Merge pull request #18977 from mozilla/use-check-authenticated

task(auth): Use customs.checkAuthenticated where possible

Author: dschom

packages/fxa-auth-server/config/rate-limit-rules.txt

@@ -6,8 +6,7 @@
   accountCreate                         : email             : 100           : 15 minutes        : 15 minutes
   accountLogin                          : ip                : 100           : 15 minutes        : 15 minutes
   accountLogin                          : email             : 100           : 15 minutes        : 15 minutes
-  accountDestroy                        : ip                : 100           : 15 minutes        : 15 minutes
-  accountDestroy                        : email             : 100           : 15 minutes        : 15 minutes
+  accountDestroy                        : uid               : 100           : 15 minutes        : 15 minutes
   passwordChange                        : ip                : 100           : 15 minutes        : 15 minutes
   passwordChange                        : email             : 100           : 15 minutes        : 15 minutes
   passwordForgotSendCode                : ip                : 100           : 15 minutes        : 15 minutes
@@ -30,18 +29,15 @@
 # Email Send - These are limits on rate at which emails can be sent out. We limit both IP and email address
 # since many of these operations do not require authentication. Some operations, however, require sessions
 # and for these we should switch over to using UID. See FXA-11777 for more details.
-  createEmail                           : email             : 5             : 15 minutes        : 15 minutes
-  createEmail                           : ip                : 5             : 10 minutes        : 30 minutes
-  recoveryEmailResendCode               : email             : 5             : 15 minutes        : 15 minutes
-  recoveryEmailResendCode               : ip                : 5             : 10 minutes        : 30 minutes
+  createEmail                           : uid               : 5             : 15 minutes        : 15 minutes
+  recoveryEmailResendCode               : uid               : 5             : 15 minutes        : 15 minutes
   recoveryEmailSecondaryResendCode      : email             : 5             : 15 minutes        : 15 minutes
   recoveryEmailSecondaryResendCode      : ip                : 5             : 10 minutes        : 30 minutes
   passwordForgotSendCode                : email             : 5             : 15 minutes        : 15 minutes
   passwordForgotSendCode                : ip                : 5             : 10 minutes        : 30 minutes
   passwordForgotResendCode              : email             : 5             : 15 minutes        : 15 minutes
   passwordForgotResendCode              : ip                : 5             : 10 minutes        : 30 minutes
-  sendVerifyCode                        : email             : 5             : 15 minutes        : 15 minutes
-  sendVerifyCode                        : ip                : 5             : 10 minutes        : 30 minutes
+  sendVerifyCode                        : uid               : 5             : 15 minutes        : 15 minutes
   sendUnblockCode                       : email             : 5             : 15 minutes        : 15 minutes
   sendUnblockCode                       : ip                : 5             : 10 minutes        : 30 minutes
   unblockEmail                          : email             : 5             : 15 minutes        : 15 minutes

packages/fxa-auth-server/lib/customs.js

@@ -120,6 +120,7 @@ class CustomsClient {
   async checkAuthenticated(request, uid, email, action) {
     const checked = await this.checkV2(request, 'checkAuthenticated', action, {
       ip: request?.app?.clientAddress,
+      email,
       uid,
     });
     if (checked) {

packages/fxa-auth-server/lib/routes/account.ts

@@ -822,7 +822,7 @@ export class AccountHandler {
     const account = await this.db.account(uid as string);
     const email = account.primaryEmail?.email;
 
-    await this.customs.check(request, email, 'setPassword');
+    await this.customs.checkAuthenticated(request, uid, email, 'setPassword');
 
     const response: Record<string, any> = {};
     response.uid = uid;
@@ -1823,7 +1823,12 @@ export class AccountHandler {
       authenticatorAssuranceLevel?: number;
     }
 
-    await this.customs.check(request, emailAddress, 'accountDestroy');
+    await this.customs.checkAuthenticated(
+      request,
+      sessionToken.uid,
+      sessionToken.email,
+      'accountDestroy'
+    );
 
     let accountRecord: Account;
     try {

packages/fxa-auth-server/lib/routes/emails.js

@@ -273,8 +273,9 @@ module.exports = (
           return {};
         }
 
-        await customs.check(
+        await customs.checkAuthenticated(
           request,
+          sessionToken.uid,
           sessionToken.email,
           'recoveryEmailResendCode'
         );
@@ -577,7 +578,12 @@ module.exports = (
           uid: uid,
         };
 
-        await customs.check(request, primaryEmail, 'createEmail');
+        await customs.checkAuthenticated(
+          request,
+          uid,
+          primaryEmail,
+          'createEmail'
+        );
 
         const account = await db.account(uid);
         const secondaryEmails = account.emails.filter(
@@ -724,7 +730,12 @@ module.exports = (
         const primaryEmail = sessionToken.email;
         const email = request.payload.email;
 
-        await customs.check(request, primaryEmail, 'deleteEmail');
+        await customs.checkAuthenticated(
+          request,
+          uid,
+          primaryEmail,
+          'deleteEmail'
+        );
         const account = await db.account(uid);
 
         if (sessionToken.tokenVerificationId) {
@@ -789,7 +800,12 @@ module.exports = (
 
         log.begin('Account.RecoveryEmailSetPrimary', request);
 
-        await customs.check(request, currentEmail, 'setPrimaryEmail');
+        await customs.checkAuthenticated(
+          request,
+          uid,
+          currentEmail,
+          'setPrimaryEmail'
+        );
 
         if (sessionToken.tokenVerificationId) {
           throw error.unverifiedSession();
@@ -902,8 +918,9 @@ module.exports = (
         const geoData = request.app.geo;
         const { email } = request.payload;
 
-        await customs.check(
+        await customs.checkAuthenticated(
           request,
+          sessionToken.uid,
           sessionToken.email,
           'recoveryEmailSecondaryResendCode'
         );
@@ -988,8 +1005,9 @@ module.exports = (
         const sessionToken = request.auth.credentials;
         const { email, code } = request.payload;
 
-        await customs.check(
+        await customs.checkAuthenticated(
           request,
+          sessionToken.uid,
           sessionToken.email,
           'recoveryEmailSecondaryVerifyCode'
         );

packages/fxa-auth-server/lib/routes/recovery-codes.js

@@ -207,7 +207,12 @@ module.exports = (log, db, config, customs, mailer, glean) => {
           uid,
         } = request.auth.credentials;
 
-        await customs.check(request, email, 'verifyRecoveryCode');
+        await customs.checkAuthenticated(
+          request,
+          uid,
+          email,
+          'verifyRecoveryCode'
+        );
 
         const { code } = request.payload;
         const { remaining } = await db.consumeRecoveryCode(uid, code);

packages/fxa-auth-server/lib/routes/recovery-phone.ts

@@ -130,7 +130,12 @@ class RecoveryPhoneHandler {
       throw AppError.invalidToken();
     }
 
-    await this.customs.check(request, email, 'recoveryPhoneSendSigninCode');
+    await this.customs.checkAuthenticated(
+      request,
+      uid,
+      email,
+      'recoveryPhoneSendSigninCode'
+    );
 
     const getFormattedMessage = async (code: string) => {
       const localizedMessage = await this.getLocalizedMessage(

packages/fxa-auth-server/lib/routes/session.js

@@ -454,8 +454,9 @@ module.exports = function (
         const account = await db.account(sessionToken.uid);
         const secret = account.primaryEmail.emailCode;
 
-        await customs.check(
+        await customs.checkAuthenticated(
           request,
+          account.uid,
           account.primaryEmail.normalizedEmail,
           'sendVerifyCode'
         );

packages/fxa-auth-server/lib/routes/subscriptions/mozilla.ts

@@ -38,8 +38,9 @@ export class MozillaSubscriptionHandler {
     );
 
     const { uid, email } = await handleAuth(this.db, request.auth, true);
-    await this.customs.check(
+    await this.customs.checkAuthenticated(
       request,
+      uid,
       email,
       'mozillaSubscriptionsCustomerBillingAndSubscriptions'
     );
@@ -84,8 +85,9 @@ export class MozillaSubscriptionHandler {
     this.log.begin('mozillaSubscriptions.validatePlanEligibility', request);
 
     const { uid, email } = await handleAuth(this.db, request.auth, true);
-    await this.customs.check(
+    await this.customs.checkAuthenticated(
       request,
+      uid,
       email,
       'mozillaSubscriptionsValidatePlanEligibility'
     );

packages/fxa-auth-server/lib/routes/subscriptions/paypal.ts

@@ -59,8 +59,13 @@ export class PayPalHandler extends StripeWebhookHandler {
    */
   async getCheckoutToken(request: AuthRequest) {
     this.log.begin('subscriptions.getCheckoutToken', request);
-    const { email } = await handleAuth(this.db, request.auth, true);
-    await this.customs.check(request, email, 'getCheckoutToken');
+    const { uid, email } = await handleAuth(this.db, request.auth, true);
+    await this.customs.checkAuthenticated(
+      request,
+      uid,
+      email,
+      'getCheckoutToken'
+    );
 
     const { currencyCode } = request.payload as Record<string, string>;
     const token = await this.paypalHelper.getCheckoutToken({ currencyCode });
@@ -87,7 +92,12 @@ export class PayPalHandler extends StripeWebhookHandler {
     );
 
     try {
-      await this.customs.check(request, email, 'createSubscriptionWithPaypal');
+      await this.customs.checkAuthenticated(
+        request,
+        uid,
+        email,
+        'createSubscriptionWithPaypal'
+      );
 
       const taxAddress = buildTaxAddress(
         this.log,
@@ -370,7 +380,12 @@ export class PayPalHandler extends StripeWebhookHandler {
   async updatePaypalBillingAgreement(request: AuthRequest) {
     this.log.begin('subscriptions.updatePaypalBillingAgreement', request);
     const { uid, email } = await handleAuth(this.db, request.auth, true);
-    await this.customs.check(request, email, 'updatePaypalBillingAgreement');
+    await this.customs.checkAuthenticated(
+      request,
+      uid,
+      email,
+      'updatePaypalBillingAgreement'
+    );
 
     const customer = await this.stripeHelper.fetchCustomer(uid, [
       'subscriptions',