Merge pull request #18848 from mozilla/FXA-11497

feat(recovery phone): add backend routes for sms code in password reset

Author: chenba

libs/accounts/recovery-phone/src/lib/recovery-phone.service.spec.ts

@@ -462,7 +462,7 @@ describe('RecoveryPhoneService', () => {
     it('can confirm valid sms code', async () => {
       mockRecoveryPhoneManager.getUnconfirmed.mockReturnValue({});
 
-      const result = await service.confirmSigninCode(uid, code);
+      const result = await service.confirmCode(uid, code);
 
       expect(result).toBeTruthy();
       expect(mockRecoveryPhoneManager.getUnconfirmed).toBeCalledWith(uid, code);
@@ -473,15 +473,15 @@ describe('RecoveryPhoneService', () => {
         isSetup: true,
       });
 
-      const result = await service.confirmSigninCode(uid, code);
+      const result = await service.confirmCode(uid, code);
 
       expect(result).toBeFalsy();
     });
 
     it('will not confirm unknown sms code used', async () => {
       mockRecoveryPhoneManager.getUnconfirmed.mockReturnValue(null);
 
-      const result = await service.confirmSigninCode(uid, code);
+      const result = await service.confirmCode(uid, code);
 
       expect(result).toBeFalsy();
     });
@@ -692,7 +692,7 @@ describe('RecoveryPhoneService', () => {
       expect(service.confirmSetupCode(uid, '000000')).rejects.toEqual(
         new RecoveryPhoneNotEnabled()
       );
-      expect(service.confirmSigninCode(uid, '000000')).rejects.toEqual(
+      expect(service.confirmCode(uid, '000000')).rejects.toEqual(
         new RecoveryPhoneNotEnabled()
       );
       expect(service.sendCode(uid, mockGetFormattedMessage)).rejects.toEqual(

libs/accounts/recovery-phone/src/lib/recovery-phone.service.ts

@@ -224,9 +224,8 @@ export class RecoveryPhoneService {
     // OTP confirm page before then. "Basic lookups" from Twilio are free, so don't
     // bother persisting in redis.
     // https://www.twilio.com/en-us/user-authentication-identity/pricing/lookup
-    const { nationalFormat } = await this.smsManager.phoneNumberLookup(
-      phoneNumber
-    );
+    const { nationalFormat } =
+      await this.smsManager.phoneNumberLookup(phoneNumber);
     return nationalFormat;
   }
 
@@ -322,7 +321,7 @@ export class RecoveryPhoneService {
    * @param code A otp code
    * @returns True if successful
    */
-  public async confirmSigninCode(uid: string, code: string) {
+  public async confirmCode(uid: string, code: string) {
     if (!this.config.enabled) {
       throw new RecoveryPhoneNotEnabled();
     }
@@ -353,9 +352,8 @@ export class RecoveryPhoneService {
    * @returns True if successful
    */
   public async removePhoneNumber(uid: string) {
-    const hasRecoveryCodes = await this.recoveryPhoneManager.hasRecoveryCodes(
-      uid
-    );
+    const hasRecoveryCodes =
+      await this.recoveryPhoneManager.hasRecoveryCodes(uid);
 
     // TBD: Random, obs. why do we do this? It seems like a potential edge case, what if the user
     // consumes all the recovery codes? This could then return false...

packages/db-migrations/databases/fxa/patches/patch-168-169.sql

@@ -0,0 +1,7 @@
+SET NAMES utf8mb4 COLLATE utf8mb4_bin;
+
+CALL assertPatchLevel('168');
+
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_phone_reset_password_complete'), ('account.recovery_phone_reset_password_failed');
+
+UPDATE dbMetadata SET value = '169' WHERE name = 'schema-patch-level';

packages/db-migrations/databases/fxa/patches/patch-169-168.sql

@@ -0,0 +1,6 @@
+-- SET NAMES utf8mb4 COLLATE utf8mb4_bin;
+--
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_phone_reset_password_complete';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_phone_reset_password_failed';
+--
+-- UPDATE dbMetadata SET value = '168' WHERE name = 'schema-patch-level';

packages/db-migrations/databases/fxa/target-patch.json

@@ -1,3 +1,3 @@
 {
-  "level": 168
+  "level": 169
 }

packages/fxa-auth-client/lib/client.ts

@@ -2227,6 +2227,51 @@ export default class AuthClient {
     );
   }
 
+  /**
+   * Sends a code to the users phone during password reset.
+   *
+   * @param passwordForgotToken
+   * @param headers
+   */
+  async recoveryPhonePasswordResetSendCode(
+    passwordForgotToken: string,
+    headers?: Headers
+  ) {
+    return this.hawkRequest(
+      'POST',
+      '/recovery_phone/reset_password/send_code',
+      passwordForgotToken,
+      tokenType.passwordForgotToken,
+      {},
+      headers
+    );
+  }
+
+  /**
+   * Confirms the code sent to the recovery phone during a password reset.
+   *
+   *
+   * @param passwordForgotToken
+   * @param code The otp code sent to the user's phone
+   * @param headers
+   */
+  async recoveryPhoneResetPasswordConfirm(
+    passwordForgotToken: string,
+    code: string,
+    headers?: Headers
+  ) {
+    return this.hawkRequest(
+      'POST',
+      '/recovery_phone/reset_password/confirm',
+      passwordForgotToken,
+      tokenType.passwordForgotToken,
+      {
+        code,
+      },
+      headers
+    );
+  }
+
   /**
    * Removes a recovery phone from the user's account
    *

packages/fxa-auth-server/lib/l10n/server.ftl

@@ -25,4 +25,16 @@ recovery-phone-signin-sms-body = { $code } is your { -brand-mozilla } recovery c
 # https://twiliodeved.github.io/message-segment-calculator/
 # Messages should be limited to one segment
 # $code  - 6 digit code used to sign in with a recovery phone as backup for two-step authentication
-recovery-phone-signin-sms-short-body = { -brand-mozilla } code: { $code }
+recovery-phone-signin-sms-short-body = { -brand-mozilla } code: { $code }
+
+# Message sent by SMS with limited character length, please test translation with the messaging segment calculator
+# https://twiliodeved.github.io/message-segment-calculator/
+# Messages should be limited to one segment
+# $code  - 6 digit code used to sign in with a recovery phone as backup for account password reset
+recovery-phone-reset-password-sms-body = { $code } is your { -brand-mozilla } recovery code. Expires in 5 minutes.
+
+# Shorter message sent by SMS with limited character length, please test translation with the messaging segment calculator
+# https://twiliodeved.github.io/message-segment-calculator/
+# Messages should be limited to one segment
+# $code  - 6 digit code used to sign in with a recovery phone as backup for account password reset
+recovery-phone-reset-password-short-body = { -brand-mozilla } code: { $code }

packages/fxa-auth-server/lib/metrics/glean/index.ts

@@ -254,6 +254,16 @@ export function gleanMetrics(config: ConfigType) {
       recoveryKeyCreatePasswordSuccess: createEventFn(
         'password_reset_recovery_key_create_success'
       ),
+
+      recoveryPhoneCodeSent: createEventFn(
+        'password_reset_recovery_phone_code_sent'
+      ),
+      recoveryPhoneCodeSendError: createEventFn(
+        'password_reset_recovery_phone_code_send_error'
+      ),
+      recoveryPhoneCodeComplete: createEventFn(
+        'password_reset_recovery_phone_code_complete'
+      ),
     },
 
     oauth: {