Merge pull request #20028 from mozilla/fxa-13014-add-passwordless

feat(auth): add passwordless email otp routes

Author: StaberindeZA

packages/fxa-auth-client/lib/client.ts

@@ -1211,7 +1211,7 @@ export default class AuthClient {
 
   async accountStatusByEmail(
     email: string,
-    options: { thirdPartyAuthStatus?: boolean } = {},
+    options: { thirdPartyAuthStatus?: boolean; clientId?: string } = {},
     headers?: Headers
   ) {
     return this.request(
@@ -1222,6 +1222,61 @@ export default class AuthClient {
     );
   }
 
+  /**
+   * Send a passwordless OTP code to the user's email
+   */
+  async passwordlessSendCode(
+    email: string,
+    options: { service?: string; metricsContext?: MetricsContext } = {},
+    headers?: Headers
+  ): Promise<{}> {
+    return this.request(
+      'POST',
+      '/account/passwordless/send_code',
+      { email, ...options },
+      headers
+    );
+  }
+
+  /**
+   * Confirm a passwordless OTP code and get a session token
+   */
+  async passwordlessConfirmCode(
+    email: string,
+    code: string,
+    options: { service?: string; metricsContext?: MetricsContext } = {},
+    headers?: Headers
+  ): Promise<{
+    uid: string;
+    sessionToken: string;
+    verified: boolean;
+    authAt: number;
+    isNewAccount: boolean;
+  }> {
+    return this.request(
+      'POST',
+      '/account/passwordless/confirm_code',
+      { email, code, ...options },
+      headers
+    );
+  }
+
+  /**
+   * Resend a passwordless OTP code
+   */
+  async passwordlessResendCode(
+    email: string,
+    options: { service?: string; metricsContext?: MetricsContext } = {},
+    headers?: Headers
+  ): Promise<{}> {
+    return this.request(
+      'POST',
+      '/account/passwordless/resend_code',
+      { email, ...options },
+      headers
+    );
+  }
+
   async emailBounceStatus(
     email: string,
     headers?: Headers
@@ -1907,11 +1962,17 @@ export default class AuthClient {
     return this.sessionGet('/account/sessions', sessionToken, headers);
   }
 
-  async securityEvents(sessionToken: hexstring, headers?: Headers): Promise<SecurityEvent[]> {
+  async securityEvents(
+    sessionToken: hexstring,
+    headers?: Headers
+  ): Promise<SecurityEvent[]> {
     return this.sessionGet('/securityEvents', sessionToken, headers);
   }
 
-  async attachedClients(sessionToken: hexstring, headers?: Headers): Promise<AttachedClient[]> {
+  async attachedClients(
+    sessionToken: hexstring,
+    headers?: Headers
+  ): Promise<AttachedClient[]> {
     return this.sessionGet('/account/attached_clients', sessionToken, headers);
   }
 
@@ -3377,4 +3438,4 @@ export default class AuthClient {
       throw error;
     }
   }
-}
+}

packages/fxa-auth-server/config/index.ts

@@ -2166,6 +2166,38 @@ const convictConf = convict({
       env: 'OTP_SIGNUP_DIGIT',
     },
   },
+  passwordlessOtp: {
+    enabled: {
+      doc: 'Enable passwordless authentication feature',
+      default: false,
+      format: Boolean,
+      env: 'PASSWORDLESS_ENABLED',
+    },
+    forcedEmailAddresses: {
+      doc: 'Force passwordless flow for email addresses matching this regex (for testing)',
+      format: RegExp,
+      default: /^passwordless.*@restmail\.net$/,
+      env: 'PASSWORDLESS_FORCED_EMAIL_REGEX',
+    },
+    allowedClientIds: {
+      doc: 'Array of clients ids allowed to use passwordless authentication. Empty array means all services allowed.',
+      format: Array,
+      default: [],
+      env: 'PASSWORDLESS_ALLOWED_SERVICES',
+    },
+    digits: {
+      doc: 'Number of digits in passwordless OTP code',
+      default: 8,
+      format: 'nat',
+      env: 'OTP_PASSWORDLESS_DIGITS',
+    },
+    ttl: {
+      doc: 'Duration in seconds when the passwordless OTP is valid',
+      default: 10 * 60,
+      format: 'nat',
+      env: 'OTP_PASSWORDLESS_TTL',
+    },
+  },
   accountDestroy: {
     requireVerifiedAccount: {
       doc: 'Whether or not the account must be verified in order to destroy it.',

packages/fxa-auth-server/config/rate-limit-rules.txt

@@ -180,3 +180,19 @@ passkeyLogin                           : ip_uid            : 15          : 15 mi
 passkeysList                           : ip_uid            : 100         : 15 minutes      : 15 minutes  : block
 passkeysRename                         : ip_uid            : 100         : 15 minutes      : 15 minutes  : block
 passkeyDelete                          : ip_uid            : 100         : 15 minutes      : 15 minutes  : block
+
+#
+# Passwordless Authentication OTP Limits
+# Controls the rate at which passwordless OTP codes can be sent and verified
+#
+passwordlessSendOtp                    : email            : 2           : 15 minutes      : 15 minutes   : block
+passwordlessSendOtp                    : email            : 5           : 24 hours        : 12 hours     : block
+passwordlessSendOtp                    : ip               : 50          : 24 hours        : 12 hours     : block
+passwordlessSendOtp                    : ip               : 20          : 15 minutes      : 30 minutes   : block
+passwordlessSendOtp                    : ip               : 100         : 24 hours        : 15 minutes   : ban
+
+# Passwordless OTP Verification Limits
+passwordlessVerifyOtp                  : ip_email         : 5           : 10 minutes      : 15 minutes   : block
+passwordlessVerifyOtp                  : ip               : 100         : 24 hours        : 15 minutes   : ban
+passwordlessVerifyOtpPerDay            : ip_email         : 10          : 24 hours        : 24 hours     : block
+passwordlessVerifyOtpPerDay            : ip               : 100         : 24 hours        : 15 minutes   : ban

packages/fxa-auth-server/docs/swagger/passwordless-api.ts

@@ -0,0 +1,107 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import dedent from 'dedent';
+import TAGS from './swagger-tags';
+
+const TAGS_PASSWORDLESS = {
+  tags: TAGS.PASSWORDLESS,
+};
+
+const PASSWORDLESS_SEND_CODE_POST = {
+  ...TAGS_PASSWORDLESS,
+  description: '/account/passwordless/send_code',
+  notes: [
+    dedent`
+      Send a one-time password (OTP) code to the user's email for passwordless authentication.
+
+      This endpoint can be used for both:
+      - New user registration (account doesn't exist)
+      - Login for existing passwordless accounts (accounts without a password)
+
+      Accounts with passwords set cannot use this endpoint.
+    `,
+  ],
+  plugins: {
+    'hapi-swagger': {
+      responses: {
+        400: {
+          description: dedent`
+            Failing requests may be caused by the following errors:
+            - \`errno: 148\` - Account has a password set, use standard login flow
+          `,
+        },
+        429: {
+          description: 'Rate limit exceeded',
+        },
+      },
+    },
+  },
+};
+
+const PASSWORDLESS_CONFIRM_CODE_POST = {
+  ...TAGS_PASSWORDLESS,
+  description: '/account/passwordless/confirm_code',
+  notes: [
+    dedent`
+      Confirm the OTP code sent via \`/account/passwordless/send_code\`.
+
+      On success:
+      - For new users: Creates a new account and returns a session token
+      - For existing users: Returns a session token for the existing account
+
+      The \`isNewAccount\` field in the response indicates whether a new account was created.
+    `,
+  ],
+  plugins: {
+    'hapi-swagger': {
+      responses: {
+        400: {
+          description: dedent`
+            Failing requests may be caused by the following errors:
+            - \`errno: 183\` - Invalid OTP code
+            - \`errno: 148\` - Account has a password set
+          `,
+        },
+        429: {
+          description: 'Rate limit exceeded',
+        },
+      },
+    },
+  },
+};
+
+const PASSWORDLESS_RESEND_CODE_POST = {
+  ...TAGS_PASSWORDLESS,
+  description: '/account/passwordless/resend_code',
+  notes: [
+    dedent`
+      Resend the OTP code for passwordless authentication.
+
+      This invalidates any previously sent code and sends a new one.
+      Subject to the same rate limits as \`/account/passwordless/send_code\`.
+    `,
+  ],
+  plugins: {
+    'hapi-swagger': {
+      responses: {
+        400: {
+          description: dedent`
+            Failing requests may be caused by the following errors:
+            - \`errno: 148\` - Account has a password set
+          `,
+        },
+        429: {
+          description: 'Rate limit exceeded',
+        },
+      },
+    },
+  },
+};
+
+export default {
+  PASSWORDLESS_SEND_CODE_POST,
+  PASSWORDLESS_CONFIRM_CODE_POST,
+  PASSWORDLESS_RESEND_CODE_POST,
+};

packages/fxa-auth-server/docs/swagger/swagger-tags.ts

@@ -11,6 +11,7 @@ const TAGS = {
   OAUTH: ['api', 'Oauth'],
   OAUTH_SERVER: ['api', 'OAuth Server API Overview'],
   PASSWORD: ['api', 'Password'],
+  PASSWORDLESS: ['api', 'Passwordless'],
   RECOVERY_PHONE: ['api', 'Recovery phone'],
   RECOVERY_CODES: ['api', 'Backup authentication codes'],
   RECOVERY_KEY: ['api', 'Account recovery key'],