Merge pull request #19535 from mozilla/FXA-12432

task(auth): Add verified session checks to mfa strategy

Author: dschom

packages/fxa-auth-server/lib/routes/auth-schemes/mfa.ts

@@ -6,6 +6,9 @@ import { Request, ResponseToolkit } from '@hapi/hapi';
 import * as AppError from '../../error';
 import { ConfigType } from '../../../config/index';
 import * as jwt from 'jsonwebtoken';
+import { Account } from 'fxa-shared/db/models/auth';
+import { StatsD } from 'hot-shots';
+import * as authMethods from '../../authMethods';
 
 export type Credentials = {
   data?: string | null;
@@ -40,19 +43,54 @@ export type Credentials = {
   locale?: string | null;
   mustVerify?: string | null;
   tokenVerificationId?: string | null;
-  tokenVerified?: string | null;
+  tokenVerified?: boolean | null;
   verificationMethod?: string | null;
   verificationMethodValue?: string | null;
   verifiedAt?: string | null;
   metricsOptOutAt?: string | null;
   providerId?: string | null;
   scope?: string[];
+  authenticatorAssuranceLevel: number;
 };
 
+export interface VerifiedSessionTokenStrategyDb {
+  account(uid: string): Promise<Account>;
+  totpToken(uid: string): Promise<{
+    verified?: boolean;
+    enabled?: boolean;
+  }>;
+}
+
 export const strategy = (
   config: ConfigType,
-  getCredentialsFunc: (sessionTokenId: string) => Credentials
+  getCredentialsFunc: (sessionTokenId: string) => Credentials,
+  db: VerifiedSessionTokenStrategyDb,
+  statsd: StatsD
 ) => {
+  // TODO: FXA-12494 - This was copied from verified-session-token.js. We should
+  // convert verified-session-token.js to typescript and make the following logic reusable.
+
+  // Extract regular expressions to allow for optional skipping of certain routes for certain checks.
+  // We reuse the verified session token configuration here, since it's a single point of config
+  // to control which routes deviate from the default set of checks.
+  const verifiedSessionTokenConfig =
+    config?.authStrategies?.verifiedSessionToken;
+
+  const skipEmailVerifiedCheckForRoutes =
+    verifiedSessionTokenConfig?.skipEmailVerifiedCheckForRoutes
+      ? new RegExp(verifiedSessionTokenConfig.skipEmailVerifiedCheckForRoutes)
+      : null;
+
+  const skipTokenVerifiedCheckForRoutes =
+    verifiedSessionTokenConfig?.skipTokenVerifiedCheckForRoutes
+      ? new RegExp(verifiedSessionTokenConfig.skipTokenVerifiedCheckForRoutes)
+      : null;
+
+  const skipAalCheckForRoutes =
+    verifiedSessionTokenConfig?.skipAalCheckForRoutes
+      ? new RegExp(verifiedSessionTokenConfig.skipAalCheckForRoutes)
+      : null;
+
   return () => ({
     async authenticate(req: Request, h: ResponseToolkit) {
       const auth = req.headers.authorization;
@@ -101,10 +139,69 @@ export const strategy = (
         throw AppError.unauthorized('Token not found');
       }
 
-      if (sessionToken.uid !== decoded.sub) {
+      if (sessionToken.uid == null || sessionToken.uid !== decoded.sub) {
         throw AppError.unauthorized('Token invalid');
       }
 
+      // TODO: FXA-12494 - This was copied from verified-session-token.js. We should
+      // convert verified-session-token.js to typescript and make the following logic reusable.
+      const account = await db.account(sessionToken.uid);
+
+      // 1) account email is verified
+      if (!account?.primaryEmail?.isVerified) {
+        if (skipEmailVerifiedCheckForRoutes?.test(req.route.path)) {
+          // Important! Using req.route.path which has much lower cardinality than req.path
+          statsd?.increment(
+            'verified_session_token.primary_email_not_verified.skipped',
+            [`path:${req.route.path}`]
+          );
+        } else {
+          statsd?.increment(
+            'verified_session_token.primary_email_not_verified.error',
+            [`path:${req.route.path}`]
+          );
+          throw AppError.unverifiedAccount();
+        }
+      }
+
+      // 2) session token is verified
+      if (
+        sessionToken.tokenVerificationId ||
+        sessionToken.tokenVerified === false
+      ) {
+        if (skipTokenVerifiedCheckForRoutes?.test(req.route.path)) {
+          statsd?.increment('verified_session_token.token_verified.skipped', [
+            `path:${req.route.path}`,
+          ]);
+        } else {
+          statsd?.increment('verified_session_token.token_verified.error', [
+            `path:${req.route.path}`,
+          ]);
+          throw AppError.unverifiedSession();
+        }
+      }
+
+      // 3) account AAL and session AAL match
+      const accountAmr = await authMethods.availableAuthenticationMethods(
+        db,
+        account
+      );
+      const accountAal = authMethods.maximumAssuranceLevel(accountAmr);
+      const sessionAal = sessionToken.authenticatorAssuranceLevel;
+
+      if (sessionAal < accountAal) {
+        if (skipAalCheckForRoutes?.test(req.route.path)) {
+          statsd?.increment('verified_session_token.aal.skipped', [
+            `path:${req.route.path}`,
+          ]);
+        } else {
+          statsd?.increment('verified_session_token.aal.error', [
+            `path:${req.route.path}`,
+          ]);
+          throw AppError.unauthorized('AAL mismatch');
+        }
+      }
+
       // Decorate session token with scope
       sessionToken.scope = decoded.scope;
 

packages/fxa-auth-server/lib/server.js

@@ -494,7 +494,7 @@ async function create(log, error, config, routes, db, statsd, glean, customs) {
 
   server.auth.scheme(
     'mfa',
-    mfa.strategy(config, makeCredentialFn(db.sessionToken.bind(db)))
+    mfa.strategy(config, makeCredentialFn(db.sessionToken.bind(db)), db, statsd)
   );
   server.auth.strategy('mfa', 'mfa');