Merge pull request #18987 from mozilla/FXA-11822

fix(auth): Send email when changing recovery phone

Author: vpomerleau

packages/fxa-auth-server/lib/routes/recovery-phone.ts

@@ -536,7 +536,6 @@ class RecoveryPhoneHandler {
   }
 
   async changePhoneNumber(request: AuthRequest) {
-    // need to check first that there is an existing phone number
     const { uid } = request.auth.credentials as SessionTokenAuthCredential;
 
     const { code } = request.payload as unknown as {
@@ -602,11 +601,17 @@ class RecoveryPhoneHandler {
 
     const { phoneNumber, nationalFormat } =
       await this.recoveryPhoneService.hasConfirmed(uid);
+
+    recordSecurityEvent('account.recovery_phone_replace_complete', {
+      db: this.db,
+      request,
+    });
+
     const { acceptLanguage, geo, ua } = request.app;
     const account = await this.db.account(uid);
 
     try {
-      await this.mailer.postChangeRecoveryPhoneEmail(account.emails, account, {
+      await this.mailer.sendPostChangeRecoveryPhoneEmail(account.emails, account, {
         acceptLanguage,
         timeZone: geo.timeZone,
         uaBrowser: ua.browser,
@@ -616,11 +621,6 @@ class RecoveryPhoneHandler {
         uaDeviceType: ua.deviceType,
         uid,
       });
-
-      recordSecurityEvent('account.recovery_phone_replace_complete', {
-        db: this.db,
-        request,
-      });
     } catch (error) {
       // log error, but don't throw
       // user should be allowed to proceed if email or security event fails

packages/fxa-auth-server/test/local/routes/recovery-phone.js

@@ -695,7 +695,7 @@ describe('/recovery_phone', () => {
     });
 
     it('does not reject if email does not send', async () => {
-      mockMailer.postChangeRecoveryPhoneEmail = sinon.fake.returns(
+      mockMailer.sendPostChangeRecoveryPhoneEmail = sinon.fake.returns(
         Promise.reject(new Error('BOOM'))
       );
 
@@ -707,7 +707,7 @@ describe('/recovery_phone', () => {
       });
 
       assert.isDefined(resp);
-      assert.calledOnce(mockMailer.postChangeRecoveryPhoneEmail);
+      assert.calledOnce(mockMailer.sendPostChangeRecoveryPhoneEmail);
       assert.deepEqual(resp, {
         status: 'success',
         phoneNumber,

packages/fxa-auth-server/test/mocks.js

@@ -184,7 +184,7 @@ const MAILER_METHOD_NAMES = [
   'sendPostRemoveRecoveryPhoneEmail',
   'sendPostSigninRecoveryPhoneEmail',
   'sendPostSigninRecoveryCodeEmail',
-  'postChangeRecoveryPhoneEmail',
+  'sendPostChangeRecoveryPhoneEmail',
 ];
 
 const METRICS_CONTEXT_METHOD_NAMES = [