Merge pull request #20331 from mozilla/FXA-13355

fix(auth): Provide sessionVerified on passwordChange handler

Author: nshirley

packages/functional-tests/tests/resetPassword/resetPassword.spec.ts

@@ -147,4 +147,52 @@ test.describe('severity-1 #smoke', () => {
 
     await expect(resetPassword.confirmResetPasswordHeading).toBeVisible();
   });
+
+  test('can reset password then add ARK', async ({
+    target,
+    pages: { resetPassword, settings, recoveryKey, page },
+    testAccountTracker,
+  }) => {
+    const credentials = await testAccountTracker.signUp();
+    const newPassword = testAccountTracker.generatePassword();
+
+    await resetPassword.goto();
+
+    await resetPassword.page.waitForURL(/reset_password/);
+
+    await resetPassword.fillOutEmailForm(credentials.email);
+
+    const code = await target.emailClient.getResetPasswordCode(
+      credentials.email
+    );
+
+    await resetPassword.fillOutResetPasswordCodeForm(code);
+
+    // Create and submit new password
+    await resetPassword.fillOutNewPasswordForm(newPassword);
+
+    await expect(settings.settingsHeading).toBeVisible();
+
+    // Cleanup requires setting this value to correct password
+    credentials.password = newPassword;
+
+    // now add an ARK to make sure the browser has the correct verified state
+    await expect(settings.recoveryKey.status).toHaveText('Not set');
+
+    await settings.recoveryKey.createButton.click();
+
+    await settings.confirmMfaGuard(credentials.email);
+
+    await recoveryKey.createRecoveryKey(
+      credentials.password,
+      'secret key location'
+    );
+    await expect(page.getByRole('alert')).toHaveText(
+      'Account recovery key created'
+    );
+
+    await expect(settings.settingsHeading).toBeVisible();
+    await expect(settings.recoveryKey.status).toHaveText('Enabled');
+    await expect(settings.recoveryKey.deleteButton).toBeVisible();
+  });
 });

packages/fxa-auth-server/lib/routes/password.spec.ts

@@ -448,9 +448,7 @@ describe('/password', () => {
       mockRequest
     ).then((response: any) => {
       expect(Object.keys(response)).toEqual(['accountResetToken']);
-      expect(response.accountResetToken).toBe(
-        accountResetToken.data
-      );
+      expect(response.accountResetToken).toBe(accountResetToken.data);
 
       expect(mockCustoms.check.callCount).toBe(1);
 
@@ -1230,5 +1228,56 @@ describe('/password', () => {
       expect(response.sessionToken).toBeTruthy();
       expect(response.keyFetchToken).toBeFalsy();
     });
+
+    it('should include sessionVerified in the response reflecting token verification status', async () => {
+      const oldAuthPW = crypto.randomBytes(32).toString('hex');
+      const authPW = crypto.randomBytes(32).toString('hex');
+      const wrapKb = crypto.randomBytes(32).toString('hex');
+
+      const mockRequest = mocks.mockRequest({
+        log: mockLog,
+        auth: {
+          credentials: {
+            uid,
+            email: TEST_EMAIL,
+            emailVerified: true,
+            tokenVerified: true,
+            deviceId: crypto.randomBytes(16).toString('hex'),
+            authenticatorAssuranceLevel: 2,
+            lastAuthAt: () => Date.now(),
+            data: crypto.randomBytes(32).toString('hex'),
+          },
+        },
+        payload: {
+          email: TEST_EMAIL,
+          oldAuthPW,
+          authPW,
+          wrapKb,
+        },
+        query: {},
+      });
+
+      const passwordRoutes = makeRoutes({
+        db: mockDB,
+        mailer: mockMailer,
+        push: mockPush,
+        log: mockLog,
+        statsd: mockStatsd,
+        customs: mockCustoms,
+      });
+
+      const response = await runRoute(
+        passwordRoutes,
+        '/mfa/password/change',
+        mockRequest
+      );
+
+      // sessionVerified must be present so that client-side storage correctly
+      // reflects the verified session after a password change.
+      expect(response.sessionVerified).toBe(true);
+
+      // verified (deprecated compat field) should remain present and consistent
+      expect(response.verified).toBe(true);
+    });
   });
 });

packages/fxa-auth-server/lib/routes/password.ts

@@ -976,6 +976,7 @@ module.exports = function (
           const response: any = {
             uid: newSessionToken.uid,
             sessionToken: newSessionToken.data,
+            sessionVerified: newSessionToken.tokenVerified,
             verified:
               newSessionToken.emailVerified && newSessionToken.tokenVerified,
             authAt: newSessionToken.lastAuthAt(),