fix(auth): Skip newTokenNotification for token-exchange grant type

LZoog · LZoog · commit b585fe2b3fdf · 2026-01-27T15:51:19.000-06:00
Because: * This function errors out because it looks for client_id in the request. We could pull the client_id from subject_token to use here, however, we don't want users to be notified about the token exchange since it occurs silently and should not be counted as a new login This commit: * Skips newTokenNotification when the requested grant type results in a refresh token, and is for token-exchange grant type fixes FXA-12963
diff --git a/packages/fxa-auth-server/lib/routes/oauth/token.js b/packages/fxa-auth-server/lib/routes/oauth/token.js
@@ -788,7 +788,9 @@ module.exports = ({ log, oauthDB, db, mailer, devices, statsd, glean }) => {
           grant.session_token = newSessionToken.data;
         }
 
-        if (grant.refresh_token) {
+        // Token exchange is swapping tokens for an already-authenticated user,
+        // so we skip the new token notification.
+        if (grant.refresh_token && req.payload.grant_type !== GRANT_TOKEN_EXCHANGE) {
           // if a refresh token has
           // been provisioned as part of the flow
           // then we want to send some notifications to the user
diff --git a/packages/fxa-auth-server/test/oauth/routes/token.js b/packages/fxa-auth-server/test/oauth/routes/token.js
@@ -701,8 +701,9 @@ describe('/oauth/token POST', function () {
   describe('token exchange via /oauth/token', () => {
     const ScopeSet = require('fxa-shared').oauth.scopes;
 
-    it('handles token exchange with multiple existing scopes (sync + profile)', async () => {
+    it('handles token exchange with multiple existing scopes and skips newTokenNotification', async () => {
       const PROFILE_SCOPE = 'profile';
+      const newTokenNotificationStub = sinon.stub().resolves();
       const routes = proxyquire(tokenRoutePath, {
         ...tokenRoutesDepMocks,
         '../../oauth/grant': {
@@ -716,7 +717,7 @@ describe('/oauth/token POST', function () {
           validateRequestedGrant: () => ({ offline: true, scope: 'testo' }),
         },
         '../utils/oauth': {
-          newTokenNotification: async () => {},
+          newTokenNotification: newTokenNotificationStub,
         },
       })({
         ...tokenRoutesArgMocks,
@@ -761,6 +762,8 @@ describe('/oauth/token POST', function () {
       assert.include(result.scope, SYNC_SCOPE);
       assert.include(result.scope, PROFILE_SCOPE);
       assert.include(result.scope, RELAY_SCOPE);
+      // Token exchange should NOT call newTokenNotification
+      sinon.assert.notCalled(newTokenNotificationStub);
     });
   });
 });
