Users navigating back and re-entering the flow could hit rate limits during normal usage patterns

This pull request

  • Adds codeSent flag to PasswordlessLocationState and persists it via history.replaceState after the initial OTP send in container.tsx
  • Initializes codeSent state from location state so page refreshes skip re-sending
  • Relaxes per-email rate limits in rate-limit-rules.txt from 2/15min to 5/15min and 5/24hr to 15/24hr
  • Registers signin_passwordless_code and oauth/signin_passwordless_code routes in content-server route configs
  • Adds functional test verifying repeated sign-in attempts don't trigger rate limit errors
  • Adds unit test for the codeSent location state behavior on page refresh

Issue

Closes: https://mozilla-hub.atlassian.net/browse/FXA-13230
Closes: https://mozilla-hub.atlassian.net/browse/FXA-13229

Checklist

  • My commit is GPG signed
  • Tests pass locally (if applicable)
  • Documentation updated (if applicable)
  • RTL rendering verified (if UI changed)

Other Information

How to test:

  1. Go to the 123done RP with force_passwordless=true
  2. Enter an email to start the passwordless flow
  3. On the code entry page, refresh the page (F5)
  4. Should remain on the code page without errors — no duplicate OTP sent
  5. Navigate back to the RP, re-enter the same email — should reach code page without rate limit error
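The reload guard described in the pull request above, as an added example that is not the fxa-settings code: an OTP send runs only when the current history state does not already carry codeSent, and the flag is persisted with replaceState so the state read on the next mount skips the send. MemoryHistory (a stand-in for window.history), ensureCodeSent, sendCode and simulate are hypothetical names.

```javascript
// Added example, not fxa-settings code. Names are hypothetical.
// Minimal stand-in for window.history (constructed for this example):
// replaceState() rewrites the current entry, pushState() starts a fresh
// entry, and reload() keeps the current entry's state, as browsers do on F5.
class MemoryHistory {
  constructor() { this.entries = [{ state: null }]; this.index = 0; }
  get state() { return this.entries[this.index].state; }
  pushState(state, _title, _url) {
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push({ state });
    this.index += 1;
  }
  replaceState(state, _title, _url) { this.entries[this.index] = { state }; }
  back() { if (this.index > 0) this.index -= 1; }
  reload() { /* history.state survives a reload, so nothing changes */ }
}

// Send the OTP only when the location state does not already carry codeSent
// for this email, then persist codeSent with replaceState so the state read
// on the next mount (including after a reload) skips the send.
// sendCode(email) is supplied by the caller and performs the actual send.
function ensureCodeSent(history, email, sendCode) {
  const state = history.state || {};
  if (state.email === email && state.codeSent) {
    return { sent: false, state };
  }
  sendCode(email);
  const next = { ...state, email, codeSent: true };
  history.replaceState(next, '', null);
  return { sent: true, state: next };
}

// The flow from the PR's test steps: mount the code page, press F5, go back
// to the RP and re-enter the same email. Returns how many sends happened.
function simulate() {
  let sends = 0;
  const sendCode = () => { sends += 1; };
  const history = new MemoryHistory();
  const email = 'user@example.com'; // constructed sample value
  history.pushState({ email }, '', '/signin_passwordless_code');
  ensureCodeSent(history, email, sendCode); // first mount: sends
  history.reload();
  ensureCodeSent(history, email, sendCode); // after F5: codeSent set, skipped
  history.back();                           // back to the RP
  history.pushState({ email }, '', '/signin_passwordless_code'); // re-enter
  ensureCodeSent(history, email, sendCode); // new entry: sends again
  return sends;                             // 2, not 3
}
```

With the guard in place the whole scenario costs two sends, which stays within the relaxed limit of 5 per 15 minutes; re-entering from the RP still sends, because a fresh history entry carries no codeSent flag.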

@vbudhram vbudhram self-assigned this Mar 9, 2026
@vbudhram vbudhram requested a review from a team as a code owner March 9, 2026 14:55
@vbudhram vbudhram requested a review from StaberindeZA March 9, 2026 14:57

@StaberindeZA StaberindeZA left a comment


r+

'inline_recovery_key_setup',
'signin_push_code',
'signin_push_code_confirm',
'signin_passwordless_code',

@vbudhram vbudhram merged commit 82aa181 into main Mar 9, 2026
23 checks passed
@vbudhram vbudhram deleted the fxa-13230 branch March 9, 2026 18:43