Merge pull request #20001 from mozilla/FXA-13009

fix(webchannel): Send 'can_link_account' during signin_unblock

Author: LZoog

packages/fxa-settings/src/components/App/index.tsx

@@ -638,7 +638,12 @@ const AuthAndAccountSetupRoutes = ({
       />
       <SigninUnblockContainer
         path="/signin_unblock/*"
-        {...{ integration, flowQueryParams, setCurrentSplitLayout }}
+        {...{
+          integration,
+          flowQueryParams,
+          setCurrentSplitLayout,
+          useFxAStatusResult,
+        }}
       />
       <InlineRecoveryKeySetupContainer
         path="/inline_recovery_key_setup/*"

packages/fxa-settings/src/pages/Signin/SigninUnblock/container.test.tsx

@@ -24,7 +24,10 @@ import {
   MOCK_UNBLOCK_CODE,
   MOCK_UNWRAP_BKEY,
   MOCK_UNWRAP_BKEY_V2,
+  MOCK_CLIENT_ID,
+  MOCK_REDIRECT_URI,
   mockLoadingSpinnerModule,
+  MOCK_SERVICE,
 } from '../../mocks';
 import {
   mockGqlBeginSigninMutation,
@@ -45,6 +48,11 @@ import {
 } from './mocks';
 import { BeginSigninResult, SigninUnblockIntegration } from '../interfaces';
 import { tryFinalizeUpgrade } from '../../../lib/gql-key-stretch-upgrade';
+import { mockUseFxAStatus } from '../../../lib/hooks/useFxAStatus/mocks';
+import { ensureCanLinkAcountOrRedirect } from '../utils';
+import { IntegrationType, OAuthIntegrationData } from '../../../models';
+import { GenericData } from '../../../lib/model-data';
+import { Constants } from '../../../lib/constants';
 
 let integration: SigninUnblockIntegration;
 function mockWebIntegration() {
@@ -55,6 +63,28 @@ function mockWebIntegration() {
   };
 }
 
+function mockOAuthNativeIntegration() {
+  integration = {
+    ...createMockSigninWebSyncIntegration(),
+    type: IntegrationType.OAuthNative,
+    data: new OAuthIntegrationData(
+      new GenericData({
+        context: Constants.OAUTH_WEBCHANNEL_CONTEXT,
+        client_id: MOCK_CLIENT_ID,
+        state: 'mock_state',
+      })
+    ),
+    clientInfo: {
+      clientId: MOCK_CLIENT_ID,
+      redirectUri: MOCK_REDIRECT_URI,
+      imageUri: undefined,
+      serviceName: MOCK_SERVICE,
+      trusted: true,
+    },
+    isFirefoxMobileClient: () => false,
+  } as SigninUnblockIntegration;
+}
+
 let flowQueryParams: QueryParams;
 function mockQueryFlowParameters() {
   flowQueryParams = {
@@ -78,6 +108,11 @@ jest.mock('../../../lib/gql-key-stretch-upgrade', () => {
   };
 });
 
+jest.mock('../utils', () => ({
+  ...jest.requireActual('../utils'),
+  ensureCanLinkAcountOrRedirect: jest.fn(),
+}));
+
 jest.mock('../../../models', () => {
   return {
     ...jest.requireActual('../../../models'),
@@ -139,7 +174,13 @@ describe('signin unblock container', () => {
   });
 
   /** Renders the container with a fake page component */
-  async function render(mocks: Array<MockedResponse>) {
+  async function render(
+    mocks: Array<MockedResponse>,
+    options?: { useFxAStatusResult?: ReturnType<typeof mockUseFxAStatus> }
+  ) {
+    const useFxAStatusResult =
+      options?.useFxAStatusResult || mockUseFxAStatus();
+
     renderWithLocalizationProvider(
       <MockedProvider mocks={mocks} addTypename={false}>
         <LocationProvider>
@@ -148,6 +189,7 @@ describe('signin unblock container', () => {
               integration,
               serviceName: MozServices.Default,
               flowQueryParams,
+              useFxAStatusResult,
             }}
           />
         </LocationProvider>
@@ -185,6 +227,8 @@ describe('signin unblock container', () => {
     expect(result?.data?.signIn?.emailVerified).toBeDefined();
     expect(result?.data?.signIn?.sessionVerified).toBeDefined();
     expect(result?.data?.signIn?.metricsEnabled).toBeDefined();
+    // Should NOT call ensureCanLinkAcountOrRedirect for non-OAuthNative integration
+    expect(ensureCanLinkAcountOrRedirect).not.toHaveBeenCalled();
   });
 
   it('handles signin with with key stretching upgrade', async () => {
@@ -295,4 +339,53 @@ describe('signin unblock container', () => {
     expect(result?.error).toBeDefined();
     expect(result?.error?.errno).toEqual(127);
   });
+
+  describe('with supportsCanLinkAccountUid capability and OAuthNative integration', () => {
+    beforeEach(() => {
+      mockOAuthNativeIntegration();
+      (ensureCanLinkAcountOrRedirect as jest.Mock).mockResolvedValue(true);
+    });
+
+    afterEach(() => {
+      (ensureCanLinkAcountOrRedirect as jest.Mock).mockRestore();
+    });
+
+    it('calls ensureCanLinkAcountOrRedirect with UID after successful signin', async () => {
+      const useFxAStatusResult = mockUseFxAStatus({
+        supportsCanLinkAccountUid: true,
+      });
+
+      await render(
+        [
+          mockGqlCredentialStatusMutation(),
+          mockGqlBeginSigninMutation(
+            {
+              unblockCode: MOCK_UNBLOCK_CODE,
+              keys: true,
+            },
+            {
+              authPW: MOCK_AUTH_PW_V2,
+            }
+          ),
+        ],
+        { useFxAStatusResult }
+      );
+
+      let result: BeginSigninResult | undefined;
+      await act(async () => {
+        result =
+          await currentPageProps?.signinWithUnblockCode(MOCK_UNBLOCK_CODE);
+      });
+
+      expect(result).toBeDefined();
+      expect(result?.data).toBeDefined();
+      expect(ensureCanLinkAcountOrRedirect).toHaveBeenCalledTimes(1);
+      expect(ensureCanLinkAcountOrRedirect).toHaveBeenCalledWith(
+        expect.objectContaining({
+          email: MOCK_EMAIL,
+          uid: expect.any(String),
+        })
+      );
+    });
+  });
 });

packages/fxa-settings/src/pages/Signin/SigninUnblock/container.tsx

@@ -7,10 +7,12 @@ import { RouteComponentProps, useLocation } from '@reach/router';
 
 import VerificationMethods from '../../../constants/verification-methods';
 import {
+  isOAuthNativeIntegration,
   useAuthClient,
   useFtlMsgResolver,
   useSensitiveDataClient,
 } from '../../../models';
+import { UseFxAStatusResult } from '../../../lib/hooks/useFxAStatus';
 
 // using default signin handlers
 import {
@@ -51,15 +53,18 @@ import { isFirefoxService } from '../../../models/integrations/utils';
 import { tryFinalizeUpgrade } from '../../../lib/gql-key-stretch-upgrade';
 import { useNavigateWithQuery } from '../../../lib/hooks/useNavigateWithQuery';
 import AppLayout from '../../../components/AppLayout';
+import { ensureCanLinkAcountOrRedirect } from '../utils';
 
 export const SigninUnblockContainer = ({
   integration,
   flowQueryParams,
   setCurrentSplitLayout,
+  useFxAStatusResult,
 }: {
   integration: SigninUnblockIntegration;
   flowQueryParams: QueryParams;
   setCurrentSplitLayout?: (value: boolean) => void;
+  useFxAStatusResult: UseFxAStatusResult;
 } & RouteComponentProps) => {
   const authClient = useAuthClient();
   const ftlMsgResolver = useFtlMsgResolver();
@@ -165,22 +170,37 @@ export const SigninUnblockContainer = ({
           unwrapBKey: credentials.unwrapBKey,
           keyFetchToken: response.data.signIn.keyFetchToken,
         });
-      }
 
-      const emailVerified = response.data?.signIn.emailVerified;
-      const sessionVerified = response.data?.signIn.sessionVerified;
-      const sessionToken = response.data?.signIn.sessionToken;
-      // Attempt to finish key stretching upgrade now that session has been verified.
-      if (emailVerified && sessionVerified && sessionToken) {
-        await tryFinalizeUpgrade(
-          sessionToken,
-          sensitiveDataClient,
-          'signin-unblock',
-          credentialStatus,
-          getWrappedKeys,
-          passwordChangeStart,
-          passwordChangeFinish
-        );
+        const emailVerified = response.data.signIn.emailVerified;
+        const sessionVerified = response.data.signIn.sessionVerified;
+        const sessionToken = response.data.signIn.sessionToken;
+        // Attempt to finish key stretching upgrade now that session has been verified.
+        if (emailVerified && sessionVerified && sessionToken) {
+          await tryFinalizeUpgrade(
+            sessionToken,
+            sensitiveDataClient,
+            'signin-unblock',
+            credentialStatus,
+            getWrappedKeys,
+            passwordChangeStart,
+            passwordChangeFinish
+          );
+        }
+
+        if (
+          isOAuthNativeIntegration(integration) &&
+          useFxAStatusResult.supportsCanLinkAccountUid
+        ) {
+          const ok = await ensureCanLinkAcountOrRedirect({
+            email,
+            uid: response.data.signIn.uid,
+            ftlMsgResolver,
+            navigateWithQuery,
+          });
+          if (!ok) {
+            return { data: undefined };
+          }
+        }
       }
 
       return response;

packages/fxa-settings/src/pages/Signin/container.tsx

@@ -312,7 +312,7 @@ const SigninContainer = ({
   const beginSigninHandler: BeginSigninHandler = useCallback(
     async (email: string, password: string) => {
       // - If the user came from email-first WITHOUT a linked third‑party account, Index already showed
-      //   the merge prompt.
+      //   the merge prompt for old firefox versions (supportsCanLinkAccountUid=false).
       // - If the user HAS a linked third‑party account, Index deferred the prompt to avoid duplicates,
       //   so we must prompt here instead.
       // Note: the browser will repond {ok} if the email matches stored data or the user accepts the merge.