Merge pull request #18451 from mozilla/fxa-10418-v2

fix(bug): Ensure `unlink` route is called with correct assurance level

Author: vbudhram

packages/fxa-auth-server/lib/routes/linked-accounts.ts

@@ -514,7 +514,21 @@ export class LinkedAccountHandler {
     if (!this.googleAuthClient) {
       throw error.thirdPartyAccountError();
     }
-    const uid = request.auth.credentials.uid;
+    const sessionToken = request.auth && request.auth.credentials;
+    const uid = sessionToken.uid;
+
+    const hasTotpToken = await this.otpUtils.hasTotpToken({ uid });
+
+    // Ensure that the session has the correct assurance level before unlinking
+    if (
+      sessionToken &&
+      hasTotpToken &&
+      (sessionToken.tokenVerificationId ||
+        (sessionToken.authenticatorAssuranceLevel as number) <= 1)
+    ) {
+      throw error.unverifiedSession();
+    }
+
     const provider = (request.payload as any).provider.toLowerCase();
     // TODO: here we'll also delete any session tokens created via a google login
     await this.db.deleteLinkedAccount(uid, provider);

packages/fxa-auth-server/test/local/routes/linked-accounts.js

@@ -562,6 +562,24 @@ describe('/linked_account', function () {
       assert.isTrue(mockDB.deleteLinkedAccount.calledOnceWith(UID));
       assert.isTrue(result.success);
     });
+
+    it('fails to unlink with incorrect assurance level', async () => {
+      mockRequest.auth.credentials.authenticatorAssuranceLevel = 1;
+      mockDB.totpToken = sinon.spy(() =>
+        Promise.resolve({
+          verified: true,
+          enabled: true,
+        })
+      );
+
+      try {
+        await runTest(route, mockRequest);
+        assert.fail('should have failed');
+      } catch(err) {
+        assert.isTrue(mockDB.deleteLinkedAccount.notCalled);
+        assert.equal(err.errno, 138, 'unconfirmed session');
+      }
+    });
   });
 
   describe('/linked_account/webhook/google_event_receiver', () => {