Merge pull request #18317 from mozilla/fxa-11060

feat(keys): Update key stretching to optionally use session token on password change

Author: vbudhram

packages/functional-tests/tests/key-stretching-v2/changePassword.spec.ts

@@ -20,7 +20,10 @@ test.describe('severity-2 #smoke', () => {
     password: string
   ) {
     const client = target.createAuthClient(version);
-    const response = await client.signIn(email, password, { keys: true });
+    const response = await client.signIn(email, password, {
+      keys: true,
+      skipPasswordUpgrade: true,
+    });
     expect(response.keyFetchToken).toBeDefined();
     expect(response.unwrapBKey).toBeDefined();
 

packages/functional-tests/tests/key-stretching-v2/recoveryKey.spec.ts

@@ -21,11 +21,14 @@ test.describe('severity-2 #smoke', () => {
     password: string
   ) {
     const client = target.createAuthClient(version);
-    const response = await client.signIn(email, password, { keys: true });
+    const response = await client.signIn(email, password, {
+      keys: true,
+      skipPasswordUpgrade: true,
+    });
     expect(response.keyFetchToken).toBeDefined();
     expect(response.unwrapBKey).toBeDefined();
 
-    const keys = client.accountKeys(
+    const keys = await client.accountKeys(
       response.keyFetchToken as string,
       response.unwrapBKey as string
     );
@@ -62,18 +65,25 @@ test.describe('severity-2 #smoke', () => {
         recoveryKey,
         resetPassword,
         confirmSignupCode,
+        deleteAccount,
       },
       testAccountTracker,
     }) => {
-      const { email, password } = testAccountTracker.generateAccountDetails();
+      const accountDetails = {
+        email: testAccountTracker.generateEmail(),
+        password: testAccountTracker.generatePassword(),
+      };
+      const newPassword = testAccountTracker.generatePassword();
       await page.goto(
         `${target.contentServerUrl}/?forceExperiment=generalizedReactApp&forceExperimentGroup=react&${signupVersion.query}`
       );
       await page.waitForURL(/\//);
-      await signup.fillOutEmailForm(email);
-      await signup.fillOutSignupForm(password, AGE_21);
+      await signup.fillOutEmailForm(accountDetails.email);
+      await signup.fillOutSignupForm(accountDetails.password, AGE_21);
       await expect(page).toHaveURL(/confirm_signup_code/);
-      const code = await target.emailClient.getVerifyShortCode(email);
+      const code = await target.emailClient.getVerifyShortCode(
+        accountDetails.email
+      );
       await confirmSignupCode.fillOutCodeForm(code);
 
       await page.waitForURL(/settings/);
@@ -84,57 +94,72 @@ test.describe('severity-2 #smoke', () => {
       const keys = await _getKeys(
         signupVersion.version,
         target,
-        email,
-        password
+        accountDetails.email,
+        accountDetails.password
       );
       await page.goto(
         `${target.contentServerUrl}/?forceExperiment=generalizedReactApp&forceExperimentGroup=react&${resetVersion.query}`
       );
       await page.waitForURL(/\//);
-      await signin.fillOutEmailFirstForm(email);
-      await signin.fillOutPasswordForm(password);
+      await signin.fillOutEmailFirstForm(accountDetails.email);
+      await signin.fillOutPasswordForm(accountDetails.password);
       await page.waitForURL(/settings/);
       await expect(page).toHaveURL(/settings/);
 
-      await settings.goto(`${resetVersion.version}`);
+      await settings.goto(`${resetVersion.query}`);
       await page.waitForURL(/settings/);
       await settings.recoveryKey.createButton.click();
-      const key = await recoveryKey.createRecoveryKey(password, HINT);
+      const key = await recoveryKey.createRecoveryKey(
+        accountDetails.password,
+        HINT
+      );
       await settings.signOut();
       await page.goto(
         `${target.contentServerUrl}/reset_password?${resetVersion.query}`
       );
       await page.waitForURL(/reset_password/);
-      await resetPassword.fillOutEmailForm(email);
-      const resetCode = await target.emailClient.getResetPasswordCode(email);
+      await resetPassword.fillOutEmailForm(accountDetails.email);
+      const resetCode = await target.emailClient.getResetPasswordCode(
+        accountDetails.email
+      );
       await resetPassword.fillOutResetPasswordCodeForm(resetCode);
       await resetPassword.fillOutRecoveryKeyForm(key);
 
       await expect(page).toHaveURL(
         new RegExp(`account_recovery_reset_password.*${resetVersion.query}`)
       );
 
-      await resetPassword.fillOutNewPasswordForm(password);
+      await resetPassword.fillOutNewPasswordForm(newPassword);
+      accountDetails.password = newPassword;
 
       await expect(page).toHaveURL(/reset_password_with_recovery_key_verified/);
 
+      await resetPassword.continueWithoutDownloadingRecoveryKey();
+      await resetPassword.recoveryKeyFinishButton.click();
+
+      // a successful password reset means that the user is signed in
+      await page.waitForURL(/settings/);
+      await settings.signOut();
+
+      // Attempt to signin
       await page.goto(
         `${target.contentServerUrl}/?forceExperiment=generalizedReactApp&forceExperimentGroup=react&${signinVersion.query}`
       );
       await page.waitForURL(/\//);
-      // a successful password reset means that the user is signed in
-      await expect(signin.cachedSigninHeading).toBeVisible();
-      await signin.signInButton.click();
-
+      await signin.fillOutEmailFirstForm(accountDetails.email);
+      await signin.fillOutPasswordForm(accountDetails.password);
       await page.waitForURL(/settings/);
-      await expect(page).toHaveURL(/settings/);
+
       const keys2 = await _getKeys(
         signinVersion.version,
         target,
-        email,
-        password
+        accountDetails.email,
+        accountDetails.password
       );
       expect(keys2.kB).toEqual(keys.kB);
+
+      await settings.deleteAccountButton.click();
+      await deleteAccount.deleteAccount(accountDetails.password);
     });
   }
 });

packages/functional-tests/tests/key-stretching-v2/resetPassword.spec.ts

@@ -20,7 +20,10 @@ test.describe('severity-2 #smoke', () => {
     password: string
   ) {
     const client = target.createAuthClient(version);
-    const response = await client.signIn(email, password, { keys: true });
+    const response = await client.signIn(email, password, {
+      keys: true,
+      skipPasswordUpgrade: true,
+    });
     expect(response.keyFetchToken).toBeDefined();
     expect(response.unwrapBKey).toBeDefined();
 

packages/functional-tests/tests/misc/authClientV2.spec.ts

@@ -120,6 +120,7 @@ test.describe('auth-client-tests', () => {
     const { email, password } = testAccountTracker.generateAccountDetails();
 
     await signUp(client, email, password);
+
     const signInResult = await client.signIn(email, password, { keys: true });
     expect(signInResult.keyFetchToken).toBeDefined();
     expect(signInResult.unwrapBKey).toBeDefined();
@@ -129,6 +130,7 @@ test.describe('auth-client-tests', () => {
       signInResult.keyFetchToken as string,
       signInResult.unwrapBKey as string
     );
+
     expect(keys1).toBeDefined();
     expect(keys1.kA).toBeDefined();
     expect(keys1.kB).toBeDefined();
@@ -143,13 +145,26 @@ test.describe('auth-client-tests', () => {
     expect(statusBefore.clientSalt).toBeUndefined();
     expect(statusBefore.currentVersion).toBe('v1');
 
-    // The sign in should automatically reset the password
+    // The sign in should automatically upgrade the password, but return V1 creds
     const signInResult2 = await client2.signIn(email, password, {
       keys: true,
     });
     expect(signInResult2).toBeDefined();
     expect(signInResult2.keyFetchToken).toBeDefined();
     expect(signInResult2.unwrapBKey).toBeDefined();
+    expect(signInResult2.unwrapBKey).toEqual(signInResult.unwrapBKey);
+
+    // Grab keys, so we can compare kA and kB
+    const keys2 = await client.accountKeys(
+      signInResult2.keyFetchToken as string,
+      signInResult2.unwrapBKey as string
+    );
+
+    expect(keys2).toBeDefined();
+    expect(keys2.kA).toBeDefined();
+    expect(keys2.kB).toBeDefined();
+    expect(keys2.kA).toEqual(keys1.kA);
+    expect(keys2.kB).toEqual(keys1.kB);
 
     // Check the status after the signin
     const statusAfter = await client2.getCredentialStatusV2(email);
@@ -159,7 +174,12 @@ test.describe('auth-client-tests', () => {
     expect(statusAfter.clientSalt).toMatch('quickStretchV2:');
     expect(statusAfter.currentVersion).toBe('v2');
 
-    // Check unwrapKB. It should match our V2 credential unwrapBKey.
+    // Do another signin to get V2 credentials
+    const signInResult3 = await client2.signIn(email, password, {
+      keys: true,
+    });
+
+    // Check unwrapKB. It should match our V1 credential unwrapBKey.
     const status = await client.getCredentialStatusV2(email);
     expect(status.clientSalt).toBeDefined();
     expect(status.clientSalt).toBeDefined();
@@ -168,22 +188,23 @@ test.describe('auth-client-tests', () => {
       password,
       clientSalt: status.clientSalt as string,
     });
-    expect(credentialsV2.unwrapBKey).toEqual(signInResult2.unwrapBKey);
+    expect(credentialsV2.unwrapBKey).toEqual(signInResult3.unwrapBKey);
 
     const credentialsV1 = await getCredentials(email, password);
-    expect(credentialsV1.unwrapBKey).not.toEqual(signInResult2.unwrapBKey);
-    expect(signInResult2.keyFetchToken).toBeDefined();
-    expect(signInResult2.unwrapBKey).toBeDefined();
+    expect(credentialsV1.unwrapBKey).not.toEqual(signInResult3.unwrapBKey);
+    expect(signInResult3.keyFetchToken).toBeDefined();
+    expect(signInResult3.unwrapBKey).toBeDefined();
 
     // Check that keys didn't drift
-    const keys2 = await client2.accountKeys(
-      signInResult2.keyFetchToken as string,
-      signInResult2.unwrapBKey as string
+    const keys3 = await client2.accountKeys(
+      signInResult3.keyFetchToken as string,
+      signInResult3.unwrapBKey as string
     );
-    expect(keys2).toBeDefined();
-    expect(keys2.kA).toBeDefined();
-    expect(keys2.kB).toBeDefined();
-    expect(keys2.kA).toEqual(keys1.kA);
-    expect(keys2.kB).toEqual(keys1.kB);
+
+    expect(keys3).toBeDefined();
+    expect(keys3.kA).toBeDefined();
+    expect(keys3.kB).toBeDefined();
+    expect(keys3.kA).toEqual(keys1.kA);
+    expect(keys3.kB).toEqual(keys1.kB);
   });
 });