Merge pull request #20273 from mozilla/nshirley/email-skip-verify-regex

feat(auth): Add email verify regex bypass

Author: nshirley

packages/fxa-auth-server/config/index.ts

@@ -1693,6 +1693,12 @@ const convictConf = convict({
       default: [],
       env: 'SIGNIN_CONFIRMATION_SKIP_FOR_EMAIL_ADDRESS',
     },
+    skipForEmailRegex: {
+      doc: 'Regex pattern for email addresses that will always skip any non-TOTP sign-in confirmation. Checked in addition to skipForEmailAddresses.',
+      format: RegExp,
+      default: /^$/,
+      env: 'SIGNIN_CONFIRMATION_SKIP_FOR_EMAIL_REGEX',
+    },
     skipForNewAccounts: {
       enabled: {
         doc: 'Skip all sign-in email confirmations for newly-created accounts',

packages/fxa-auth-server/lib/routes/account.spec.ts

@@ -675,6 +675,7 @@ describe('deleteAccountIfUnverified', () => {
   mockConfig.oauth = {};
   mockConfig.signinConfirmation = {};
   mockConfig.signinConfirmation.skipForEmailAddresses = [];
+  mockConfig.signinConfirmation.skipForEmailRegex = /^$/;
   const emailRecord: any = {
     isPrimary: true,
     isVerified: false,
@@ -3171,6 +3172,80 @@ describe('/account/login', () => {
       );
     });
 
+    describe('skip for email regex', () => {
+      function setupSkipForEmailRegex(email: string, regex: RegExp) {
+        config.securityHistory.ipProfiling.allowedRecency = 0;
+        config.signinConfirmation.skipForNewAccounts = { enabled: false };
+        config.signinConfirmation.skipForEmailAddresses = [];
+        config.signinConfirmation.skipForEmailRegex = regex;
+
+        mockDB.verifiedLoginSecurityEvents = sinon.spy(() =>
+          Promise.resolve([])
+        );
+
+        mockRequest.payload.email = email;
+
+        mockDB.accountRecord = () => {
+          return Promise.resolve({
+            authSalt: hexString(32),
+            data: hexString(32),
+            email,
+            emailVerified: true,
+            primaryEmail: {
+              normalizedEmail: normalizeEmail(email),
+              email,
+              isVerified: true,
+              isPrimary: true,
+            },
+            kA: hexString(32),
+            lastAuthAt: () => Date.now(),
+            uid,
+            wrapWrapKb: hexString(32),
+          });
+        };
+
+        const innerAccountRoutes = makeRoutes({
+          checkPassword: () => Promise.resolve(true),
+          config,
+          customs: mockCustoms,
+          db: mockDB,
+          log: mockLog,
+          mailer: mockMailer,
+          push: mockPush,
+        });
+
+        route = getRoute(innerAccountRoutes, '/account/login');
+      }
+
+      afterEach(() => {
+        config.securityHistory.ipProfiling.allowedRecency =
+          defaultConfig.securityHistory.ipProfiling.allowedRecency;
+        config.signinConfirmation.skipForEmailRegex = /^$/;
+      });
+
+      it('should skip sign-in confirmation for email matching regex', () => {
+        setupSkipForEmailRegex('[email protected]', /.+@example\.com$/);
+
+        return runTest(route, mockRequest, (response: any) => {
+          expect(mockDB.createSessionToken.callCount).toBe(1);
+          const tokenData = mockDB.createSessionToken.getCall(0).args[0];
+          expect(tokenData.tokenVerificationId).toBeFalsy();
+          expect(response.emailVerified).toBeTruthy();
+        });
+      });
+
+      it('should not skip sign-in confirmation for email not matching regex', () => {
+        setupSkipForEmailRegex('[email protected]', /.+@example\.com$/);
+
+        return runTest(route, mockRequest, (response: any) => {
+          expect(mockDB.createSessionToken.callCount).toBe(1);
+          const tokenData = mockDB.createSessionToken.getCall(0).args[0];
+          expect(tokenData.tokenVerificationId).toBeTruthy();
+          expect(response.verified).toBeFalsy();
+        });
+      });
+    });
+
     describe('skip for known device', () => {
       let mockAccountEventsManager: any;
       let savedIpProfiling: any;

packages/fxa-auth-server/lib/routes/account.ts

@@ -86,6 +86,7 @@ export class AccountHandler {
   private otpUtils: OtpUtils;
   private otpOptions: ConfigType['otp'];
   private skipConfirmationForEmailAddresses: string[];
+  private skipConfirmationForEmailRegex: RegExp;
   private capabilityService: CapabilityService;
   private accountEventsManager: AccountEventsManager;
   private accountDeleteManager: AccountDeleteManager;
@@ -116,6 +117,8 @@ export class AccountHandler {
     this.otpUtils = require('./utils/otp').default(db, statsd);
     this.skipConfirmationForEmailAddresses = config.signinConfirmation
       .skipForEmailAddresses as string[];
+    this.skipConfirmationForEmailRegex =
+      config.signinConfirmation.skipForEmailRegex;
 
     this.OAUTH_DISABLE_NEW_CONNECTIONS_FOR_CLIENTS = new Set(
       (config.oauth.disableNewConnectionsForClients as string[]) || []
@@ -1259,7 +1262,10 @@ export class AccountHandler {
       // to guarantee the login experience.
       const lowerCaseEmail = account.primaryEmail.normalizedEmail.toLowerCase();
       const alwaysSkip =
-        this.skipConfirmationForEmailAddresses?.includes(lowerCaseEmail);
+        this.skipConfirmationForEmailAddresses?.includes(lowerCaseEmail) ||
+        // use both as a backward compatibility and eventually remove
+        // the array of emails in favor of just a regex which is more flexible
+        this.skipConfirmationForEmailRegex?.test(lowerCaseEmail);
       if (alwaysSkip) {
         this.log.info('account.signin.confirm.bypass.emailAlways', {
           uid: account.uid,