feat(emails): send email after sms code used as 2fa in reset

Author: chenba

packages/fxa-auth-server/lib/metrics/amplitude.js

@@ -67,6 +67,7 @@ const EMAIL_TYPES = {
   postConsumeRecoveryCode: '2fa',
   postNewRecoveryCodes: '2fa',
   postAddRecoveryPhone: '2fa',
+  passwordResetRecoveryPhone: 'account_recovery',
   postRemoveRecoveryPhone: '2fa',
   postChangeRecoveryPhone: '2fa',
   postSigninRecoveryPhone: 'login',

packages/fxa-auth-server/lib/routes/recovery-phone.ts

@@ -565,7 +565,32 @@ class RecoveryPhoneHandler {
         request,
       });
 
-      // @TODO send email in FXA-11600
+      const account = await this.db.account(uid);
+      const { acceptLanguage, geo, ua } = request.app;
+
+      try {
+        await this.mailer.sendPasswordResetRecoveryPhoneEmail(
+          account.emails,
+          account,
+          {
+            acceptLanguage,
+            timeZone: geo.timeZone,
+            uaBrowser: ua.browser,
+            uaBrowserVersion: ua.browserVersion,
+            uaOS: ua.os,
+            uaOSVersion: ua.osVersion,
+            uaDeviceType: ua.deviceType,
+            uid,
+          }
+        );
+      } catch (error) {
+        this.log.error(
+          'account.recoveryPhone.phonePasswordResetNotification.error',
+          {
+            error,
+          }
+        );
+      }
 
       return { status: RecoveryPhoneStatus.SUCCESS };
     }

packages/fxa-auth-server/lib/senders/email.js

@@ -75,6 +75,7 @@ module.exports = function (log, config, bounces, statsd) {
     passwordForgotOtp: 'password-forgot-otp',
     passwordReset: 'password-reset-success',
     passwordResetAccountRecovery: 'password-reset-account-recovery-success',
+    passwordResetRecoveryPhone: 'password-reset-recovery-phone',
     passwordResetWithRecoveryKeyPrompt: 'password-reset-w-recovery-key-prompt',
     postAddLinkedAccount: 'account-linked',
     postRemoveSecondary: 'account-email-removed',
@@ -136,6 +137,7 @@ module.exports = function (log, config, bounces, statsd) {
     passwordForgotOtp: 'password-reset',
     passwordReset: 'password-reset',
     passwordResetAccountRecovery: 'manage-account',
+    passwordResetRecoveryPhone: 'manage-account',
     passwordResetWithRecoveryKeyPrompt: 'create-recovery-key',
     postAddLinkedAccount: 'manage-account',
     postRemoveSecondary: 'account-email-removed',
@@ -1696,6 +1698,38 @@ module.exports = function (log, config, bounces, statsd) {
     });
   };
 
+  Mailer.prototype.passwordResetRecoveryPhoneEmail = function (message) {
+    const templateName = 'passwordResetRecoveryPhone';
+    const links = this._generateSettingLinks(message, templateName);
+    const [time, date] = this._constructLocalTimeString(
+      message.timeZone,
+      message.acceptLanguage
+    );
+
+    const headers = {
+      'X-Link': links.link,
+    };
+
+    return this.send({
+      ...message,
+      headers,
+      template: templateName,
+      templateValues: {
+        date,
+        device: this._formatUserAgentInfo(message),
+        privacyUrl: links.privacyUrl,
+        link: links.link,
+        resetLink: links.resetLink,
+        resetLinkAttributes: links.resetLinkAttributes,
+        supportLinkAttributes: links.supportLinkAttributes,
+        supportUrl: links.supportUrl,
+        twoFactorSettingsLink: links.twoFactorSettingsLink,
+        twoFactorSettingsLinkAttributes: links.twoFactorSettingsLinkAttributes,
+        time,
+      },
+    });
+  };
+
   Mailer.prototype.postRemoveRecoveryPhoneEmail = function (message) {
     const templateName = 'postRemoveRecoveryPhone';
     const links = this._generateLinks(
@@ -3054,7 +3088,6 @@ module.exports = function (log, config, bounces, statsd) {
     templateName,
     content
   ) {
-    console.log(link);
     const parsedLink = new URL(link);
 
     Object.keys(query).forEach((key) => {

packages/fxa-auth-server/lib/senders/emails/templates/_versions.json

@@ -23,6 +23,7 @@
   "passwordChangeRequired": 3,
   "passwordForgotOtp": 1,
   "passwordReset": 6,
+  "passwordResetRecoveryPhone": 1,
   "postAddLinkedAccount": 1,
   "postChangePrimary": 5,
   "postRemoveSecondary": 5,

packages/fxa-auth-server/lib/senders/emails/templates/passwordResetRecoveryPhone/en.ftl

@@ -0,0 +1,5 @@
+passwordResetRecoveryPhone-subject = Recovery phone used
+passwordResetRecoveryPhone-preview = Check to make sure this was you
+passwordResetRecoveryPhone-title = Your recovery phone was used to confirm a password reset
+passwordResetRecoveryPhone-device = Recovery phone used from:
+passwordResetRecoveryPhone-action = Manage account

packages/fxa-auth-server/lib/senders/emails/templates/passwordResetRecoveryPhone/includes.json

@@ -0,0 +1,14 @@
+{
+  "subject": {
+    "id": "passwordResetRecoveryPhone-subject",
+    "message": "Recovery phone used"
+  },
+  "action": {
+    "id": "passwordResetRecoveryPhone-action",
+    "message": "Manage account"
+  },
+  "preview": {
+    "id": "passwordResetRecoveryPhone-preview",
+    "message": "Check to make sure this was you"
+  }
+}

packages/fxa-auth-server/lib/senders/emails/templates/passwordResetRecoveryPhone/index.mjml

@@ -0,0 +1,23 @@
+<%# This Source Code Form is subject to the terms of the Mozilla Public
+  # License, v. 2.0. If a copy of the MPL was not distributed with this
+  # file, You can obtain one at http://mozilla.org/MPL/2.0/. %>
+
+<mj-section>
+  <mj-column>
+    <mj-text css-class="text-header">
+      <span data-l10n-id="passwordResetRecoveryPhone-title">Your recovery phone was used to confirm a password reset</span>
+    </mj-text>
+
+    <mj-text css-class="text-body">
+      <span data-l10n-id="passwordResetRecoveryPhone-device">Recovery phone used from:</span>
+    </mj-text>
+  </mj-column>
+</mj-section>
+<%- include('/partials/userInfo/index.mjml') %>
+
+<%- include('/partials/button/index.mjml', {
+  buttonL10nId: "passwordResetRecoveryPhone-action",
+  buttonText: "Manage account"
+}) %>
+
+<%- include('/partials/automatedEmailResetPasswordTwoFactor/index.mjml') %>

packages/fxa-auth-server/lib/senders/emails/templates/passwordResetRecoveryPhone/index.stories.ts

@@ -0,0 +1,23 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+import { Meta } from '@storybook/html';
+import { storyWithProps } from '../../storybook-email';
+import { MOCK_USER_INFO } from '../../partials/userInfo/mocks';
+
+export default {
+  title: 'FxA Emails/Templates/passwordResetRecoveryPhone',
+} as Meta;
+
+const createStory = storyWithProps(
+  'passwordResetRecoveryPhone',
+  'Sent when a user uses their recovery phone to reset their password as an alternative to their authenticator app.',
+  {
+    ...MOCK_USER_INFO,
+    link: 'http://localhost:3030/settings',
+    resetLink: 'http://localhost:3030/reset_password',
+  }
+);
+
+export const passwordResetRecoveryPhone = createStory();

packages/fxa-auth-server/lib/senders/emails/templates/passwordResetRecoveryPhone/index.txt

@@ -0,0 +1,10 @@
+passwordResetRecoveryPhone-title = "Your recovery phone was used to confirm a password reset"
+
+passwordResetRecoveryPhone-device = "Recovery phone used from:"
+<%- include('/partials/userInfo/index.txt') %>
+
+<%- include('/partials/manageAccount/index.txt') %>
+
+<%- include('/partials/automatedEmailResetPasswordTwoFactor/index.txt') %>
+
+<%- include('/partials/support/index.txt') %>

packages/fxa-auth-server/test/local/routes/recovery-phone.js

@@ -743,6 +743,7 @@ describe('/recovery_phone', () => {
         mockStatsd.increment,
         'account.resetPassword.recoveryPhone.success'
       );
+      assert.calledOnce(mockMailer.sendPasswordResetRecoveryPhoneEmail);
     });
 
     it('fails confirms a code during signin', async () => {