Merge pull request #19647 from mozilla/FXA-12540

feat(login): Allow third party auth for OAuthNative non-sync services

Author: LZoog

packages/fxa-auth-client/lib/client.ts

@@ -1124,7 +1124,14 @@ export default class AuthClient {
     }
   }
 
-  async accountStatus(uid: hexstring, headers?: Headers) {
+  async accountStatus(
+    uid?: hexstring,
+    sessionToken?: hexstring,
+    headers?: Headers
+  ): Promise<{ exists: boolean; locale?: string; hasPassword?: boolean }> {
+    if (sessionToken) {
+      return this.sessionGet('/account/status', sessionToken, headers);
+    }
     return this.request('GET', `/account/status?uid=${uid}`, null, headers);
   }
 

packages/fxa-auth-server/lib/routes/account.ts

@@ -1454,7 +1454,16 @@ export class AccountHandler {
   async status(request: AuthRequest) {
     const sessionToken = request.auth.credentials;
     if (sessionToken) {
-      return { exists: true, locale: sessionToken.locale };
+      const account = await this.db.account(sessionToken.uid as string);
+      // Make sure the account still exists
+      if (!account) {
+        throw error.unknownAccount();
+      }
+      return {
+        exists: true,
+        locale: sessionToken.locale,
+        hasPassword: account.verifierSetAt > 0,
+      };
     } else if (request.query.uid) {
       const uid = request.query.uid;
       try {

packages/fxa-auth-server/test/remote/totp_tests.js

@@ -156,125 +156,6 @@ const {
         });
     });
 
-    it('should allow verified sessions before totp enabled to delete totp token', () => {
-      let client2, code;
-      email = server.uniqueEmail();
-      return Client.createAndVerify(
-        config.publicUrl,
-        email,
-        password,
-        server.mailbox,
-        testOptions
-      )
-        .then((x) => {
-          client = x;
-          return client.login({ keys: true });
-        })
-        .then((response) => {
-          assert.equal(
-            response.verificationMethod,
-            'email',
-            'challenge method set to email'
-          );
-          assert.equal(
-            response.verificationReason,
-            'login',
-            'challenge reason set to signin'
-          );
-          assert.equal(response.sessionVerified, false, 'session verified set to false');
-          return server.mailbox.waitForEmail(email);
-        })
-        .then((emailData) => {
-          code = emailData.headers['x-verify-code'];
-          return client.verifyEmail(code);
-        })
-        .then(() => {
-          // Login with a new client and enabled TOTP
-          return Client.loginAndVerify(
-            config.publicUrl,
-            email,
-            password,
-            server.mailbox,
-            {
-              ...testOptions,
-              keys: true,
-            }
-          );
-        })
-        .then((x) => {
-          client2 = x;
-          return verifyTOTP(client2);
-        })
-        .then((res) => {
-          // Delete totp from original client that only was email verified
-          return client.deleteTotpToken().then((result) => {
-            assert.ok(result, 'delete totp token successfully');
-            return server.mailbox.waitForEmail(email);
-          });
-        })
-        .then((emailData) => {
-          assert.equal(
-            emailData.headers['x-template-name'],
-            'postRemoveTwoStepAuthentication'
-          );
-
-          // Can create a new token
-          return client.checkTotpTokenExists().then((result) => {
-            assert.equal(result.exists, false, 'token does not exist');
-          });
-        });
-    });
-
-    it('should not allow unverified sessions before totp enabled to delete totp token', () => {
-      email = server.uniqueEmail();
-      return Client.createAndVerify(
-        config.publicUrl,
-        email,
-        password,
-        server.mailbox,
-        testOptions
-      )
-        .then((x) => {
-          client = x;
-          return client.login({ keys: true });
-        })
-        .then((response) => {
-          assert.equal(
-            response.verificationMethod,
-            'email',
-            'challenge method set to email'
-          );
-          assert.equal(
-            response.verificationReason,
-            'login',
-            'challenge reason set to signin'
-          );
-          assert.equal(response.sessionVerified, false, 'session verified set to false');
-
-          return server.mailbox.waitForEmail(email);
-        })
-        .then(() => {
-          // Login with a new client and enabled TOTP
-          return Client.loginAndVerify(
-            config.publicUrl,
-            email,
-            password,
-            server.mailbox,
-            {
-              ...testOptions,
-              keys: true,
-            }
-          );
-        })
-        .then((client2) => verifyTOTP(client2))
-        .then((res) => {
-          // Attempt to delete totp from original unverified session
-          return client.deleteTotpToken().then(assert.fail, (err) => {
-            assert.equal(err.errno, 138, 'correct unverified session errno');
-          });
-        });
-    });
-
     it('should request `totp-2fa` on login if user has verified totp token', () => {
       return Client.login(config.publicUrl, email, password, {
         ...testOptions,

packages/fxa-settings/src/components/App/index.test.tsx

@@ -32,8 +32,8 @@ import GleanMetrics from '../../lib/glean';
 import config from '../../lib/config';
 import { currentAccount } from '../../lib/cache';
 import { MozServices } from '../../lib/types';
-import mockUseSyncEngines from '../../lib/hooks/useSyncEngines/mocks';
-import useSyncEngines from '../../lib/hooks/useSyncEngines';
+import mockUseFxAStatus from '../../lib/hooks/useFxAStatus/mocks';
+import useFxAStatus from '../../lib/hooks/useFxAStatus';
 import sentryMetrics from 'fxa-shared/sentry/browser';
 import { OAuthError } from '../../lib/oauth';
 
@@ -44,7 +44,7 @@ jest.mock('@reach/router', () => {
   };
 });
 
-jest.mock('../../lib/hooks/useSyncEngines', () => ({
+jest.mock('../../lib/hooks/useFxAStatus', () => ({
   __esModule: true,
   default: jest.fn(),
 }));
@@ -180,12 +180,12 @@ describe('metrics', () => {
     };
 
     flowInit = jest.spyOn(Metrics, 'init');
-    (useSyncEngines as jest.Mock).mockReturnValue(mockUseSyncEngines());
+    (useFxAStatus as jest.Mock).mockReturnValue(mockUseFxAStatus());
   });
 
   afterEach(() => {
     flowInit.mockReset();
-    (useSyncEngines as jest.Mock).mockRestore();
+    (useFxAStatus as jest.Mock).mockRestore();
   });
 
   it('Initializes metrics flow data when present', async () => {
@@ -232,11 +232,11 @@ describe('metrics', () => {
 
 describe('glean', () => {
   beforeEach(() => {
-    (useSyncEngines as jest.Mock).mockReturnValue(mockUseSyncEngines());
+    (useFxAStatus as jest.Mock).mockReturnValue(mockUseFxAStatus());
   });
 
   afterEach(() => {
-    (useSyncEngines as jest.Mock).mockRestore();
+    (useFxAStatus as jest.Mock).mockRestore();
   });
   it('Initializes glean', async () => {
     (useInitialMetricsQueryState as jest.Mock).mockReturnValueOnce({
@@ -349,13 +349,13 @@ describe('loading spinner states', () => {
 
 describe('AuthAndAccountSetupRoutes', () => {
   beforeEach(() => {
-    (useSyncEngines as jest.Mock).mockReturnValue(mockUseSyncEngines());
+    (useFxAStatus as jest.Mock).mockReturnValue(mockUseFxAStatus());
   });
 
   afterEach(() => {
-    (useSyncEngines as jest.Mock).mockRestore();
+    (useFxAStatus as jest.Mock).mockRestore();
   });
-  it('calls useSyncEngines with integration', async () => {
+  it('calls useFxAStatus with integration', async () => {
     const mockIntegration = {
       getServiceName: () => MozServices.FirefoxSync,
       isSync: () => true,
@@ -385,8 +385,8 @@ describe('AuthAndAccountSetupRoutes', () => {
       );
     });
 
-    expect(useSyncEngines).toHaveBeenCalledTimes(1);
-    expect(useSyncEngines).toHaveBeenCalledWith(mockIntegration);
+    expect(useFxAStatus).toHaveBeenCalledTimes(1);
+    expect(useFxAStatus).toHaveBeenCalledWith(mockIntegration);
   });
 });
 
@@ -617,7 +617,7 @@ describe('SettingsRoutes', () => {
 
 describe('Integration serviceName error handling', () => {
   beforeEach(() => {
-    (useSyncEngines as jest.Mock).mockReturnValue(mockUseSyncEngines());
+    (useFxAStatus as jest.Mock).mockReturnValue(mockUseFxAStatus());
     (useInitialMetricsQueryState as jest.Mock).mockReturnValue({
       loading: false,
     });
@@ -634,7 +634,7 @@ describe('Integration serviceName error handling', () => {
   });
 
   afterEach(() => {
-    (useSyncEngines as jest.Mock).mockRestore();
+    (useFxAStatus as jest.Mock).mockRestore();
     (useInitialMetricsQueryState as jest.Mock).mockRestore();
     (useLocalSignedInQueryState as jest.Mock).mockRestore();
     (useSession as jest.Mock).mockRestore();

packages/fxa-settings/src/components/App/index.tsx

@@ -47,7 +47,7 @@ import sentryMetrics from 'fxa-shared/sentry/browser';
 import LoadingSpinner from 'fxa-react/components/LoadingSpinner';
 import { ScrollToTop } from '../Settings/ScrollToTop';
 import SignupConfirmedSync from '../../pages/Signup/SignupConfirmedSync';
-import useSyncEngines from '../../lib/hooks/useSyncEngines';
+import useFxAStatus from '../../lib/hooks/useFxAStatus';
 
 // Pages
 const IndexContainer = lazy(() => import('../../pages/Index/container'));
@@ -428,7 +428,7 @@ const AuthAndAccountSetupRoutes = ({
     gleanEnabled && GleanMetrics.pageLoad(location.pathname);
   }, [location.pathname, gleanEnabled]);
 
-  const useSyncEnginesResult = useSyncEngines(integration);
+  const useFxAStatusResult = useFxAStatus(integration);
   try {
     // Handle getServiceName() errors that occur when OAuth scope validation fails.
     // This can happen when scopes are missing, invalid, or filtered out during
@@ -453,11 +453,11 @@ const AuthAndAccountSetupRoutes = ({
         {/* Index */}
         <IndexContainer
           path="/"
-          {...{ integration, serviceName, flowQueryParams }}
+          {...{ integration, serviceName, flowQueryParams, useFxAStatusResult }}
         />
         <IndexContainer
           path="/oauth"
-          {...{ integration, serviceName, flowQueryParams }}
+          {...{ integration, serviceName, flowQueryParams, useFxAStatusResult }}
         />
 
         {/* Legal */}
@@ -479,7 +479,7 @@ const AuthAndAccountSetupRoutes = ({
         />
         <SetPasswordContainer
           path="/post_verify/third_party_auth/set_password/*"
-          {...{ flowQueryParams, integration, useSyncEnginesResult }}
+          {...{ flowQueryParams, integration, useFxAStatusResult }}
         />
 
         {/* Reset password */}
@@ -523,19 +523,19 @@ const AuthAndAccountSetupRoutes = ({
         <ReportSigninContainer path="/report_signin/*" />
         <SigninContainer
           path="/oauth/force_auth/*"
-          {...{ integration, serviceName, flowQueryParams }}
+          {...{ integration, serviceName, flowQueryParams, useFxAStatusResult }}
         />
         <SigninContainer
           path="/force_auth/*"
-          {...{ integration, serviceName, flowQueryParams }}
+          {...{ integration, serviceName, flowQueryParams, useFxAStatusResult }}
         />
         <SigninContainer
           path="/oauth/signin/*"
-          {...{ integration, serviceName, flowQueryParams }}
+          {...{ integration, serviceName, flowQueryParams, useFxAStatusResult }}
         />
         <SigninContainer
           path="/signin/*"
-          {...{ integration, serviceName, flowQueryParams }}
+          {...{ integration, serviceName, flowQueryParams, useFxAStatusResult }}
         />
         <SigninBounced email={localAccount?.email} path="/signin_bounced/*" />
         <CompleteSigninContainer path="/complete_signin/*" />
@@ -596,7 +596,7 @@ const AuthAndAccountSetupRoutes = ({
             integration,
             serviceName,
             flowQueryParams,
-            useSyncEnginesResult,
+            useFxAStatusResult,
           }}
         />
         <PrimaryEmailVerified
@@ -608,7 +608,7 @@ const AuthAndAccountSetupRoutes = ({
           {...{
             integration,
             flowQueryParams,
-            useSyncEnginesResult,
+            useFxAStatusResult,
           }}
         />
         <SignupConfirmed
@@ -617,7 +617,7 @@ const AuthAndAccountSetupRoutes = ({
         />
         <SignupConfirmedSync
           path="/signup_confirmed_sync/*"
-          offeredSyncEngines={useSyncEnginesResult.offeredSyncEngines}
+          offeredSyncEngines={useFxAStatusResult.offeredSyncEngines}
           {...{ integration }}
         />
         <SignupConfirmed

packages/fxa-settings/src/lib/channels/firefox.ts

@@ -71,6 +71,7 @@ export type FxAStatusResponse = {
     multiService: boolean;
     pairing: boolean;
     choose_what_to_sync?: boolean;
+    keys_optional?: boolean;
   };
   clientId?: string;
   signedInUser?: SignedInUser;