Merge pull request #19454 from mozilla/FXA-12400

bug(auth): Fix bad config for otp code expiration

Author: dschom

packages/fxa-auth-server/config/index.ts

@@ -2515,13 +2515,16 @@ const convictConf = convict({
         env: 'MFA__OTP__EPOCH',
       },
       step: {
+        // The time interval to use. In this case 1 second
         default: 1,
         doc: 'Overrides step otp options',
         format: Number,
         env: 'MFA__OTP__STEP',
       },
       window: {
-        default: 60 * 5,
+        // Number of steps contained in the window. In this case
+        // 5 minutes worth of steps
+        default: 5 * 60,
         doc: 'Overrides window otp options',
         format: Number,
         env: 'MFA__OTP__WINDOW',

packages/fxa-auth-server/lib/routes/mfa.ts

@@ -75,13 +75,20 @@ class MfaHandler {
       const options = this.config.mfa.otp;
       const code = await this.otpUtils.generateOtpCode(secret, options);
 
+      // Convert seconds to minutes. The step is a time interval in seconds, and
+      // the window is the the number of intervals the code is valid for.
+      // For example if the step is 1 second, and the interval is 30, the code
+      // is valid for 30s.
+      // For specifics see: https://www.npmjs.com/package/otplib
+      const expirationTime = (options.step * options.window) / 60;
+
       await this.mailer.sendVerifyAccountChangeEmail(
         account.emails?.map((x) => x.email) || [account.email],
         account,
         {
           code,
           uid,
-          expirationTime: this.config.mfa.otp.window || 5,
+          expirationTime,
         }
       );
 

packages/fxa-auth-server/test/local/routes/mfa.js

@@ -37,6 +37,9 @@ describe('mfa', () => {
       actions: ['test'],
       otp: {
         digits: 6,
+        // Code would be valid for 30 seconds
+        step: 1,
+        window: 30,
       },
       jwt: {
         secretKey: 'foxes',