fix(passkeys): gate rpId/allowedOrigins validation on enabled flag

Because:

* buildPasskeyConfig validated rpId and allowedOrigins unconditionally, causing auth-server to crash at startup on any environment where passkeys is disabled but the required fields are left at their Convict defaults (empty string / empty array)

This commit:

* Adds @ValidateIf((o) => o.enabled) to rpId and allowedOrigins in PasskeyConfig so those constraints are skipped when the feature is off
* Wraps the buildPasskeyConfig call in key_server.js with try/catch so that misconfigured-but-enabled passkeys logs via log.error (structured mozlog) before exiting, instead of falling through to console.error
* Adds a test asserting that disabled passkeys with empty defaults no longer throws

Closes #FXA-13378

Author: vpomerleau

libs/accounts/passkey/src/lib/passkey.config.ts

@@ -12,6 +12,7 @@ import {
   IsOptional,
   IsString,
   Matches,
+  ValidateIf,
 } from 'class-validator';
 import type {
   AuthenticatorAttachment,
@@ -39,6 +40,7 @@ export class PasskeyConfig {
    * WebAuthn Relying Party ID (must match the domain).
    * @example 'accounts.firefox.com'
    */
+  @ValidateIf((o) => o.enabled)
   @IsString()
   @IsNotEmpty()
   public rpId!: string;
@@ -48,6 +50,7 @@ export class PasskeyConfig {
    * Must include protocol and domain.
    * @example ['https://accounts.firefox.com', 'https://accounts.stage.mozaws.net']
    */
+  @ValidateIf((o) => o.enabled)
   @IsArray()
   @ArrayMinSize(1)
   @IsString({ each: true })

libs/accounts/passkey/src/lib/passkey.provider.spec.ts

@@ -117,6 +117,21 @@ describe('PasskeyConfigProvider', () => {
     });
   });
 
+  describe('when passkeys is disabled', () => {
+    it('allows empty rpId and allowedOrigins without throwing', async () => {
+      const { config } = await buildModule({
+        ...VALID_RAW_CONFIG,
+        enabled: false,
+        rpId: '',
+        allowedOrigins: [],
+      });
+      expect(config).toBeInstanceOf(PasskeyConfig);
+      expect(config!.enabled).toBe(false);
+      expect(config!.rpId).toBe('');
+      expect(config!.allowedOrigins).toEqual([]);
+    });
+  });
+
   describe('when config is invalid', () => {
     it('throws', async () => {
       await expect(() =>
@@ -138,7 +153,7 @@ describe('PasskeyConfigProvider', () => {
       );
     });
 
-    it('rejects allowedOrigins with trailing path', async () => {
+    it('rejects allowedOrigins URL with a path suffix', async () => {
       await expect(() =>
         buildModule({
           ...VALID_RAW_CONFIG,

packages/fxa-auth-server/bin/key_server.js

@@ -310,7 +310,13 @@ async function run(config) {
     ...config.redis,
     ...config.redis.passkey,
   });
-  const passkeyConfig = buildPasskeyConfig(config.passkeys);
+  let passkeyConfig;
+  try {
+    passkeyConfig = buildPasskeyConfig(config.passkeys);
+  } catch (err) {
+    log.error('startup.passkey.configInvalid', { err });
+    process.exit(8);
+  }
   const passkeyManager = new PasskeyManager(
     accountDatabase,
     passkeyConfig,