Merge pull request #20288 from mozilla/FXA-13360

nshirley · web-flow · commit 64c32d0e8c92 · 2026-04-03T08:41:35.000-06:00
chore(auth): Remove skipConfirmationForEmailAddresses config
diff --git a/packages/fxa-auth-server/config/index.ts b/packages/fxa-auth-server/config/index.ts
@@ -1693,14 +1693,8 @@ const convictConf = convict({
       default: /.+@mozilla\.com$/,
       env: 'SIGNIN_CONFIRMATION_FORCE_EMAIL_REGEX',
     },
-    skipForEmailAddresses: {
-      doc: 'Comma separated list of email addresses that will always skip any non TOTP sign-in confirmation',
-      format: Array,
-      default: [],
-      env: 'SIGNIN_CONFIRMATION_SKIP_FOR_EMAIL_ADDRESS',
-    },
     skipForEmailRegex: {
-      doc: 'Regex pattern for email addresses that will always skip any non-TOTP sign-in confirmation. Checked in addition to skipForEmailAddresses.',
+      doc: 'Regex pattern for email addresses that will always skip any non-TOTP sign-in confirmation.',
       format: RegExp,
       default: /^$/,
       env: 'SIGNIN_CONFIRMATION_SKIP_FOR_EMAIL_REGEX',
diff --git a/packages/fxa-auth-server/lib/routes/account.spec.ts b/packages/fxa-auth-server/lib/routes/account.spec.ts
@@ -3080,86 +3080,14 @@ describe('/account/login', () => {
           );
         });
       });
-    });
-
-    describe('skip for emails', () => {
-      function setupSkipForEmails(email: string) {
-        config.securityHistory.ipProfiling.allowedRecency = 0;
-        config.signinConfirmation.skipForNewAccounts = { enabled: false };
-        config.signinConfirmation.skipForEmailAddresses = [
-          'skip@confirmation.com',
-          'other@email.com',
-        ];
-
-        // Reset the spy to avoid leaking state between tests
-        mockDB.verifiedLoginSecurityEvents = sinon.spy(() =>
-          Promise.resolve([])
-        );
-
-        mockRequest.payload.email = email;
-
-        mockDB.accountRecord = () => {
-          return Promise.resolve({
-            authSalt: hexString(32),
-            data: hexString(32),
-            email,
-            emailVerified: true,
-            primaryEmail: {
-              normalizedEmail: normalizeEmail(email),
-              email,
-              isVerified: true,
-              isPrimary: true,
-            },
-            kA: hexString(32),
-            lastAuthAt: () => Date.now(),
-            uid,
-            wrapWrapKb: hexString(32),
-          });
-        };
-
-        const innerAccountRoutes = makeRoutes({
-          checkPassword: () => Promise.resolve(true),
-          config,
-          customs: mockCustoms,
-          db: mockDB,
-          log: mockLog,
-          mailer: mockMailer,
-          push: mockPush,
-        });
-
-        route = getRoute(innerAccountRoutes, '/account/login');
-      }
 
       afterEach(() => {
-        // Restore config to default to avoid leaking into subsequent tests
+        config.signinConfirmation.skipForNewAccounts = undefined;
         config.securityHistory.ipProfiling.allowedRecency =
           defaultConfig.securityHistory.ipProfiling.allowedRecency;
-      });
-
-      it('should not skip sign-in confirmation for specified email', () => {
-        setupSkipForEmails('not@skip.com');
-
-        return runTest(route, mockRequest, (response: any) => {
-          expect(mockDB.createSessionToken.callCount).toBe(1);
-          const tokenData = mockDB.createSessionToken.getCall(0).args[0];
-          expect(tokenData.tokenVerificationId).toBeTruthy();
-          expect(mockFxaMailer.sendVerifyLoginEmail.callCount).toBe(1);
-          expect(mockFxaMailer.sendNewDeviceLoginEmail.callCount).toBe(0);
-          expect(response.verified).toBeFalsy();
-        });
-      });
-
-      it('should skip sign-in confirmation for specified email', () => {
-        setupSkipForEmails('skip@confirmation.com');
-
-        return runTest(route, mockRequest, (response: any) => {
-          expect(mockDB.createSessionToken.callCount).toBe(1);
-          const tokenData = mockDB.createSessionToken.getCall(0).args[0];
-          expect(tokenData.tokenVerificationId).toBeFalsy();
-          expect(mockMailer.sendVerifyLoginEmail.callCount).toBe(0);
-          expect(mockFxaMailer.sendNewDeviceLoginEmail.callCount).toBe(1);
-          expect(response.emailVerified).toBeTruthy();
-        });
+        mockDB.verifiedLoginSecurityEvents = sinon.spy(() =>
+          Promise.resolve([])
+        );
       });
     });
 
@@ -3184,7 +3112,6 @@ describe('/account/login', () => {
       function setupSkipForEmailRegex(email: string, regex: RegExp) {
         config.securityHistory.ipProfiling.allowedRecency = 0;
         config.signinConfirmation.skipForNewAccounts = { enabled: false };
-        config.signinConfirmation.skipForEmailAddresses = [];
         config.signinConfirmation.skipForEmailRegex = regex;
 
         mockDB.verifiedLoginSecurityEvents = sinon.spy(() =>
@@ -3224,11 +3151,18 @@ describe('/account/login', () => {
 
         route = getRoute(innerAccountRoutes, '/account/login');
       }
-
+      beforeEach(() => {
+        // one test is checking the statsd, and this is included in it.
+        // We set it here, and reset in the afterEach to avoid having the
+        // config state leak to other tests if these fail
+        mockRequest.app.clientIdTag = 'test-client-id';
+        statsd.increment.resetHistory();
+      });
       afterEach(() => {
         config.securityHistory.ipProfiling.allowedRecency =
           defaultConfig.securityHistory.ipProfiling.allowedRecency;
         config.signinConfirmation.skipForEmailRegex = /^$/;
+        mockRequest.app.clientIdTag = undefined;
       });
 
       it('should skip sign-in confirmation for email matching regex', () => {
@@ -3252,6 +3186,19 @@ describe('/account/login', () => {
           expect(response.verified).toBeFalsy();
         });
       });
+
+      it('should increment statsd metric for emailAlways', () => {
+        setupSkipForEmailRegex('qa-test@example.com', /.+@example\.com$/);
+
+        return runTest(route, mockRequest, () => {
+          sinon.assert.calledWith(
+            statsd.increment,
+            'account.signin.confirm.bypass.emailAlways',
+            { clientId: 'test-client-id' }
+          );
+          mockRequest.app.clientIdTag = undefined;
+        });
+      });
     });
 
     describe('skip for known device', () => {
diff --git a/packages/fxa-auth-server/lib/routes/account.ts b/packages/fxa-auth-server/lib/routes/account.ts
@@ -87,7 +87,6 @@ export class AccountHandler {
 
   private otpUtils: OtpUtils;
   private otpOptions: ConfigType['otp'];
-  private skipConfirmationForEmailAddresses: string[];
   private skipConfirmationForEmailRegex: RegExp;
   private capabilityService: CapabilityService;
   private accountEventsManager: AccountEventsManager;
@@ -117,8 +116,6 @@ export class AccountHandler {
     private authServerCacheRedis: Redis
   ) {
     this.otpUtils = require('./utils/otp').default(db, statsd);
-    this.skipConfirmationForEmailAddresses = config.signinConfirmation
-      .skipForEmailAddresses as string[];
     this.skipConfirmationForEmailRegex =
       config.signinConfirmation.skipForEmailRegex;
 
@@ -1264,9 +1261,6 @@ export class AccountHandler {
       // to guarantee the login experience.
       const lowerCaseEmail = account.primaryEmail.normalizedEmail.toLowerCase();
       const alwaysSkip =
-        this.skipConfirmationForEmailAddresses?.includes(lowerCaseEmail) ||
-        // use both as a backward compatibility and eventually remove
-        // the array of emails in favor of just a regex which is more flexible
         this.skipConfirmationForEmailRegex?.test(lowerCaseEmail);
       if (alwaysSkip) {
         this.log.info('account.signin.confirm.bypass.emailAlways', {
diff --git a/packages/fxa-auth-server/test/local/routes/account.js b/packages/fxa-auth-server/test/local/routes/account.js
@@ -781,7 +781,6 @@ describe('deleteAccountIfUnverified', () => {
   const mockConfig = {};
   mockConfig.oauth = {};
   mockConfig.signinConfirmation = {};
-  mockConfig.signinConfirmation.skipForEmailAddresses = [];
   const emailRecord = {
     isPrimary: true,
     isVerified: false,
@@ -3780,116 +3779,14 @@ describe('/account/login', () => {
           );
         });
       });
-    });
-
-    describe('skip for emails', () => {
-      function setup(email) {
-        config.securityHistory.ipProfiling.allowedRecency = 0;
-        config.signinConfirmation.skipForNewAccounts = { enabled: false };
-        config.signinConfirmation.skipForEmailAddresses = [
-          'skip@confirmation.com',
-          'other@email.com',
-        ];
-
-        // Reset the spy to avoid leaking state between tests
-        // Previously, "should not skip sign-in confirmation for specified email" test
-        // was failing intermittently because the spy was not reset between tests.
-        mockDB.verifiedLoginSecurityEvents = sinon.spy(() =>
-          Promise.resolve([])
-        );
-
-        mockRequest.payload.email = email;
-
-        mockDB.accountRecord = () => {
-          return Promise.resolve({
-            authSalt: hexString(32),
-            data: hexString(32),
-            email,
-            emailVerified: true,
-            primaryEmail: {
-              normalizedEmail: normalizeEmail(email),
-              email,
-              isVerified: true,
-              isPrimary: true,
-            },
-            kA: hexString(32),
-            lastAuthAt: () => Date.now(),
-            uid,
-            wrapWrapKb: hexString(32),
-          });
-        };
-
-        const accountRoutes = makeRoutes({
-          checkPassword: () => Promise.resolve(true),
-          config,
-          customs: mockCustoms,
-          db: mockDB,
-          log: mockLog,
-          mailer: mockMailer,
-          push: mockPush,
-        });
-
-        route = getRoute(accountRoutes, '/account/login');
-      }
 
       afterEach(() => {
-        // Restore config to default to avoid leaking into subsequent tests
+        config.signinConfirmation.skipForNewAccounts = undefined;
         config.securityHistory.ipProfiling.allowedRecency =
           defaultConfig.securityHistory.ipProfiling.allowedRecency;
-      });
-
-      it('should not skip sign-in confirmation for specified email', () => {
-        setup('not@skip.com');
-
-        return runTest(route, mockRequest, (response) => {
-          assert.equal(
-            mockDB.createSessionToken.callCount,
-            1,
-            'db.createSessionToken was called'
-          );
-          const tokenData = mockDB.createSessionToken.getCall(0).args[0];
-          assert.ok(
-            tokenData.tokenVerificationId,
-            'sessionToken was created unverified'
-          );
-          assert.equal(
-            mockFxaMailer.sendVerifyLoginEmail.callCount,
-            1,
-            'mailer.sendVerifyLoginEmail was called'
-          );
-          assert.equal(mockFxaMailer.sendNewDeviceLoginEmail.callCount, 0);
-          assert.ok(
-            !response.verified,
-            'response indicates account is unverified'
-          );
-        });
-      });
-
-      it('should skip sign-in confirmation for specified email', () => {
-        setup('skip@confirmation.com');
-
-        return runTest(route, mockRequest, (response) => {
-          assert.equal(
-            mockDB.createSessionToken.callCount,
-            1,
-            'db.createSessionToken was called'
-          );
-          const tokenData = mockDB.createSessionToken.getCall(0).args[0];
-          assert.ok(
-            !tokenData.tokenVerificationId,
-            'sessionToken was created verified'
-          );
-          assert.equal(
-            mockMailer.sendVerifyLoginEmail.callCount,
-            0,
-            'mailer.sendVerifyLoginEmail was not called'
-          );
-          assert.equal(mockFxaMailer.sendNewDeviceLoginEmail.callCount, 1);
-          assert.ok(
-            response.emailVerified,
-            'response indicates account is verified'
-          );
-        });
+        mockDB.verifiedLoginSecurityEvents = sinon.spy(() =>
+          Promise.resolve([])
+        );
       });
     });
 
