Merge pull request #19825 from mozilla/uplift-patches

uplift patches to main

Author: vbudhram

packages/fxa-auth-server/config/index.ts

@@ -2317,6 +2317,12 @@ const convictConf = convict({
       env: 'RATE_LIMIT__SKIP_ENDPOINTS',
       format: Array,
     },
+    emailAliasNormalization: {
+      default: '',
+      doc: 'List of email domain configurations for alias normalization. Each entry should have domain, regex, and replace properties. Example: [{domain: "mozilla.com", regex: "\\+[^@]+", replace: ""}]',
+      env: 'RATE_LIMIT__EMAIL_ALIAS_NORMALIZATION',
+      format: String,
+    },
   },
   recoveryPhone: {
     enabled: {

packages/fxa-auth-server/lib/customs.js

@@ -17,13 +17,39 @@ const localizeTimestamp =
   });
 const serviceName = 'customs';
 
+// Load alias config map once at module startup
+function loadAliasConfigsMap() {
+  const aliasConfigsStr = config.get('rateLimit.emailAliasNormalization') || '';
+  let aliasConfigs = [];
+  if (aliasConfigsStr) {
+    try {
+      aliasConfigs = JSON.parse(aliasConfigsStr);
+    } catch (err) {
+      // If parsing fails, use empty array
+      aliasConfigs = [];
+    }
+  }
+  return new Map(
+    aliasConfigs.map((cfg) => [cfg.domain, cfg])
+  );
+}
+
+let aliasConfigsMap = loadAliasConfigsMap();
+
+/**
+ * Reload alias configs map from configuration (useful for testing).
+ */
+function reloadAliasConfigsMap() {
+  aliasConfigsMap = loadAliasConfigsMap();
+}
+
 function toOpts(ip, email, uid) {
   const opts = {};
   if (ip) {
     opts.ip = ip;
   }
   if (email) {
-    opts.email = email;
+    opts.email = normalizeEmailForRateLimiting(email);
   }
   if (uid) {
     opts.uid = uid;
@@ -120,7 +146,7 @@ class CustomsClient {
     const result = await this.makeRequest('/check', {
       ...this.sanitizePayload({
         ip: request.app.clientAddress,
-        email,
+        email: normalizeEmailForRateLimiting(email),
         action,
 
         // Payload in this case is additional user related data (ie phone number)
@@ -190,7 +216,7 @@ class CustomsClient {
     await this.makeRequest('/passwordReset', {
       ...this.sanitizePayload({
         ip: request.app.clientAddress,
-        email,
+        email: normalizeEmailForRateLimiting(email),
       }),
     });
   }
@@ -436,4 +462,52 @@ class CustomsClient {
   // #endregion
 }
 
+/**
+ * Normalize email for rate limiting.
+ * Applies domain-specific regex normalization rules from configuration
+ * (e.g., removes plus aliases: [email protected] -> [email protected])
+ * and lowercases the email to ensure consistent rate limiting across
+ * different representations of the same email address.
+ *
+ * @param {string} email - The email address to normalize
+ * @returns {string} The normalized email address
+ */
+function normalizeEmailForRateLimiting(email) {
+  if (!email) {
+    return email;
+  }
+
+  const lowercaseEmail = email.toLowerCase();
+  const atIndex = lowercaseEmail.lastIndexOf('@');
+  if (atIndex === -1) {
+    // This shouldn't happen... but just in case.
+    return lowercaseEmail;
+  }
+
+  const localPart = lowercaseEmail.substring(0, atIndex);
+  const domainPart = lowercaseEmail.substring(atIndex);
+  const domain = domainPart.substring(1);
+
+  const domainConfig = aliasConfigsMap.get(domain);
+
+  let normalizedLocal = localPart;
+  if (domainConfig && domainConfig.regex) {
+    try {
+      const regex = new RegExp(domainConfig.regex);
+      normalizedLocal = localPart.replace(
+        regex,
+        domainConfig.replace || ''
+      );
+    } catch (err) {
+      // If regex is invalid, fall back to original local part
+      normalizedLocal = localPart;
+    }
+  }
+
+  return normalizedLocal + domainPart;
+}
+
+// Export reload function for testing
+CustomsClient._reloadAliasConfigsMap = reloadAliasConfigsMap;
+
 module.exports = CustomsClient;

packages/fxa-auth-server/test/local/customs.js

@@ -17,6 +17,7 @@ const customsServer = nock(CUSTOMS_URL_REAL).defaultReplyHeaders({
   'Content-Type': 'application/json',
 });
 const Customs = require(`../../lib/customs.js`);
+const configModule = require('../../config');
 
 describe('Customs', () => {
   let customsNoUrl;
@@ -724,6 +725,18 @@ describe('Customs', () => {
       mockRateLimit.check = sinon.spy();
       mockRateLimit.skip = sinon.spy(() => false);
       mockRateLimit.supportsAction = sinon.spy(() => true);
+      // Stub config.get to return email alias domain configurations for tests
+      const configGetStub = sandbox.stub(configModule.config, 'get');
+      configGetStub
+        .withArgs('rateLimit.emailAliasNormalization')
+        .returns(
+          JSON.stringify([
+            { domain: 'mozilla.com', regex: '\\+[^@]+', replace: '' },
+          ])
+        );
+      configGetStub.callThrough();
+      // Reload the config map with the stubbed config
+      Customs._reloadAliasConfigsMap();
     });
 
     it('can allow checkAccountStatus with rate-limit lib', async () => {
@@ -821,6 +834,94 @@ describe('Customs', () => {
       });
       assert.callCount(mockRateLimit.check, 0);
     });
+
+    it('normalizes emails with plus aliases for configured domains', async () => {
+      mockRateLimit.check = sandbox.spy(async () => {
+        return await Promise.resolve(null);
+      });
+
+      const emailWithAlias = '[email protected]';
+      const normalizedEmail = '[email protected]';
+      const normalizedIpEmail = `${ip}_${normalizedEmail}`;
+
+      await customs.check(request, emailWithAlias, 'accountStatusCheck');
+
+      assert.calledWith(
+        mockRateLimit.check,
+        'accountStatusCheck',
+        sinon.match({
+          ip,
+          email: normalizedEmail,
+          ip_email: normalizedIpEmail,
+        })
+      );
+    });
+
+    it('normalizes emails with different cases', async () => {
+      mockRateLimit.check = sandbox.spy(async () => {
+        return await Promise.resolve(null);
+      });
+
+      const mixedCaseEmail = '[email protected]';
+      const normalizedEmail = '[email protected]';
+      const normalizedIpEmail = `${ip}_${normalizedEmail}`;
+
+      await customs.check(request, mixedCaseEmail, 'accountStatusCheck');
+
+      assert.calledWith(
+        mockRateLimit.check,
+        'accountStatusCheck',
+        sinon.match({
+          ip,
+          email: normalizedEmail,
+          ip_email: normalizedIpEmail,
+        })
+      );
+    });
+
+    it('does not remove aliases for non-configured domains', async () => {
+      mockRateLimit.check = sandbox.spy(async () => {
+        return await Promise.resolve(null);
+      });
+
+      const emailWithAlias = '[email protected]';
+      const normalizedEmail = '[email protected]'; // Alias should remain
+      const normalizedIpEmail = `${ip}_${normalizedEmail}`;
+
+      await customs.check(request, emailWithAlias, 'accountStatusCheck');
+
+      assert.calledWith(
+        mockRateLimit.check,
+        'accountStatusCheck',
+        sinon.match({
+          ip,
+          email: normalizedEmail,
+          ip_email: normalizedIpEmail,
+        })
+      );
+    });
+
+    it('lowercases emails for all domains', async () => {
+      mockRateLimit.check = sandbox.spy(async () => {
+        return await Promise.resolve(null);
+      });
+
+      const mixedCaseEmail = '[email protected]';
+      const normalizedEmail = '[email protected]';
+      const normalizedIpEmail = `${ip}_${normalizedEmail}`;
+
+      await customs.check(request, mixedCaseEmail, 'accountStatusCheck');
+
+      assert.calledWith(
+        mockRateLimit.check,
+        'accountStatusCheck',
+        sinon.match({
+          ip,
+          email: normalizedEmail,
+          ip_email: normalizedIpEmail,
+        })
+      );
+    });
   });
 
   describe('statsd metrics', () => {