Merge pull request #19452 from mozilla/FXA-12226

feat(mfa): wrap change primary email action with MFA guard

Author: MagentaManifold

packages/functional-tests/tests/settings/changeEmail.spec.ts

@@ -124,6 +124,7 @@ test.describe('severity-1 #smoke', () => {
 
       // Change back the primary email again
       await settings.secondaryEmail.makePrimaryButton.click();
+      await settings.confirmMfaGuard(secondEmail);
       await settings.signOut();
 
       // Login with primary email and new password

packages/functional-tests/tests/settings/changeEmailBlocked.spec.ts

@@ -28,7 +28,13 @@ test.describe('severity-1 #smoke', () => {
       const invalidPassword = testAccountTracker.generatePassword();
 
       await settings.goto();
-      await changePrimaryEmail(target, settings, secondaryEmail, blockedEmail, credentials.email);
+      await changePrimaryEmail(
+        target,
+        settings,
+        secondaryEmail,
+        blockedEmail,
+        credentials.email
+      );
       await settings.signOut();
       await signin.fillOutEmailFirstForm(blockedEmail);
       await signin.fillOutPasswordForm(invalidPassword);
@@ -47,6 +53,7 @@ test.describe('severity-1 #smoke', () => {
       await expect(settings.settingsHeading).toBeVisible();
       // reset primary email to non-blocked email for account cleanup
       await settings.secondaryEmail.makePrimaryButton.click();
+      await settings.confirmMfaGuard(blockedEmail);
       await expect(settings.alertBar).toHaveText(
         new RegExp(`${credentials.email}.*is now your primary email`)
       );
@@ -67,7 +74,13 @@ test.describe('severity-1 #smoke', () => {
       const blockedEmail = testAccountTracker.generateBlockedEmail();
 
       await settings.goto();
-      await changePrimaryEmail(target, settings, secondaryEmail, blockedEmail, credentials.email);
+      await changePrimaryEmail(
+        target,
+        settings,
+        secondaryEmail,
+        blockedEmail,
+        credentials.email
+      );
       await settings.signOut();
 
       await signin.fillOutEmailFirstForm(blockedEmail);
@@ -81,6 +94,7 @@ test.describe('severity-1 #smoke', () => {
 
       // reset primary email to non-blocked email for account cleanup
       await settings.secondaryEmail.makePrimaryButton.click();
+      await settings.confirmMfaGuard(blockedEmail);
       await expect(settings.alertBar).toHaveText(
         new RegExp(`${credentials.email}.*is now your primary email`)
       );
@@ -111,7 +125,7 @@ async function changePrimaryEmail(
   settings: SettingsPage,
   secondaryEmail: SecondaryEmailPage,
   email: string,
-  primaryEmail: string,
+  primaryEmail: string
 ): Promise<void> {
   await settings.secondaryEmail.addButton.click();
   await settings.confirmMfaGuard(primaryEmail);

packages/fxa-auth-client/lib/client.ts

@@ -1713,6 +1713,9 @@ export default class AuthClient {
     return this.jwtPost('/mfa/recovery_email/destroy', jwt, { email }, headers);
   }
 
+  /**
+   * @deprecated Use recoveryEmailSetPrimaryEmailWithJwt instead
+   */
   async recoveryEmailSetPrimaryEmail(
     sessionToken: hexstring,
     email: string,
@@ -1721,9 +1724,27 @@ export default class AuthClient {
     return this.sessionPost(
       '/recovery_email/set_primary',
       sessionToken,
-      {
-        email,
-      },
+      { email },
+      headers
+    );
+  }
+
+  /**
+   * Sets a secondary email as the primary email for the account.
+   * @param jwt Required scope 'mfa:email'
+   * @param email a secondary email to set as primary
+   * @param headers
+   * @returns Response
+   */
+  async recoveryEmailSetPrimaryEmailWithJwt(
+    jwt: string,
+    email: string,
+    headers?: Headers
+  ) {
+    return this.jwtPost(
+      '/mfa/recovery_email/set_primary',
+      jwt,
+      { email },
       headers
     );
   }

packages/fxa-auth-server/docs/swagger/emails-api.ts

@@ -212,6 +212,38 @@ const RECOVERY_EMAIL_SET_PRIMARY_POST = {
   },
 };
 
+const MFA_RECOVERY_EMAIL_SET_PRIMARY_POST = {
+  ...TAGS_EMAILS,
+  description: '/mfa/recovery_email/set_primary',
+  notes: [
+    dedent`
+      🔒 Authenticated with session MFA JWT (scope: mfa:email)
+
+      This endpoint changes a user's primary email address. This email address must belong to the user and be verified.
+    `,
+  ],
+  plugins: {
+    'hapi-swagger': {
+      responses: {
+        400: {
+          description: dedent`
+            Failing requests may be caused by the following errors (this is not an exhaustive list):
+            - \`errno: 138\` - Unverified session
+            - \`errno: 147\` - Can not change primary email to an unverified email
+            - \`errno: 148\` - Can not change primary email to an email that does not belong to this account
+          `,
+        },
+        401: {
+          description: dedent`
+            Failing requests may be caused by the following errors (this is not an exhaustive list):
+            - \`errno: 110\` - Invalid authentication token in request signature
+          `,
+        },
+      },
+    },
+  },
+};
+
 const RECOVERY_EMAIL_SECONDARY_RESEND_CODE_POST = {
   ...TAGS_EMAILS,
   description: '/recovery_email/secondary/resend_code',
@@ -271,6 +303,7 @@ const API_DOCS = {
   RECOVERY_EMAIL_SECONDARY_RESEND_CODE_POST,
   RECOVERY_EMAIL_SECONDARY_VERIFY_CODE_POST,
   RECOVERY_EMAIL_SET_PRIMARY_POST,
+  MFA_RECOVERY_EMAIL_SET_PRIMARY_POST,
   RECOVERY_EMAIL_STATUS_GET,
   RECOVERY_EMAIL_VERIFY_CODE_POST,
   RECOVERY_EMAILS_GET,

packages/fxa-auth-server/lib/routes/emails.js

@@ -1008,6 +1008,35 @@ module.exports = (
         return {};
       },
     },
+    {
+      method: 'POST',
+      path: '/mfa/recovery_email/set_primary',
+      options: {
+        ...EMAILS_DOCS.MFA_RECOVERY_EMAIL_SET_PRIMARY_POST,
+        auth: {
+          strategy: 'mfa',
+          scope: ['mfa:email'],
+          payload: false,
+        },
+        validate: {
+          payload: isA.object({
+            email: validators
+              .email()
+              .required()
+              .description(DESCRIPTION.emailNewPrimary),
+          }),
+        },
+        response: {},
+      },
+      handler: async function (request) {
+        return routes
+          .find(
+            (r) =>
+              r.path === '/v1/recovery_email/set_primary' && r.method === 'POST'
+          )
+          .handler(request);
+      },
+    },
     {
       method: 'POST',
       path: '/recovery_email/secondary/resend_code',

packages/fxa-graphql-api/src/gql/account.resolver.spec.ts

@@ -450,15 +450,17 @@ describe('#integration - AccountResolver', () => {
 
     describe('updatePrimaryEmail', () => {
       it('succeeds', async () => {
-        authClient.recoveryEmailSetPrimaryEmail = jest
+        authClient.recoveryEmailSetPrimaryEmailWithJwt = jest
           .fn()
           .mockResolvedValue(true);
-        const result = await resolver.updatePrimaryEmail('token', headers, {
+        const result = await resolver.updatePrimaryEmail(headers, {
           jwt: 'jwtToken',
           clientMutationId: 'testid',
           email: '[email protected]',
         });
-        expect(authClient.recoveryEmailSetPrimaryEmail).toBeCalledTimes(1);
+        expect(authClient.recoveryEmailSetPrimaryEmailWithJwt).toBeCalledTimes(
+          1
+        );
         expect(result).toStrictEqual({
           clientMutationId: 'testid',
         });

packages/fxa-graphql-api/src/gql/account.resolver.ts

@@ -376,12 +376,11 @@ export class AccountResolver {
   @UseGuards(GqlAuthGuard)
   @CatchGatewayError
   public async updatePrimaryEmail(
-    @GqlSessionToken() token: string,
     @GqlXHeaders() headers: Headers,
     @Args('input', { type: () => EmailInput }) input: EmailInput
   ): Promise<BasicPayload> {
-    await this.authAPI.recoveryEmailSetPrimaryEmail(
-      token,
+    await this.authAPI.recoveryEmailSetPrimaryEmailWithJwt(
+      input.jwt,
       input.email,
       headers
     );