Merge pull request #18419 from mozilla/FXA-11168

bug(customs): Fix misconfigured custom rules for recovery phone

Author: dschom

packages/fxa-auth-server/lib/routes/recovery-phone.ts

@@ -103,7 +103,7 @@ class RecoveryPhoneHandler {
       throw AppError.invalidToken();
     }
 
-    await this.customs.check(request, email, 'recoveryPhoneSendCode');
+    await this.customs.check(request, email, 'recoveryPhoneSendSigninCode');
 
     const getFormattedMessage = async (code: string) => {
       const localizedMessage = await this.getLocalizedMessage(
@@ -170,7 +170,12 @@ class RecoveryPhoneHandler {
     if (!email) {
       throw AppError.invalidToken();
     }
-    await this.customs.checkAuthenticated(request, uid, 'recoveryPhoneCreate');
+
+    await this.customs.checkAuthenticated(
+      request,
+      uid,
+      'recoveryPhoneSendSetupCode'
+    );
 
     const getFormattedMessage = async (code: string) => {
       const localizedMessage = await this.getLocalizedMessage(
@@ -252,7 +257,7 @@ class RecoveryPhoneHandler {
     await this.customs.checkAuthenticated(
       request,
       uid,
-      'recoveryPhoneConfirmCode'
+      'verifyRecoveryPhoneTotpCode'
     );
 
     let success = false;

packages/fxa-auth-server/test/local/routes/recovery-phone.js

@@ -117,7 +117,7 @@ describe('/recovery_phone', () => {
       assert.equal(mockCustoms.check.getCall(0).args[1], email);
       assert.equal(
         mockCustoms.check.getCall(0).args[2],
-        'recoveryPhoneSendCode'
+        'recoveryPhoneSendSigninCode'
       );
 
       assert.calledOnceWithExactly(
@@ -219,7 +219,7 @@ describe('/recovery_phone', () => {
       assert.equal(mockCustoms.checkAuthenticated.getCall(0).args[1], uid);
       assert.equal(
         mockCustoms.checkAuthenticated.getCall(0).args[2],
-        'recoveryPhoneCreate'
+        'recoveryPhoneSendSetupCode'
       );
       assert.calledOnceWithExactly(
         mockStatsd.increment,

packages/fxa-auth-server/test/remote/recovery_phone_tests.js

@@ -337,14 +337,14 @@ describe(`#integration - recovery phone - customs checks`, function () {
     // One code gets sent here
     await client.recoveryPhoneCreate(phoneNumber);
 
-    // Send 8 more codes, for a total of 9 codes.
-    for (let i = 0; i < 9; i++) {
+    // Send 15 more codes, for a total of 16 codes.
+    for (let i = 0; i < 15; i++) {
       try {
         await client.recoveryPhoneConfirmSetup('000001');
       } catch {}
     }
 
-    // The 10th code should get throttled.
+    // The 16th code should get throttled.
     let error;
     try {
       await client.recoveryPhoneConfirmSetup('000001');
@@ -366,7 +366,7 @@ describe(`#integration - recovery phone - customs checks`, function () {
 
     let error;
     try {
-      for (let i = 0; i < 9; i++) {
+      for (let i = 0; i < 7; i++) {
         await client.recoveryPhoneSendCode();
       }
     } catch (err) {

packages/fxa-customs-server/lib/actions.js

@@ -24,7 +24,7 @@ const CODE_VERIFYING_ACTION = {
   // changes at 60 seconds
   // limits by email
   verifyTotpCode: true,
-  recoveryPhoneConfirmCode: true,
+  verifyRecoveryPhoneTotpCode: true,
 };
 
 // Actions that, if allowed, would allow an attacker
@@ -61,8 +61,8 @@ const EMAIL_SENDING_ACTION = {
 // very annoying to a user if abused.
 const SMS_SENDING_ACTION = {
   connectDeviceSms: true,
-  recoveryPhoneSendCode: true,
-  recoveryPhoneCreate: true,
+  recoveryPhoneSendSigninCode: true,
+  recoveryPhoneSendSetupCode: true,
 };
 
 // Actions that may grant access to an account but

packages/fxa-customs-server/lib/config/config.js

@@ -448,6 +448,33 @@ module.exports = function (fs, path, url, convict) {
           },
         },
       },
+      recoveryPhoneTotpCodeRules: {
+        actions: {
+          doc: 'Array of actions that this rule should be applied to',
+          default: ['verifyRecoveryPhoneTotpCode'],
+          format: Array,
+        },
+        limits: {
+          max: {
+            doc: 'max actions during `period` that can occur before rate limit is applied',
+            format: 'nat',
+            default: 10,
+            env: 'RECOVERY_PHONE_TOTP_CODE_RULE_MAX',
+          },
+          periodMs: {
+            doc: 'period needed before rate limit is reset',
+            format: 'duration',
+            default: '15 minutes',
+            env: 'RECOVERY_PHONE_TOTP_CODE_RULE_PERIOD_MS',
+          },
+          rateLimitIntervalMs: {
+            doc: 'how long rate limit is applied',
+            format: 'duration',
+            default: '15 minutes',
+            env: 'RECOVERY_PHONE_TOTP_CODE_RULE_LIMIT_INTERVAL_MS',
+          },
+        },
+      },
       tokenCodeRules: {
         actions: {
           doc: 'Array of actions that this rule should be applied to',
@@ -475,61 +502,61 @@ module.exports = function (fs, path, url, convict) {
           },
         },
       },
-      recoveryPhoneCreateCodeRules: {
+      recoveryPhoneSendSetupCodeRules: {
         actions: {
           doc:
             'Array of actions that this rule should be applied to. A user should only be able to initiate ' +
-            'a recovery phone setup X times a day.',
-          default: ['recoveryPhoneCreate'],
+            'a recovery phone setup X times a day by sending a setup code.',
+          default: ['recoveryPhoneSendSetupCode'],
           format: Array,
         },
         limits: {
           max: {
             doc: 'max actions during `period` that can occur before rate limit is applied',
             format: 'nat',
             default: 9,
-            env: 'RECOVERY_PHONE_SETUP_CODE_RULE_MAX',
+            env: 'RECOVERY_PHONE_SEND_SETUP_CODE_RULE_MAX',
           },
           periodMs: {
             doc: 'period needed before rate limit is reset',
             format: 'duration',
             default: '1 day',
-            env: 'RECOVERY_PHONE_SETUP_CODE_RULE_PERIOD_MS',
+            env: 'RECOVERY_PHONE_SEND_SETUP_CODE_RULE_PERIOD_MS',
           },
           rateLimitIntervalMs: {
             doc: 'how long rate limit is applied',
             format: 'duration',
-            default: '2 hours',
-            env: 'RECOVERY_PHONE_SETUP_CODE_RULE_LIMIT_INTERVAL_MS',
+            default: '24 hours',
+            env: 'RECOVERY_PHONE_SEND_SETUP_CODE_RULE_LIMIT_INTERVAL_MS',
           },
         },
       },
-      recoveryPhoneConfirmCodeRules: {
+      recoveryPhoneSendSigninCodeRules: {
         actions: {
           doc:
             'Array of actions that this rule should be applied to. A user should only be able to initiate ' +
-            'a recovery phone confirm X times a day.',
-          default: ['recoveryPhoneConfirmCode'],
+            'a recovery phone signin X times a day by sending an sms code.',
+          default: ['recoveryPhoneSendSigninCode'],
           format: Array,
         },
         limits: {
           max: {
             doc: 'max actions during `period` that can occur before rate limit is applied',
             format: 'nat',
             default: 6,
-            env: 'RECOVERY_PHONE_CONFIRM_CODE_RULE_MAX',
+            env: 'RECOVERY_PHONE_SEND_SIGNIN_CODE_RULE_MAX',
           },
           periodMs: {
             doc: 'period needed before rate limit is reset',
             format: 'duration',
             default: '1 day',
-            env: 'RECOVERY_PHONE_CONFIRM_CODE_RULE_PERIOD_MS',
+            env: 'RECOVERY_PHONE_SEND_SIGNIN_CODE_RULE_PERIOD_MS',
           },
           rateLimitIntervalMs: {
             doc: 'how long rate limit is applied',
             format: 'duration',
-            default: '2 hours',
-            env: 'RECOVERY_PHONE_CONFIRM_CODE_RULE_LIMIT_INTERVAL_MS',
+            default: '24 hours',
+            env: 'RECOVERY_PHONE_SEND_SIGNIN_CODE_RULE_LIMIT_INTERVAL_MS',
           },
         },
       },

packages/fxa-customs-server/test/remote/too_many_sms.js

@@ -372,132 +372,6 @@ test('clear everything', function (t) {
   });
 });
 
-test('/check `recoveryPhoneSendCode` by email', function (t) {
-  const action = 'recoveryPhoneSendCode';
-  return (
-    client
-      .postAsync('/check', {
-        ip: TEST_IP,
-        email: '[email protected]',
-        action,
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, false, 'not rate limited');
-        return client.postAsync('/check', {
-          ip: TEST_IP,
-          email: '[email protected]',
-          action,
-        });
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, false, 'not rate limited');
-        return client.postAsync('/check', {
-          ip: TEST_IP,
-          email: '[email protected]',
-          action,
-        });
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, true, 'rate limited');
-        t.equal(obj.retryAfter, 1, 'rate limit retry amount');
-
-        // Delay ~1s for rate limit to go away
-        return Promise.delay(1010);
-      })
-
-      // Reissue requests to verify that throttling is disabled
-      .then(function () {
-        return client.postAsync('/check', {
-          ip: TEST_IP,
-          email: '[email protected]',
-          action,
-        });
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, false, 'not rate limited');
-        t.end();
-      })
-      .catch(function (err) {
-        t.fail(err);
-        t.end();
-      })
-  );
-});
-
-test('clear everything', function (t) {
-  mcHelper.clearEverything(function (err) {
-    t.notOk(err, 'no errors were returned');
-    t.end();
-  });
-});
-
-test('/check `recoveryPhoneCreate` by email', function (t) {
-  const action = 'recoveryPhoneCreate';
-  return (
-    client
-      .postAsync('/check', {
-        ip: TEST_IP,
-        email: '[email protected]',
-        action,
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, false, 'not rate limited');
-        return client.postAsync('/check', {
-          ip: TEST_IP,
-          email: '[email protected]',
-          action,
-        });
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, false, 'not rate limited');
-        return client.postAsync('/check', {
-          ip: TEST_IP,
-          email: '[email protected]',
-          action,
-        });
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, true, 'rate limited');
-        t.equal(obj.retryAfter, 1, 'rate limit retry amount');
-
-        // Delay ~1s for rate limit to go away
-        return Promise.delay(1010);
-      })
-
-      // Reissue requests to verify that throttling is disabled
-      .then(function () {
-        return client.postAsync('/check', {
-          ip: TEST_IP,
-          email: '[email protected]',
-          action,
-        });
-      })
-      .spread(function (req, res, obj) {
-        t.equal(res.statusCode, 200, 'returns a 200');
-        t.equal(obj.block, false, 'not rate limited');
-        t.end();
-      })
-      .catch(function (err) {
-        t.fail(err);
-        t.end();
-      })
-  );
-});
-
-test('clear everything', function (t) {
-  mcHelper.clearEverything(function (err) {
-    t.notOk(err, 'no errors were returned');
-    t.end();
-  });
-});
-
 test('teardown', async function (t) {
   await testServer.stop();
   t.end();

packages/fxa-customs-server/test/remote/user_defined_rules.js

@@ -30,13 +30,13 @@ config.userDefinedRateLimitRules.tokenCodeRules.limits.max = 2;
 config.userDefinedRateLimitRules.tokenCodeRules.limits.periodMs = 1000;
 config.userDefinedRateLimitRules.tokenCodeRules.limits.rateLimitIntervalMs = 1000;
 
-config.userDefinedRateLimitRules.recoveryPhoneCreateCodeRules.limits.max = 5;
-config.userDefinedRateLimitRules.recoveryPhoneCreateCodeRules.limits.periodMs = 5000;
-config.userDefinedRateLimitRules.recoveryPhoneCreateCodeRules.limits.rateLimitIntervalMs = 1000;
+config.userDefinedRateLimitRules.recoveryPhoneSendSetupCodeRules.limits.max = 5;
+config.userDefinedRateLimitRules.recoveryPhoneSendSetupCodeRules.limits.periodMs = 5000;
+config.userDefinedRateLimitRules.recoveryPhoneSendSetupCodeRules.limits.rateLimitIntervalMs = 1000;
 
-config.userDefinedRateLimitRules.recoveryPhoneConfirmCodeRules.limits.max = 5;
-config.userDefinedRateLimitRules.recoveryPhoneConfirmCodeRules.limits.periodMs = 5000;
-config.userDefinedRateLimitRules.recoveryPhoneConfirmCodeRules.limits.rateLimitIntervalMs = 1000;
+config.userDefinedRateLimitRules.recoveryPhoneSendSigninCodeRules.limits.max = 5;
+config.userDefinedRateLimitRules.recoveryPhoneSendSigninCodeRules.limits.periodMs = 5000;
+config.userDefinedRateLimitRules.recoveryPhoneSendSigninCodeRules.limits.rateLimitIntervalMs = 1000;
 
 const ACTIONS = ['verifyTotpCode', 'verifyTokenCode'];
 
@@ -150,8 +150,8 @@ ACTIONS.forEach((action) => {
 });
 
 const recoveryPhoneActions = [
-  'recoveryPhoneCreate',
-  'recoveryPhoneConfirmCode',
+  'recoveryPhoneSendSetupCode',
+  'recoveryPhoneSendSigninCode',
 ];
 recoveryPhoneActions.forEach((action) => {
   test(`clear everything for ${action}`, async (t) => {