bug(auth): Fix broken functional tests due to rate-limiting

Because:
- We were tripping rate limits during functional tests

This Commit:
- Adds email to `customs.checkAuthenticated`
- Fixes the verifySessionCode check. We can check on UID here, so we don't need to also check IP since the endpoint is protected by a session token.

Author: dschom

packages/fxa-auth-server/config/rate-limit-rules.txt

@@ -67,7 +67,6 @@
   passwordForgotVerifyCode              : email             : 10            : 15 minutes        : 15 minutes
   verifyRecoveryCode                    : ip                : 10            : 10 minutes        : 30 minutes
   verifyRecoveryCode                    : email             : 10            : 15 minutes        : 15 minutes
-  verifySessionCode                     : ip                : 10            : 10 minutes        : 30 minutes
   verifySessionCode                     : uid               : 10            : 15 minutes        : 15 minutes
 
 # Verify TOTP Code Limits

packages/fxa-auth-server/lib/customs.js

@@ -117,7 +117,7 @@ class CustomsClient {
     return this.handleCustomsResult(request, result);
   }
 
-  async checkAuthenticated(request, uid, action) {
+  async checkAuthenticated(request, uid, email, action) {
     const checked = await this.checkV2(request, 'checkAuthenticated', action, {
       ip: request?.app?.clientAddress,
       uid,

packages/fxa-auth-server/lib/routes/devices-and-sessions.js

@@ -322,6 +322,7 @@ module.exports = (
         let { ttl } = request.payload;
         const credentials = request.auth.credentials;
         const uid = credentials.uid;
+        const email = credentials.email;
         const sender = credentials.deviceId;
 
         if (
@@ -331,7 +332,12 @@ module.exports = (
           throw new error.featureNotEnabled();
         }
 
-        await customs.checkAuthenticated(request, uid, 'invokeDeviceCommand');
+        await customs.checkAuthenticated(
+          request,
+          uid,
+          email,
+          'invokeDeviceCommand'
+        );
 
         const targetDevice = await db.device(uid, target);
 
@@ -468,6 +474,7 @@ module.exports = (
         const body = request.payload;
         const sessionToken = request.auth.credentials;
         const uid = sessionToken.uid;
+        const email = sessionToken.email;
         const payload = body.payload;
         const endpointAction = body._endpointAction || 'devicesNotify';
 
@@ -484,7 +491,7 @@ module.exports = (
         }
 
         let [, deviceArray] = await Promise.all([
-          customs.checkAuthenticated(request, uid, endpointAction),
+          customs.checkAuthenticated(request, uid, email, endpointAction),
           request.app.devices,
         ]);
 

packages/fxa-auth-server/lib/routes/password.ts

@@ -108,6 +108,7 @@ module.exports = function (
           await customs.checkAuthenticated(
             request,
             sessionToken.uid,
+            sessionToken.email,
             customs.v2Enabled()
               ? 'authenticatedPasswordChange'
               : 'passwordChange'

packages/fxa-auth-server/lib/routes/recovery-key.js

@@ -203,7 +203,7 @@ module.exports = (
         log.begin('verifyRecoveryKey', request);
 
         const sessionToken = request.auth.credentials;
-        const { uid } = sessionToken;
+        const { uid, email } = sessionToken;
 
         try {
           if (sessionToken.tokenVerificationId) {
@@ -212,7 +212,12 @@ module.exports = (
 
           // This route can let you check if a key is valid therefore we
           // rate limit it.
-          await customs.checkAuthenticated(request, uid, 'getRecoveryKey');
+          await customs.checkAuthenticated(
+            request,
+            uid,
+            email,
+            'getRecoveryKey'
+          );
 
           const { recoveryKeyId } = request.payload;
 
@@ -278,10 +283,10 @@ module.exports = (
       handler: async function (request) {
         log.begin('getRecoveryKey', request);
 
-        const { uid } = request.auth.credentials;
+        const { uid, email } = request.auth.credentials;
         const { recoveryKeyId } = request.params;
 
-        await customs.checkAuthenticated(request, uid, 'getRecoveryKey');
+        await customs.checkAuthenticated(request, uid, email, 'getRecoveryKey');
 
         const { recoveryData } = await db.getRecoveryKey(uid, recoveryKeyId);
 

packages/fxa-auth-server/lib/routes/recovery-phone.ts

@@ -48,6 +48,7 @@ export type Customs = {
   checkAuthenticated: (
     req: AuthRequest,
     uid: string,
+    email: string,
     action: string
   ) => Promise<void>;
 };
@@ -202,6 +203,7 @@ class RecoveryPhoneHandler {
     await this.customs.checkAuthenticated(
       request,
       uid,
+      email,
       'recoveryPhoneSendResetPasswordCode'
     );
 
@@ -285,6 +287,7 @@ class RecoveryPhoneHandler {
     await this.customs.checkAuthenticated(
       request,
       uid,
+      email,
       'recoveryPhoneSendSetupCode'
     );
 
@@ -381,6 +384,7 @@ class RecoveryPhoneHandler {
     await this.customs.checkAuthenticated(
       request,
       uid,
+      email,
       'verifyRecoveryPhoneTotpCode'
     );
 
@@ -645,6 +649,7 @@ class RecoveryPhoneHandler {
     await this.customs.checkAuthenticated(
       request,
       uid,
+      email,
       'verifyRecoveryPhoneTotpCode'
     );
 
@@ -665,10 +670,7 @@ class RecoveryPhoneHandler {
     }
 
     if (success) {
-      await this.db.verifyPasswordForgotTokenWithMethod(
-        id,
-        'totp-2fa'
-      );
+      await this.db.verifyPasswordForgotTokenWithMethod(id, 'totp-2fa');
 
       await this.glean.resetPassword.recoveryPhoneCodeComplete(request);
 

packages/fxa-auth-server/lib/routes/session.js

@@ -371,10 +371,15 @@ module.exports = function (
         const options = request.payload;
         const sessionToken = request.auth.credentials;
         const { code } = options;
-        const { uid } = sessionToken;
+        const { uid, email } = sessionToken;
         const devices = await request.app.devices;
 
-        await customs.checkAuthenticated(request, uid, 'verifySessionCode');
+        await customs.checkAuthenticated(
+          request,
+          uid,
+          email,
+          'verifySessionCode'
+        );
 
         request.emitMetricsEvent('session.verify_code');
 
@@ -618,10 +623,15 @@ module.exports = function (
         log.begin('Session.verify_push', request);
         const options = request.payload;
         const sessionToken = request.auth.credentials;
-        const { uid } = sessionToken;
+        const { uid, email } = sessionToken;
         const { code, tokenVerificationId } = options;
 
-        await customs.checkAuthenticated(request, uid, 'verifySessionCode');
+        await customs.checkAuthenticated(
+          request,
+          uid,
+          email,
+          'verifySessionCode'
+        );
         request.emitMetricsEvent('session.verify_push');
 
         const device = await db.deviceFromTokenVerificationId(

packages/fxa-auth-server/lib/routes/totp.js

@@ -346,6 +346,7 @@ module.exports = (
         await customs.checkAuthenticated(
           request,
           passwordForgotToken.uid,
+          passwordForgotToken.email,
           'verifyTotpCode'
         );
 
@@ -505,7 +506,7 @@ module.exports = (
         const sessionToken = request.auth.credentials;
         const { uid, email } = sessionToken;
 
-        await customs.checkAuthenticated(request, uid, 'verifyTotpCode');
+        await customs.checkAuthenticated(request, uid, email, 'verifyTotpCode');
 
         const token = await db.totpToken(sessionToken.uid);
         const sharedSecret = token.sharedSecret;

packages/fxa-auth-server/lib/routes/utils/signin.js

@@ -139,6 +139,7 @@ module.exports = (
             await customs.checkAuthenticated(
               request,
               checkAuthenticatedUid,
+              email,
               customs.v2Enabled ? 'authenticatedAccountLogin' : 'accountLogin'
             );
           } else {

packages/fxa-auth-server/test/local/customs.js

@@ -511,6 +511,7 @@ describe('Customs', () => {
 
     action = 'devicesNotify';
     const uid = 'foo';
+    const email = '[email protected]';
 
     function checkRequestBody(body) {
       assert.deepEqual(
@@ -540,42 +541,42 @@ describe('Customs', () => {
       .reply(200, '{"block":true,"retryAfter":10001}');
 
     return customsWithUrl
-      .checkAuthenticated(request, uid, action)
+      .checkAuthenticated(request, uid, email, action)
       .then((result) => {
         assert.equal(
           result,
           undefined,
           'Nothing is returned when /checkAuthenticated succeeds - 1'
         );
-        return customsWithUrl.checkAuthenticated(request, uid, action);
+        return customsWithUrl.checkAuthenticated(request, uid, email, action);
       })
       .then((result) => {
         assert.equal(
           result,
           undefined,
           'Nothing is returned when /checkAuthenticated succeeds - 2'
         );
-        return customsWithUrl.checkAuthenticated(request, uid, action);
+        return customsWithUrl.checkAuthenticated(request, uid, email, action);
       })
       .then((result) => {
         assert.equal(
           result,
           undefined,
           'Nothing is returned when /checkAuthenticated succeeds - 3'
         );
-        return customsWithUrl.checkAuthenticated(request, uid, action);
+        return customsWithUrl.checkAuthenticated(request, uid, email, action);
       })
       .then((result) => {
         assert.equal(
           result,
           undefined,
           'Nothing is returned when /checkAuthenticated succeeds - 4'
         );
-        return customsWithUrl.checkAuthenticated(request, uid, action);
+        return customsWithUrl.checkAuthenticated(request, uid, email, action);
       })
       .then(() => {
         // request is blocked
-        return customsWithUrl.checkAuthenticated(request, uid, action);
+        return customsWithUrl.checkAuthenticated(request, uid, email, action);
       })
       .then(
         () => {
@@ -861,7 +862,12 @@ describe('Customs', () => {
       });
 
       try {
-        await customsWithUrl.checkAuthenticated(request, 'uid', action);
+        await customsWithUrl.checkAuthenticated(
+          request,
+          'uid',
+          'email',
+          action
+        );
         assert.fail('should have failed');
       } catch (err) {
         assert.isTrue(