Merge pull request #17636 from mozilla/FXA-9398-forgot-token-auth

feat(recovery): fetch recovery key status with passwordForgotToken

packages/fxa-auth-client/lib/client.ts

@@ -775,6 +775,20 @@ export default class AuthClient {
     );
   }
 
+  async passwordForgotRecoveryKeyStatus(
+    passwordForgotToken: hexstring,
+    headers?: Headers
+  ) {
+    return this.hawkRequest(
+      'POST',
+      '/recoveryKey/exists',
+      passwordForgotToken,
+      tokenType.passwordForgotToken,
+      null,
+      headers
+    );
+  }
+
   // TODO: Once password reset react is 100% and stable in production
   // we can remove this.
   async accountReset(
@@ -1904,17 +1918,6 @@ export default class AuthClient {
     );
   }
 
-  // TODO: Review in FXA-7400 - possibly convert to POST to pass payload instead of using param, and enforce rate limiting
-  // async getRecoveryKeyHint(
-  //   sessionToken: hexstring | undefined,
-  //   email?: string
-  // ): Promise<{ hint: string | null }> {
-  //   if (sessionToken) {
-  //     return this.sessionGet('/recoveryKey/hint', sessionToken);
-  //   }
-  //   return this.request('GET', `/recoveryKey/hint?email=${email}`);
-  // }
-
   async updateRecoveryKeyHint(
     sessionToken: hexstring,
     hint: string,

packages/fxa-auth-server/docs/swagger/recovery-key-api.ts

@@ -34,8 +34,8 @@ const RECOVERYKEY_EXISTS_POST = {
   ...TAGS_RECOVERY_KEY,
   description: '/recoveryKey/exists',
   notes: [
-    '🔒🔓 Optionally authenticated with session token',
-    'This route checks to see if given user has setup an account recovery key. When used during the password reset flow, an email can be provided (instead of a sessionToken) to check for the status. However, when using an email, the request is rate limited.',
+    '🔒🔓 Authenticated with session token or password-forgot token',
+    'This route checks to see if given user has setup an account recovery key. When used during the password reset flow, a password-forgot token to check for the status.',
   ],
 };
 

packages/fxa-auth-server/lib/db/index.js

@@ -1087,13 +1087,9 @@ module.exports = (config, log, Token, UnblockCode = null) => {
     return RecoveryKey.update({ uid, recoveryKeyId, enabled });
   };
 
-  DB.prototype.getRecoveryKeyHint = async function (uid) {
-    log.trace('DB.getRecoveryKeyHint', { uid });
-    const data = await RecoveryKey.findByUid(uid);
-    if (!data) {
-      throw error.recoveryKeyNotFound();
-    }
-    return { hint: await RecoveryKey.findHintByUid(uid) };
+  DB.prototype.getRecoveryKeyRecordWithHint = async function (uid) {
+    log.trace('DB.getRecoveryKeyRecordWithHint', { uid });
+    return await RecoveryKey.findRecordWithHintByUid(uid);
   };
 
   DB.prototype.updateRecoveryKeyHint = async function (uid, hint) {

packages/fxa-auth-server/lib/routes/auth-schemes/hawk-fxa-token.js

@@ -78,7 +78,16 @@ function parseAuthorizationHeader(header, keys) {
  * @param {Function} getCredentialsFunc - The function to get the credentials.
  * @returns {Function}
  */
-function strategy(getCredentialsFunc) {
+function strategy(
+  getCredentialsFunc,
+  authStrategyOptions = { throwOnFailure: true }
+) {
+  const tokenNotFoundError = () => {
+    const error = AppError.unauthorized('Token not found');
+    error.isMissing = true;
+    return error;
+  };
+
   return function (server, options) {
     return {
       authenticate: async function (req, h) {
@@ -89,22 +98,28 @@ function strategy(getCredentialsFunc) {
             return h.continue;
           }
 
-          const error = AppError.unauthorized('Token not found');
-          error.isMissing = true;
-          throw error;
+          throw tokenNotFoundError();
         }
 
         if (auth.toLowerCase().indexOf('hawk') > -1) {
           // If a Hawk token is found, lets parse it and get the token's id
           const parsedHeader = parseAuthorizationHeader(auth);
-          const token = await getCredentialsFunc(parsedHeader.id);
+          let token;
+
+          try {
+            token = await getCredentialsFunc(parsedHeader.id);
+          } catch (_) {
+            // we'll handle the empty token case below
+          }
 
           // If a token isn't found, this means it doesn't exist or expired and
           // was removed from database
           if (!token) {
-            const error = AppError.unauthorized('Token not found');
-            error.isMissing = true;
-            throw error;
+            if (authStrategyOptions.throwOnFailure) {
+              throw tokenNotFoundError();
+            } else {
+              return Boom.unauthorized(null, 'hawkFxaToken');
+            }
           }
 
           return h.authenticated({
@@ -125,9 +140,11 @@ function strategy(getCredentialsFunc) {
         //   } catch (err) {}
         // }
 
-        const error = AppError.unauthorized('Token not found');
-        error.isMissing = true;
-        throw error;
+        if (authStrategyOptions.throwOnFailure) {
+          throw tokenNotFoundError();
+        }
+
+        return Boom.unauthorized(null, 'hawkFxaToken');
       },
       payload: async function (req, h) {
         // Since we skip Hawk header validation, we don't need to perform payload validation either...

packages/fxa-auth-server/lib/routes/recovery-key.js

@@ -296,44 +296,34 @@ module.exports = (
       options: {
         ...RECOVERY_KEY_DOCS.RECOVERYKEY_EXISTS_POST,
         auth: {
-          mode: 'optional',
-          strategy: 'sessionToken',
+          strategies: [
+            'multiStrategySessionToken',
+            'multiStrategyPasswordForgotToken',
+          ],
         },
         validate: {
-          payload: isA.object({
-            email: validators.email().optional(),
-          }),
+          payload: isA
+            .object({
+              email: validators.email().optional(),
+            })
+            .optional()
+            .allow(null),
         },
         response: {
           schema: isA.object({
             exists: isA.boolean().required(),
+            hint: isA.string().optional().allow(null),
             estimatedSyncDeviceCount: isA.number().optional(),
           }),
         },
       },
       async handler(request) {
         log.begin('recoveryKeyExists', request);
 
-        const { email } = request.payload;
-
-        let uid;
-        if (request.auth.credentials) {
-          uid = request.auth.credentials.uid;
-        }
-
-        if (!uid) {
-          // If not using a sessionToken, an email is required to check
-          // for an account recovery key. This occurs when checking from the
-          // password reset page and allows us to redirect the user to either
-          // the regular password reset or account recovery password reset.
-          if (!email) {
-            throw errors.missingRequestParameter('email');
-          }
-
-          await customs.check(request, email, 'recoveryKeyExists');
-          ({ uid } = await db.accountRecord(email));
-        }
-        const exists = await db.recoveryKeyExists(uid);
+        const uid = request.auth.credentials.uid;
+        const recoveryKeyRecordWithHint = await db.getRecoveryKeyRecordWithHint(
+          uid
+        );
 
         // We try our best to estimate the number of Sync devices that could be impacted by using a recovery key.
         // It is an estimate because we currently can't query the Sync service to get the actual number of items
@@ -347,70 +337,12 @@ module.exports = (
         );
 
         return {
-          exists: exists.exists,
+          exists: !!recoveryKeyRecordWithHint,
+          hint: recoveryKeyRecordWithHint?.hint,
           estimatedSyncDeviceCount,
         };
       },
     },
-    // This method is not yet in use
-    // Disabled until we are ready to enable as part of FXA-6670
-    // GET request for authenticated user should use the sessionToken to display the hint in /settings
-    // To display the hint during password reset, this method will need to be usable without authenticating,
-    // but unauthenticated requests should be rate limited by IP and email to prevent checking multiple emails for hints
-    // TODO : Review in FXA-7400 - possibly convert to POST to pass payload instead of using param, and enforce rate limiting
-    // {
-    //   method: 'GET',
-    //   path: '/recoveryKey/hint',
-    //   options: {
-    //     ...RECOVERY_KEY_DOCS.RECOVERYKEY_HINT_GET,
-    //     auth: {
-    //       mode: 'optional',
-    //       strategy: 'sessionToken',
-    //     },
-    //     validate: {
-    //       query: {
-    //         email: validators.email().optional(),
-    //       },
-    //     },
-    //   },
-    //   handler: async function (request) {
-    //     log.begin('getRecoveryKeyHint', request);
-
-    //     const { email } = request.query;
-
-    //     let uid;
-    //     if (request.auth.credentials) {
-    //       uid = request.auth.credentials.uid;
-    //     }
-
-    //     if (!uid) {
-    //       // If not using a sessionToken, an email is required to check
-    //       // for an account recovery key.
-    //       if (!email) {
-    //         throw errors.missingRequestParameter('email');
-    //       }
-
-    //       // When this request is unauthenticated, we must rate-limit by IP and email
-    //       // to review in FXA-7400, rate limiting does not seem to be working as expected
-    //       await customs.check(request, email, 'recoveryKeyExists');
-    //       try {
-    //         const result = await db.accountRecord(email);
-    //         uid = result.uid;
-    //       } catch (err) {
-    //         throw errors.unknownAccount();
-    //       }
-    //     }
-
-    //     const result = await db.recoveryKeyExists(uid);
-    //     if (!result.exists) {
-    //       throw errors.recoveryKeyNotFound();
-    //     }
-
-    //     const hint = await db.getRecoveryKeyHint(uid);
-
-    //     return hint;
-    //   },
-    // },
     {
       method: 'POST',
       path: '/recoveryKey/hint',

packages/fxa-auth-server/lib/server.js

@@ -401,6 +401,24 @@ async function create(log, error, config, routes, db, statsd, glean) {
     hawkFxAToken.strategy(makeCredentialFn(db.passwordChangeToken.bind(db)))
   );
 
+  // the recoveryKey/exists route accepts a session token or a password-forgot
+  // token.  in order for Hapi to try all the strategies (until auth succeeds),
+  // the strategy's authenticate function _must not_ throw on failed
+  // authentication. otherwise, Hapi will stop at the first strategy that
+  // throws.
+  server.auth.scheme(
+    'multi-strategy-fxa-hawk-session-token',
+    hawkFxAToken.strategy(makeCredentialFn(db.sessionToken.bind(db)), {
+      throwOnFailure: false,
+    })
+  );
+  server.auth.scheme(
+    'multi-strategy-fxa-hawk-passwordForgot-token',
+    hawkFxAToken.strategy(makeCredentialFn(db.passwordForgotToken.bind(db)), {
+      throwOnFailure: false,
+    })
+  );
+
   server.auth.strategy('sessionToken', 'fxa-hawk-session-token');
   server.auth.strategy('keyFetchToken', 'fxa-hawk-keyFetch-token');
   server.auth.strategy(
@@ -413,6 +431,15 @@ async function create(log, error, config, routes, db, statsd, glean) {
   server.auth.strategy('passwordForgotToken', 'fxa-hawk-passwordForgot-token');
   server.auth.strategy('passwordChangeToken', 'fxa-hawk-passwordChange-token');
 
+  server.auth.strategy(
+    'multiStrategySessionToken',
+    'multi-strategy-fxa-hawk-session-token'
+  );
+  server.auth.strategy(
+    'multiStrategyPasswordForgotToken',
+    'multi-strategy-fxa-hawk-passwordForgot-token'
+  );
+
   server.auth.scheme(authOauth.AUTH_SCHEME, authOauth.strategy);
   server.auth.strategy('oauthToken', authOauth.AUTH_SCHEME, config.oauth);
 

packages/fxa-auth-server/test/client/index.js

@@ -846,12 +846,8 @@ module.exports = (config) => {
     return this.api.getRecoveryKey(this.accountResetToken, recoveryKeyId);
   };
 
-  Client.prototype.getRecoveryKeyExists = function (email) {
-    if (!email) {
-      return this.api.getRecoveryKeyExistsWithSession(this.sessionToken);
-    } else {
-      return this.api.getRecoveryKeyExistsWithEmail(email);
-    }
+  Client.prototype.getRecoveryKeyExists = function () {
+    return this.api.getRecoveryKeyExistsWithSession(this.sessionToken);
   };
 
   Client.prototype.deleteRecoveryKey = function () {