fix(routes): Remove deprecated non-MFA endpoints and redundant session checks

Author: vbudhram

packages/functional-tests/lib/testAccountTracker.ts

@@ -340,9 +340,9 @@ export class TestAccountTracker {
     }
 
     if (has2FA) {
-      // TODO: `deleteTotpToken` is deprecated, use `deleteTotpTokenWithJwt` instead
-      // https://mozilla-hub.atlassian.net/browse/FXA-12629
-      await this.target.authClient.deleteTotpToken(sessionToken);
+      // Get MFA JWT for 2FA scope to delete TOTP
+      const mfaJwt = await this.getMfaJwtForScope('2fa', sessionToken, account.email);
+      await this.target.authClient.deleteTotpTokenWithJwt(mfaJwt);
     }
 
     await this.target.authClient.accountDestroy(
@@ -387,6 +387,39 @@ export class TestAccountTracker {
     await this.target.authClient.verifyTotpCode(sessionToken, code);
   }
 
+  /**
+   * Gets an MFA JWT for a specific scope by requesting and verifying an OTP.
+   * This is used for operations that require MFA authentication.
+   */
+  private async getMfaJwtForScope(
+    scope: MfaScope,
+    sessionToken: string,
+    email: string
+  ): Promise<string> {
+    const { status } = await this.target.authClient.mfaRequestOtp(
+      sessionToken,
+      scope
+    );
+    if (status !== 'success') {
+      throw new Error(`Failed to request MFA OTP for scope: ${scope}`);
+    }
+
+    const code = await this.target.emailClient.getVerifyAccountChangeCode(email);
+
+    const { accessToken } = await this.target.authClient.mfaOtpVerify(
+      sessionToken,
+      code,
+      scope
+    );
+    if (!accessToken) {
+      throw new Error(
+        `Failed to get MFA JWT for scope: ${scope}. No accessToken returned`
+      );
+    }
+
+    return accessToken;
+  }
+
   /**
    * Clears the MFA JWT cache of tokens for the given scopes.
    *

packages/fxa-auth-client/lib/client.ts

@@ -1941,19 +1941,6 @@ export default class AuthClient {
     return this.jwtPost('/mfa/recovery_email', jwt, { email }, headers);
   }
 
-  async recoveryEmailDestroy(
-    sessionToken: hexstring,
-    email: string,
-    headers?: Headers
-  ) {
-    return this.sessionPost(
-      '/recovery_email/destroy',
-      sessionToken,
-      { email },
-      headers
-    );
-  }
-
   async recoveryEmailDestroyWithJwt(
     jwt: string,
     email: string,
@@ -2315,19 +2302,6 @@ export default class AuthClient {
     return this.jwtPost('/mfa/totp/replace/confirm', jwt, { code }, headers);
   }
 
-  /**
-   * @deprecated Use deleteTotpTokenWithJwt instead
-   *
-   * Disables 2FA Protection on the account.
-   *
-   * @param sessionToken - required, must be a verified session token
-   * @param headers - Optional additional headers for the request
-   * @returns A promise that resolves when the 2FA has been removed
-   */
-  async deleteTotpToken(sessionToken: hexstring, headers?: Headers) {
-    return this.sessionPost('/totp/destroy', sessionToken, {}, headers);
-  }
-
   /**
    * Disables 2FA Protection on the account.
    *

packages/fxa-auth-server/lib/routes/attached-clients.js

@@ -123,7 +123,7 @@ module.exports = (log, db, devices, clientUtils) => {
         ...DEVICES_AND_SESSIONS_DOC.ACCOUNT_ATTACHED_CLIENT_DESTROY_POST,
         auth: {
           strategy: 'verifiedSessionToken',
-          payload: 'false',
+          payload: false,
         },
         validate: {
           payload: isA