fix(fxa-settings,fxa-auth-server): cached passwordless sessions show signin page, not OTP redirect

Author: vbudhram

.circleci/config.yml

@@ -876,6 +876,7 @@ jobs:
             sudo tee -a /etc/hosts \<<<'127.0.0.1 localhost'
             sudo cat /etc/hosts
       - wait-for-infrastructure
+      - ensure-glean-venv
       - run:
           name: Start services for playwright tests
           command: ./packages/functional-tests/scripts/start-services.sh

packages/functional-tests/tests/passwordless/signinPasswordless.spec.ts

@@ -3,7 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 import { expect, test } from '../../lib/fixtures/standard';
-import { syncDesktopOAuthQueryParams } from '../../lib/query-params';
+import { relayDesktopOAuthQueryParams, syncDesktopOAuthQueryParams } from '../../lib/query-params';
 import { getTotpCode } from '../../lib/totp';
 
 test.describe('severity-1 #smoke', () => {
@@ -730,42 +730,88 @@ test.describe('severity-1 #smoke', () => {
 
 test.describe('severity-2', () => {
   test.describe('Passwordless authentication - Cached login', () => {
-    test('passwordless account navigating to content server redirects to OTP (not cached login)', async ({
+    test('passwordless account with cached session navigating to content server sees cached signin', async ({
       target,
-      pages: { page, signin, relier, signinPasswordlessCode, settings },
+      pages: { page, signin, relier, signinPasswordlessCode },
       testAccountTracker,
     }) => {
-      // Create passwordless account via 123done
       const { email } =
         testAccountTracker.generatePasswordlessAccountDetails();
 
       await relier.goto('force_passwordless=true');
       await relier.clickEmailFirst();
       await signin.fillOutEmailFirstForm(email);
 
-      // Should redirect to passwordless code page
       await expect(page).toHaveURL(/signin_passwordless_code/);
 
-      // Get OTP code from email
       const code = await target.emailClient.getPasswordlessSignupCode(email);
       await signinPasswordlessCode.fillOutCodeForm(code);
 
-      // Should complete OAuth and redirect to RP
       expect(await relier.isLoggedIn()).toBe(true);
 
-      // Navigate to content server — passwordless accounts are always
-      // redirected to OTP verification (container.tsx checks hasPassword=false
-      // && passwordlessSupported=true and redirects before cached UI renders)
+      // Navigate to / — cached session should show signin, not OTP
       await page.goto(target.contentServerUrl);
 
+      await expect(page).not.toHaveURL(/signin_passwordless_code/);
+      await expect(signin.cachedSigninHeading).toBeVisible();
+    });
+
+    test('passwordless account with cached session navigating to /signin sees cached signin page', async ({
+      target,
+      pages: { page, signin, relier, signinPasswordlessCode },
+      testAccountTracker,
+    }) => {
+      const { email } =
+        testAccountTracker.generatePasswordlessAccountDetails();
+
+      await relier.goto('force_passwordless=true');
+      await relier.clickEmailFirst();
+      await signin.fillOutEmailFirstForm(email);
+
       await expect(page).toHaveURL(/signin_passwordless_code/);
-      await expect(signinPasswordlessCode.heading).toBeVisible();
+      const code = await target.emailClient.getPasswordlessSignupCode(email);
+      await signinPasswordlessCode.fillOutCodeForm(code);
 
-      // Complete OTP flow to reach settings
-      const signinCode = await target.emailClient.getPasswordlessSigninCode(email);
-      await signinPasswordlessCode.fillOutCodeForm(signinCode);
+      expect(await relier.isLoggedIn()).toBe(true);
+
+      // Navigate to / — cached session should show signin, not OTP
+      await page.goto(target.contentServerUrl);
+
+      await expect(page).not.toHaveURL(/signin_passwordless_code/);
+      await expect(signin.cachedSigninHeading).toBeVisible();
+
+      // Navigate to /signin directly — same behavior
+      await page.goto(
+        `${target.contentServerUrl}/signin?email=${email}`
+      );
+      await expect(page).not.toHaveURL(/signin_passwordless_code/);
+      await expect(signin.cachedSigninHeading).toBeVisible();
+    });
+
+    test('passwordless signup via Settings then navigating to / shows cached signin (not OTP)', async ({
+      target,
+      pages: { page, signin, signinPasswordlessCode, settings },
+      testAccountTracker,
+    }) => {
+      const { email } =
+        testAccountTracker.generatePasswordlessAccountDetails();
+
+      await page.goto(
+        `${target.contentServerUrl}/?force_passwordless=true`
+      );
+      await signin.fillOutEmailFirstForm(email);
+
+      await expect(page).toHaveURL(/signin_passwordless_code/);
+
+      const code = await target.emailClient.getPasswordlessSignupCode(email);
+      await signinPasswordlessCode.fillOutCodeForm(code);
 
       await expect(settings.settingsHeading).toBeVisible();
+
+      // Navigate to / — cached session should show signin, not OTP
+      await page.goto(target.contentServerUrl);
+      await expect(page).not.toHaveURL(/signin_passwordless_code/);
+      await expect(signin.cachedSigninHeading).toBeVisible();
     });
   });
 
@@ -992,6 +1038,29 @@ test.describe('severity-2', () => {
       // flow since webchannel state from first login is stale.
     });
   });
-});
 
+test.describe('Passwordless authentication - Browser Service (Relay)', () => {
+    test('passwordless signin via Relay OAuth flow', async ({
+      target,
+      pages: { page, signin, signinPasswordlessCode },
+      testAccountTracker,
+    }) => {
+      const { email } = await testAccountTracker.signUpPasswordless();
+
+      const params = new URLSearchParams(relayDesktopOAuthQueryParams);
+      await signin.goto('/authorization', params);
+
+      await signin.fillOutEmailFirstForm(email);
+
+      await expect(page).toHaveURL(/signin_passwordless_code/);
+      await expect(signinPasswordlessCode.heading).toBeVisible();
+
+      const code = await target.emailClient.getPasswordlessSigninCode(email);
+      await signinPasswordlessCode.fillOutCodeForm(code);
 
+      // After OTP, the flow either redirects to set_password or
+      // completes the OAuth flow — verify we left the OTP page
+      await expect(page).not.toHaveURL(/signin_passwordless_code/);
+    });
+});
+});

packages/fxa-auth-server/test/mail_helper.js

@@ -86,6 +86,8 @@ module.exports = (printLogs) => {
           const sc = mail.headers['x-signin-verify-code'];
           const rpc = mail.headers['x-password-forgot-otp'];
           const mfa = mail.headers['x-account-change-verify-code'];
+          const plSignup = mail.headers['x-passwordless-signup-otp'];
+          const plSignin = mail.headers['x-passwordless-signin-otp'];
           const template = mail.headers['x-template-name'];
 
           // Workaround because the email service wraps this header in `< >`.
@@ -108,6 +110,10 @@ module.exports = (printLogs) => {
             console.log('\x1B[36mReset password Otp:', rpc, '\x1B[39m');
           } else if (mfa) {
             console.log('\x1B[36mMfa code:', mfa, '\x1B[39m');
+          } else if (plSignup) {
+            console.log('\x1B[35mPasswordless signup code:', plSignup, '\x1B[39m');
+          } else if (plSignin) {
+            console.log('\x1B[35mPasswordless signin code:', plSignin, '\x1B[39m');
           } else if (TEMPLATES_WITH_NO_CODE.has(template)) {
             console.log(`Notification email: ${template}`);
           } else {

packages/fxa-settings/src/pages/Index/container.test.tsx

@@ -868,6 +868,53 @@ describe('IndexContainer', () => {
       });
     });
 
+    it('should redirect cached passwordless account to signin (not OTP) when sessionToken exists', async () => {
+      // When a logged-in passwordless user navigates to `/`, currentAccount()
+      // returns their account with a sessionToken. The IndexContainer skips
+      // the passwordless OTP redirect and sends to /signin for cached login.
+      mockLocationState = {};
+
+      jest.spyOn(cache, 'currentAccount').mockReturnValue({
+        uid: 'abc123',
+        email: '[email protected]',
+        sessionToken: 'abc123def456',
+        lastLogin: Date.now(),
+      });
+      jest.spyOn(cache, 'lastStoredAccount').mockReturnValue(undefined);
+
+      mockUseValidatedQueryParams.mockReturnValue({
+        queryParamModel: {},
+        validationError: null,
+      });
+
+      mockUseAuthClient.mockReturnValue({
+        accountStatusByEmail: jest.fn().mockResolvedValue({
+          exists: true,
+          hasLinkedAccount: false,
+          hasPassword: false,
+          passwordlessSupported: true,
+        }),
+      });
+
+      renderWithLocalizationProvider(
+        <IndexContainer
+          {...{
+            integration,
+            serviceName: MozServices.Default,
+            useFxAStatusResult: mockUseFxAStatusResult,
+          }}
+        />
+      );
+
+      await waitFor(() => {
+        expect(mockNavigate).toHaveBeenCalledTimes(1);
+      });
+
+      const [calledUrl, options] = mockNavigate.mock.calls[0];
+      expect(calledUrl).toMatch(/\/signin$/);
+      expect(options.state.email).toBe('[email protected]');
+    });
+
     describe('passwordless redirect', () => {
       it('redirects existing passwordless account to passwordless code without feature flag', async () => {
         // When passwordlessSupported=true and hasPassword=false, canUsePasswordlessExisting

packages/fxa-settings/src/pages/Index/container.tsx

@@ -99,6 +99,10 @@ const IndexContainer = ({
   const { prefillEmail, deleteAccountSuccess, hasBounced } =
     location.state || {};
 
+  // Only used for suggestedEmail; handleSuccessNavigation reads fresh from
+  // localStorage to avoid stale closures when checking session state.
+  const cachedAccount = currentAccount() || lastStoredAccount();
+
   const handleSuccessNavigation = useCallback(
     (
       exists: boolean,
@@ -119,8 +123,11 @@ const IndexContainer = ({
       const passwordlessEnabled =
         config.featureFlags?.passwordlessEnabled === true ||
         queryParamModel.forcePasswordless === true;
+      // Skip passwordless redirect if the user has a cached session
+      const storedAccount = currentAccount() || lastStoredAccount();
+      const hasCachedSession = !!storedAccount?.sessionToken;
       const canUsePasswordlessExisting =
-        passwordlessSupported && !hasPassword && !hasLinkedAccount;
+        passwordlessSupported && !hasPassword && !hasLinkedAccount && !hasCachedSession;
       const canUsePasswordlessNew = passwordlessEnabled && passwordlessSupported && !wantsKeys;
 
       if (exists) {
@@ -308,8 +315,7 @@ const IndexContainer = ({
   const suggestedEmail =
     queryParamModel.email ||
     queryParamModel.loginHint ||
-    currentAccount()?.email ||
-    lastStoredAccount()?.email;
+    cachedAccount?.email;
 
   // If we just came from another Mozilla accounts page with a prefill email in location state,
   // ignore suggested email. Prefill email is used for clicks on "Use different account" or "Change email".

packages/fxa-settings/src/pages/Signin/container.test.tsx

@@ -1324,6 +1324,72 @@ describe('signin container', () => {
         );
       });
     });
+
+    it('passwordless user with valid sessionToken sees cached signin page, not OTP redirect', async () => {
+      // When a passwordless user has a valid cached session (sessionToken in localStorage),
+      // the useEffect should NOT redirect to /signin_passwordless_code.
+      // Instead, the Signin component should render with the cached session.
+      const storedAccount = {
+        ...MOCK_STORED_ACCOUNT,
+        email: MOCK_QUERY_PARAM_EMAIL,
+        sessionToken: MOCK_SESSION_TOKEN,
+      };
+      mockCurrentAccount(storedAccount);
+      mockAuthClient.accountStatusByEmail = jest.fn().mockResolvedValue({
+        exists: true,
+        hasLinkedAccount: false,
+        hasPassword: false,
+        passwordlessSupported: true,
+      });
+      mockUseValidateModule({
+        queryParams: {
+          email: MOCK_QUERY_PARAM_EMAIL,
+          isV2: () => false,
+        },
+      });
+      render();
+
+      // The Signin component should render (not redirect to passwordless code)
+      await waitFor(() => {
+        expect(SigninModule.default).toHaveBeenCalled();
+        expect(currentSigninProps?.sessionToken).toBe(MOCK_SESSION_TOKEN);
+      });
+
+      // Should NOT have navigated to passwordless code page
+      expect(mockNavigate).not.toHaveBeenCalledWith(
+        '/signin_passwordless_code',
+        expect.anything()
+      );
+    });
+
+    it('passwordless user without sessionToken redirects to OTP', async () => {
+      const storedAccount = {
+        ...MOCK_STORED_ACCOUNT,
+        email: MOCK_QUERY_PARAM_EMAIL,
+        sessionToken: undefined,
+      };
+      mockCurrentAccount(storedAccount);
+      mockAuthClient.accountStatusByEmail = jest.fn().mockResolvedValue({
+        exists: true,
+        hasLinkedAccount: false,
+        hasPassword: false,
+        passwordlessSupported: true,
+      });
+      mockUseValidateModule({
+        queryParams: {
+          email: MOCK_QUERY_PARAM_EMAIL,
+          isV2: () => false,
+        },
+      });
+      render();
+
+      await waitFor(() => {
+        expect(mockNavigate).toHaveBeenCalledWith(
+          '/signin_passwordless_code',
+          expect.anything()
+        );
+      });
+    });
   });
 
   describe('cachedSigninHandler', () => {

packages/fxa-settings/src/pages/Signin/container.tsx

@@ -288,7 +288,8 @@ const SigninContainer = ({
               passwordlessSupported &&
               !hasPassword &&
               !hasLinkedAccount &&
-              !skipPasswordlessRedirect
+              !skipPasswordlessRedirect &&
+              !sessionToken
             ) {
               // Existing passwordless account — server returns
               // passwordlessSupported=true regardless of flag/allowlist