bug(auth): Add verifiedSessionToken strategy to applicable routes

Because:
- Some routes require a verified session state

This Commit:
- Uses the verifiedSessionToken auth strategy on these routes

Author: dschom

packages/fxa-auth-server/lib/routes/mfa.ts

@@ -253,7 +253,8 @@ export const mfaRoutes = (
       options: {
         pre: [{ method: featureEnabledCheck }],
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({
@@ -274,7 +275,8 @@ export const mfaRoutes = (
       path: '/mfa/otp/verify',
       options: {
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({

packages/fxa-auth-server/lib/routes/password.ts

@@ -82,8 +82,8 @@ module.exports = function (
       options: {
         ...PASSWORD_DOCS.PASSWORD_CHANGE_START_POST,
         auth: {
-          strategy: 'sessionToken',
-          payload: 'required',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({

packages/fxa-auth-server/lib/routes/recovery-codes.js

@@ -34,7 +34,8 @@ module.exports = (log, db, config, customs, mailer, glean, statsd) => {
       options: {
         ...RECOVERY_CODES_DOCS.RECOVERYCODES_GET,
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         response: {
           schema: recoveryCodesSchema,
@@ -88,7 +89,8 @@ module.exports = (log, db, config, customs, mailer, glean, statsd) => {
       options: {
         ...RECOVERY_CODES_DOCS.RECOVERY_CODES_POST,
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: recoveryCodesSchema,
@@ -108,13 +110,11 @@ module.exports = (log, db, config, customs, mailer, glean, statsd) => {
         // no previous backup codes should be in the database
         // the session should not yet have a higher assurance level
         const account = await db.account(uid);
-        const { hasBackupCodes } =
-          await backupCodeManager.getCountForUserId(uid);
         const hasTotpToken = await otpUtils.hasTotpToken({ uid });
         // for initial setup, only fail if totp is already enabled
         // if totp is not enabled/verified, it is safe to replace the recovery codes
-        if (hasBackupCodes && hasTotpToken) {
-          throw errors.recoveryCodesAlreadyExist();
+        if (hasTotpToken) {
+          throw errors.totpTokenAlreadyExists();
         }
 
         const { recoveryCodes } = request.payload;
@@ -143,7 +143,8 @@ module.exports = (log, db, config, customs, mailer, glean, statsd) => {
       options: {
         ...RECOVERY_CODES_DOCS.RECOVERY_CODES_PUT,
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: recoveryCodesSchema,

packages/fxa-auth-server/lib/routes/recovery-key.js

@@ -32,8 +32,8 @@ module.exports = (
       options: {
         ...RECOVERY_KEY_DOCS.RECOVERYKEY_POST,
         auth: {
-          strategy: 'sessionToken',
-          payload: 'required',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({
@@ -395,7 +395,8 @@ module.exports = (
       options: {
         ...RECOVERY_KEY_DOCS.RECOVERYKEY_DELETE,
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
       },
       async handler(request) {

packages/fxa-auth-server/lib/routes/recovery-phone.ts

@@ -1024,7 +1024,8 @@ export const recoveryPhoneRoutes = (
       options: {
         pre: [{ method: featureEnabledCheck }],
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({
@@ -1082,7 +1083,8 @@ export const recoveryPhoneRoutes = (
       options: {
         pre: [{ method: featureEnabledCheck }],
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({
@@ -1102,7 +1104,8 @@ export const recoveryPhoneRoutes = (
       options: {
         pre: [{ method: featureEnabledCheck }],
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({
@@ -1181,7 +1184,8 @@ export const recoveryPhoneRoutes = (
       path: '/recovery_phone',
       options: {
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
       },
       handler: function (request: AuthRequest) {

packages/fxa-auth-server/lib/routes/totp.js

@@ -269,8 +269,8 @@ module.exports = (
       options: {
         ...TOTP_DOCS.TOTP_CREATE_POST,
         auth: {
-          strategy: 'sessionToken',
-          payload: 'required',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         validate: {
           payload: isA.object({
@@ -615,7 +615,8 @@ module.exports = (
       options: {
         ...TOTP_DOCS.TOTP_DESTROY_POST,
         auth: {
-          strategy: 'sessionToken',
+          strategy: 'verifiedSessionToken',
+          payload: false,
         },
         response: {},
       },

packages/fxa-auth-server/test/local/routes/recovery-phone.js

@@ -481,9 +481,9 @@ describe('/recovery_phone', () => {
       );
     });
 
-    it('requires session authorization', () => {
+    it('requires verified session authorization', () => {
       const route = getRoute(routes, '/recovery_phone/create', 'POST');
-      assert.equal(route.options.auth.strategy, 'sessionToken');
+      assert.equal(route.options.auth.strategy, 'verifiedSessionToken');
     });
   });