Merge pull request #19412 from mozilla/FXA-12224

feat(mfa): Wrap secondary email pages in MfaGuard

Author: nshirley

packages/functional-tests/tests/settings/changeEmail.spec.ts

@@ -23,7 +23,7 @@ test.describe('severity-1 #smoke', () => {
 
       await settings.goto();
 
-      await changePrimaryEmail(target, settings, secondaryEmail, newEmail);
+      await changePrimaryEmail(target, settings, secondaryEmail, newEmail, credentials.email);
 
       await settings.signOut();
 
@@ -59,7 +59,7 @@ test.describe('severity-1 #smoke', () => {
 
       await settings.goto();
 
-      await changePrimaryEmail(target, settings, secondaryEmail, newEmail);
+      await changePrimaryEmail(target, settings, secondaryEmail, newEmail, credentials.email);
 
       await setNewPassword(
         settings,
@@ -101,7 +101,7 @@ test.describe('severity-1 #smoke', () => {
 
       await settings.goto();
 
-      await changePrimaryEmail(target, settings, secondaryEmail, secondEmail);
+      await changePrimaryEmail(target, settings, secondaryEmail, secondEmail, credentials.email);
 
       await setNewPassword(
         settings,
@@ -150,7 +150,7 @@ test.describe('severity-1 #smoke', () => {
 
       await settings.goto();
 
-      await changePrimaryEmail(target, settings, secondaryEmail, newEmail);
+      await changePrimaryEmail(target, settings, secondaryEmail, newEmail, credentials.email);
       await expect(settings.primaryEmail.status).toHaveText(newEmail);
 
       // Click delete account
@@ -185,6 +185,7 @@ test.describe('severity-1 #smoke', () => {
 
       await settings.goto();
       await settings.secondaryEmail.addButton.click();
+      await settings.confirmMfaGuard(credentials.email);
       await secondaryEmail.fillOutEmail(newEmail);
       const code: string =
         await target.emailClient.getVerifySecondaryCode(newEmail);
@@ -234,9 +235,11 @@ async function changePrimaryEmail(
   target: BaseTarget,
   settings: SettingsPage,
   secondaryEmail: SecondaryEmailPage,
-  email: string
+  email: string,
+  primaryEmail: string,
 ): Promise<void> {
   await settings.secondaryEmail.addButton.click();
+  await settings.confirmMfaGuard(primaryEmail);
   await secondaryEmail.fillOutEmail(email);
   const code: string = await target.emailClient.getVerifySecondaryCode(email);
   await secondaryEmail.fillOutVerificationCode(code);

packages/functional-tests/tests/settings/changeEmailBlocked.spec.ts

@@ -28,7 +28,7 @@ test.describe('severity-1 #smoke', () => {
       const invalidPassword = testAccountTracker.generatePassword();
 
       await settings.goto();
-      await changePrimaryEmail(target, settings, secondaryEmail, blockedEmail);
+      await changePrimaryEmail(target, settings, secondaryEmail, blockedEmail, credentials.email);
       await settings.signOut();
       await signin.fillOutEmailFirstForm(blockedEmail);
       await signin.fillOutPasswordForm(invalidPassword);
@@ -67,7 +67,7 @@ test.describe('severity-1 #smoke', () => {
       const blockedEmail = testAccountTracker.generateBlockedEmail();
 
       await settings.goto();
-      await changePrimaryEmail(target, settings, secondaryEmail, blockedEmail);
+      await changePrimaryEmail(target, settings, secondaryEmail, blockedEmail, credentials.email);
       await settings.signOut();
 
       await signin.fillOutEmailFirstForm(blockedEmail);
@@ -110,9 +110,11 @@ async function changePrimaryEmail(
   target: BaseTarget,
   settings: SettingsPage,
   secondaryEmail: SecondaryEmailPage,
-  email: string
+  email: string,
+  primaryEmail: string,
 ): Promise<void> {
   await settings.secondaryEmail.addButton.click();
+  await settings.confirmMfaGuard(primaryEmail);
   await secondaryEmail.fillOutEmail(email);
   const code: string = await target.emailClient.getVerifySecondaryCode(email);
   await secondaryEmail.fillOutVerificationCode(code);

packages/functional-tests/tests/signin/signinBlocked.spec.ts

@@ -166,6 +166,7 @@ test.describe('severity-2 #smoke', () => {
 
       await settings.goto();
       await settings.secondaryEmail.addButton.click();
+      await settings.confirmMfaGuard(credentials.email);
       await secondaryEmail.fillOutEmail(blockedEmail);
       const verifyCode: string =
         await target.emailClient.getVerifySecondaryCode(blockedEmail);

packages/functional-tests/tests/syncV3/fxDesktopV3ForceAuth.spec.ts

@@ -128,7 +128,7 @@ test.describe('severity-1 #smoke', () => {
         uid,
       });
       await signin.fillOutPasswordForm(credentials.password);
-      // fails on this chck for react (message not sent)
+      // fails on this check for react (message not sent)
       await fxDesktopV3ForceAuth.checkWebChannelMessage(
         FirefoxCommand.LinkAccount
       );
@@ -146,7 +146,8 @@ test.describe('severity-1 #smoke', () => {
         target,
         settings,
         secondaryEmail,
-        nonBlockedEmail
+        nonBlockedEmail,
+        credentials.email
       );
       await settings.deleteAccountButton.click();
       await deleteAccount.deleteAccount(credentials.password);
@@ -162,9 +163,11 @@ async function changePrimaryEmail(
   target: BaseTarget,
   settings: SettingsPage,
   secondaryEmail: SecondaryEmailPage,
-  email: string
+  email: string,
+  primaryEmail: string
 ): Promise<void> {
   await settings.secondaryEmail.addButton.click();
+  await settings.confirmMfaGuard(primaryEmail);
   await secondaryEmail.fillOutEmail(email);
   const code: string = await target.emailClient.getVerifySecondaryCode(email);
   await secondaryEmail.fillOutVerificationCode(code);

packages/fxa-auth-client/lib/client.ts

@@ -1666,23 +1666,15 @@ export default class AuthClient {
     return this.sessionGet('/recovery_emails', sessionToken, headers);
   }
 
-  async recoveryEmailCreate(
-    sessionToken: hexstring,
-    email: string,
-    options: {
-      verificationMethod?: string;
-    } = {},
-    headers?: Headers
-  ) {
-    return this.sessionPost(
-      '/recovery_email',
-      sessionToken,
-      {
-        email,
-        ...options,
-      },
-      headers
-    );
+  /**
+   * Creates a new recovery email for the account.
+   * @param jwt Required scope 'mfa:email'
+   * @param email Recovery email to add to account
+   * @param headers
+   * @returns Response
+   */
+  async recoveryEmailCreate(jwt: string, email: string, headers?: Headers) {
+    return this.jwtPost('/mfa/recovery_email', jwt, { email }, headers);
   }
 
   async recoveryEmailDestroy(
@@ -1713,15 +1705,23 @@ export default class AuthClient {
     );
   }
 
+  /**
+   * Verifies a recovery email by confirming the code sent to that email address.
+   * @param jwt Required scope 'mfa:email'
+   * @param email Recovery email verify
+   * @param code Verification code sent to recovery email
+   * @param headers
+   * @returns Response
+   */
   async recoveryEmailSecondaryVerifyCode(
-    sessionToken: hexstring,
+    jwt: string,
     email: string,
     code: string,
     headers?: Headers
   ): Promise<{}> {
-    return this.sessionPost(
-      '/recovery_email/secondary/verify_code',
-      sessionToken,
+    return this.jwtPost(
+      '/mfa/recovery_email/secondary/verify_code',
+      jwt,
       { email, code },
       headers
     );

packages/fxa-auth-server/config/index.ts

@@ -2476,7 +2476,7 @@ const convictConf = convict({
       env: 'MFA__ENABLED',
     },
     actions: {
-      default: ['test', '2fa'],
+      default: ['test', '2fa', 'email'],
       doc: 'Actions protected by MFA',
       format: Array,
       env: 'MFA__ACTIONS',

packages/fxa-auth-server/docs/swagger/emails-api.ts

@@ -110,7 +110,7 @@ const RECOVERY_EMAIL_POST = {
   description: '/recovery_email',
   notes: [
     dedent`
-      🔒 Authenticated with session token
+      🔒 Authenticated with MFA JWT (scope: mfa:email)
       Add a secondary email address to the logged-in account. The created address will be unverified and will not replace the primary email address.
     `,
   ],
@@ -212,7 +212,7 @@ const RECOVERY_EMAIL_SECONDARY_VERIFY_CODE_POST = {
   description: '/recovery_email/secondary/verify_code',
   notes: [
     dedent`
-      🔒 Authenticated with session token
+      🔒 Authenticated with session MFA JWT (scope: mfa:email)
 
       This endpoint verifies a secondary email using a time based (otp) code.
     `,