task(settings): Wrap create account recovery keys with MFA guard

dschom · dschom · commit e8fc8ef1028c · 2025-09-23T16:46:50.000-07:00
diff --git a/packages/functional-tests/tests/key-stretching-v2/recoveryKey.spec.ts b/packages/functional-tests/tests/key-stretching-v2/recoveryKey.spec.ts
@@ -114,6 +114,9 @@ test.describe('severity-2 #smoke', () => {
       await settings.goto(`${resetVersion.query}`);
       await page.waitForURL(/settings/);
       await settings.recoveryKey.createButton.click();
+
+      await settings.confirmMfaGuard(accountDetails.email);
+
       const key = await recoveryKey.createRecoveryKey(
         accountDetails.password,
         HINT
diff --git a/packages/functional-tests/tests/key-stretching-v2/recoveryKeyUpgrade.spec.ts b/packages/functional-tests/tests/key-stretching-v2/recoveryKeyUpgrade.spec.ts
@@ -29,6 +29,9 @@ test.describe('severity-2 #smoke', () => {
     await expect(settings.recoveryKey.status).toHaveText('Not Set');
 
     await settings.recoveryKey.createButton.click();
+
+    await settings.confirmMfaGuard(email);
+
     await recoveryKey.createRecoveryKey(password, HINT);
 
     await expect(settings.recoveryKey.status).toHaveText('Enabled');
diff --git a/packages/functional-tests/tests/misc/recoveryKeyPromoInline.spec.ts b/packages/functional-tests/tests/misc/recoveryKeyPromoInline.spec.ts
@@ -64,6 +64,7 @@ test.describe('recovery key promo', () => {
       await signin.fillOutPasswordForm(credentials.password);
       await page.waitForURL(/settings/);
       await settings.recoveryKey.createButton.click();
+      await settings.confirmMfaGuard(credentials.email);
       await recoveryKey.acknowledgeInfoForm();
       await recoveryKey.fillOutConfirmPasswordForm(credentials.password);
       await recoveryKey.clickDownload();
diff --git a/packages/functional-tests/tests/misc/recoveryKeyPromoSettingsBanner.spec.ts b/packages/functional-tests/tests/misc/recoveryKeyPromoSettingsBanner.spec.ts
@@ -27,6 +27,8 @@ test.describe('recovery key promo', () => {
 
       await inlineRecoveryKey.getBannerCreateLink().click();
 
+      await settings.confirmMfaGuard(credentials.email);
+
       await recoveryKey.acknowledgeInfoForm();
       await recoveryKey.fillOutConfirmPasswordForm(credentials.password);
 
@@ -57,6 +59,8 @@ test.describe('recovery key promo', () => {
 
       await inlineRecoveryKey.getBannerCreateLink().click();
 
+      await settings.confirmMfaGuard(credentials.email);
+
       await recoveryKey.acknowledgeInfoForm();
       await recoveryKey.fillOutConfirmPasswordForm(credentials.password);
 
diff --git a/packages/functional-tests/tests/resetPassword/oauthResetPasswordRecoveryKey.spec.ts b/packages/functional-tests/tests/resetPassword/oauthResetPasswordRecoveryKey.spec.ts
@@ -22,6 +22,9 @@ test.describe('severity-1 #smoke', () => {
 
       // Goes to settings and enables the account recovery key on user's account.
       await settings.recoveryKey.createButton.click();
+
+      await settings.confirmMfaGuard(credentials.email);
+
       const accountRecoveryKey = await recoveryKey.createRecoveryKey(
         credentials.password,
         'hint'
diff --git a/packages/functional-tests/tests/resetPassword/resetPassword2FA.spec.ts b/packages/functional-tests/tests/resetPassword/resetPassword2FA.spec.ts
@@ -143,6 +143,9 @@ test.describe('severity-1 #smoke', () => {
 
     // Create recovery key
     await settings.recoveryKey.createButton.click();
+
+    await settings.confirmMfaGuard(credentials.email);
+
     const key = await recoveryKey.createRecoveryKey(
       credentials.password,
       'hint'
@@ -218,6 +221,9 @@ test.describe('severity-1 #smoke', () => {
 
     // Create recovery key
     await settings.recoveryKey.createButton.click();
+
+    await settings.confirmMfaGuard(credentials.email);
+
     const key = await recoveryKey.createRecoveryKey(
       credentials.password,
       'hint'
@@ -287,6 +293,9 @@ test.describe('severity-1 #smoke', () => {
 
     // Create recovery key
     await settings.recoveryKey.createButton.click();
+
+    await settings.confirmMfaGuard(credentials.email);
+
     await recoveryKey.createRecoveryKey(credentials.password, 'hint');
 
     // Verify status as 'enabled'
@@ -357,6 +366,9 @@ test.describe('severity-1 #smoke', () => {
 
     // Create recovery key
     await settings.recoveryKey.createButton.click();
+
+    await settings.confirmMfaGuard(credentials.email);
+
     await recoveryKey.createRecoveryKey(credentials.password, 'hint');
 
     // Verify status as 'enabled'
diff --git a/packages/functional-tests/tests/resetPassword/resetPasswordRecoveryKey.spec.ts b/packages/functional-tests/tests/resetPassword/resetPasswordRecoveryKey.spec.ts
@@ -2,6 +2,7 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+import { emit } from 'node:process';
 import { expect, test } from '../../lib/fixtures/standard';
 import { SettingsPage } from '../../pages/settings';
 import { RecoveryKeyPage } from '../../pages/settings/recoveryKey';
@@ -26,6 +27,7 @@ test.describe('severity-1 #smoke', () => {
       );
 
       const key = await enableRecoveryKey(
+        credentials.email,
         credentials.password,
         recoveryKey,
         settings
@@ -127,7 +129,12 @@ test.describe('severity-1 #smoke', () => {
         signin
       );
 
-      await enableRecoveryKey(credentials.password, recoveryKey, settings);
+      await enableRecoveryKey(
+        credentials.email,
+        credentials.password,
+        recoveryKey,
+        settings
+      );
 
       await settings.signOut();
 
@@ -170,6 +177,7 @@ test.describe('severity-1 #smoke', () => {
       );
 
       const key = await enableRecoveryKey(
+        credentials.email,
         credentials.password,
         recoveryKey,
         settings
@@ -223,13 +231,17 @@ test.describe('severity-1 #smoke', () => {
   }
 
   async function enableRecoveryKey(
+    email: string,
     password: string,
     recoveryKey: RecoveryKeyPage,
     settings: SettingsPage
   ): Promise<string> {
     await expect(settings.recoveryKey.status).toHaveText('Not Set');
 
     await settings.recoveryKey.createButton.click();
+
+    await settings.confirmMfaGuard(email);
+
     const key = await recoveryKey.createRecoveryKey(password, 'hint');
 
     await expect(settings.settingsHeading).toBeVisible();
diff --git a/packages/functional-tests/tests/settings/recoveryKey.spec.ts b/packages/functional-tests/tests/settings/recoveryKey.spec.ts
@@ -19,7 +19,7 @@ test.describe('severity-1 #smoke', () => {
       pages: { page, recoveryKey, settings, signin },
       testAccountTracker,
     }) => {
-      const { password } = await signInAccount(
+      const { email, password } = await signInAccount(
         target,
         page,
         settings,
@@ -33,6 +33,9 @@ test.describe('severity-1 #smoke', () => {
       await expect(settings.recoveryKey.status).toHaveText('Not Set');
 
       await settings.recoveryKey.createButton.click();
+
+      await settings.confirmMfaGuard(email);
+
       await recoveryKey.acknowledgeInfoForm();
       await recoveryKey.fillOutConfirmPasswordForm(password);
 
@@ -61,6 +64,9 @@ test.describe('severity-1 #smoke', () => {
       await expect(settings.recoveryKey.status).toHaveText('Not Set');
 
       await settings.recoveryKey.createButton.click();
+
+      await settings.confirmMfaGuard(credentials.email);
+
       await recoveryKey.acknowledgeInfoForm();
       await recoveryKey.fillOutConfirmPasswordForm(credentials.password);
 
@@ -118,6 +124,9 @@ test.describe('severity-1 #smoke', () => {
       await expect(settings.recoveryKey.status).toHaveText('Not Set');
 
       await settings.recoveryKey.createButton.click();
+
+      await settings.confirmMfaGuard(credentials.email);
+
       await recoveryKey.createRecoveryKey(credentials.password, HINT);
       await expect(page.getByRole('alert')).toHaveText(
         'Account recovery key created'
diff --git a/packages/fxa-auth-client/lib/client.ts b/packages/fxa-auth-client/lib/client.ts
@@ -2099,6 +2099,16 @@ export default class AuthClient {
     );
   }
 
+  /**
+   * Creates an account recovery key that can be used to restore account data in the password is lost.
+   * @param sessionToken
+   * @param recoveryKeyId
+   * @param recoveryData
+   * @param enabled
+   * @param replaceKey
+   * @param headers
+   * @returns
+   */
   async createRecoveryKey(
     sessionToken: hexstring,
     recoveryKeyId: string,
@@ -2120,6 +2130,37 @@ export default class AuthClient {
     );
   }
 
+  /**
+   * Creates an account recovery key that can be used to restore account data in the password is lost.
+   * @param sessionToken
+   * @param recoveryKeyId
+   * @param recoveryData
+   * @param enabled
+   * @param replaceKey
+   * @param headers
+   * @returns
+   */
+  async createRecoveryKeyWithJwt(
+    jwt: string,
+    recoveryKeyId: string,
+    recoveryData: any,
+    enabled: boolean = true,
+    replaceKey: boolean = false,
+    headers?: Headers
+  ): Promise<{}> {
+    return this.jwtPost(
+      '/mfa/recoveryKey',
+      jwt,
+      {
+        recoveryKeyId,
+        recoveryData,
+        enabled,
+        replaceKey,
+      },
+      headers
+    );
+  }
+
   async getRecoveryKey(
     accountResetToken: hexstring,
     recoveryKeyId: string,
diff --git a/packages/fxa-auth-server/config/index.ts b/packages/fxa-auth-server/config/index.ts
@@ -2476,7 +2476,7 @@ const convictConf = convict({
       env: 'MFA__ENABLED',
     },
     actions: {
-      default: ['test', '2fa', 'email'],
+      default: ['test', '2fa', 'email', 'recovery_key'],
       doc: 'Actions protected by MFA',
       format: Array,
       env: 'MFA__ACTIONS',
diff --git a/packages/fxa-auth-server/docs/swagger/recovery-key-api.ts b/packages/fxa-auth-server/docs/swagger/recovery-key-api.ts
@@ -21,6 +21,18 @@ const RECOVERYKEY_POST = {
   ],
 };
 
+const MFA_RECOVERY_KEY_POST = {
+  ...TAGS_RECOVERY_KEY,
+  description: '/recoveryKey',
+  notes: [
+    dedent`
+      🔒 Authenticated with MFA jwt
+
+      Creates a new account recovery key for a user. Account recovery keys are one-time-use tokens that can be used to recover the user's kB if they forget their password. For more details, see the [account recovery keys](https://mozilla.github.io/ecosystem-platform/reference/tokens#account-recovery-tokens) docs.
+    `,
+  ],
+};
+
 const RECOVERYKEY_RECOVERYKEYID_GET = {
   ...TAGS_RECOVERY_KEY,
   description: '/recoveryKey/{recoveryKeyId}',
@@ -82,6 +94,7 @@ const API_DOCS = {
   RECOVERYKEY_DELETE,
   RECOVERYKEY_EXISTS_POST,
   RECOVERYKEY_POST,
+  MFA_RECOVERY_KEY_POST,
   RECOVERYKEY_RECOVERYKEYID_GET,
   RECOVERYKEY_VERIFY_POST,
   // RECOVERYKEY_HINT_GET,
diff --git a/packages/fxa-auth-server/lib/routes/recovery-key.js b/packages/fxa-auth-server/lib/routes/recovery-key.js
@@ -25,7 +25,7 @@ module.exports = (
   mailer,
   glean
 ) => {
-  return [
+  const routes = [
     {
       method: 'POST',
       path: '/recoveryKey',
@@ -186,6 +186,38 @@ module.exports = (
         return {};
       },
     },
+    {
+      method: 'POST',
+      path: '/mfa/recoveryKey',
+      options: {
+        ...RECOVERY_KEY_DOCS.MFA_RECOVERY_KEY_POST,
+        auth: {
+          strategy: 'mfa',
+          scope: ['mfa:recovery_key'],
+          payload: false,
+        },
+        validate: {
+          payload: isA.object({
+            recoveryKeyId: validators.recoveryKeyId.description(
+              DESCRIPTION.recoveryKeyId
+            ),
+            recoveryData: validators.recoveryData.description(
+              DESCRIPTION.recoveryData
+            ),
+            enabled: isA.boolean().default(true),
+            replaceKey: isA.boolean().default(false),
+          }),
+        },
+      },
+      handler: async function (request) {
+        return routes
+          .find(
+            (route) =>
+              route.path === '/v1/recoveryKey' && route.method === 'POST'
+          )
+          .handler(request);
+      },
+    },
     {
       method: 'POST',
       path: '/recoveryKey/verify',
@@ -438,4 +470,6 @@ module.exports = (
       },
     },
   ];
+
+  return routes;
 };
diff --git a/packages/fxa-settings/src/components/Settings/FlowRecoveryKeyConfirmPwd/index.tsx b/packages/fxa-settings/src/components/Settings/FlowRecoveryKeyConfirmPwd/index.tsx
@@ -3,6 +3,7 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 import React, { useCallback, useEffect, useState } from 'react';
+import { useErrorHandler } from 'react-error-boundary';
 import FlowContainer from '../FlowContainer';
 import ProgressBar from '../ProgressBar';
 import { FtlMsg } from 'fxa-react/lib/utils';
@@ -42,6 +43,7 @@ export const FlowRecoveryKeyConfirmPwd = ({
 }: FlowRecoveryKeyConfirmPwdProps) => {
   const account = useAccount();
   const ftlMsgResolver = useFtlMsgResolver();
+  const errorHandler = useErrorHandler();
 
   const [errorText, setErrorText] = useState<string>();
   const [localizedErrorBannerMessage, setLocalizedErrorBannerMessage] =
@@ -71,11 +73,21 @@ export const FlowRecoveryKeyConfirmPwd = ({
     setLocalizedErrorBannerMessage('');
     try {
       const replaceKey = actionType === RecoveryKeyAction.Change;
-      const recoveryKey = await account.createRecoveryKey(password, replaceKey);
+      const recoveryKey = await account.createRecoveryKey(
+        password,
+        replaceKey,
+        true
+      );
       setFormattedRecoveryKey(formatRecoveryKey(recoveryKey.buffer));
       logViewEvent(`flow.${viewName}`, 'confirm-password.success');
       navigateForward();
     } catch (err) {
+      if (err && err.code === 401 && err.errno === 110) {
+        // JWT invalid/expired
+        errorHandler(err);
+        return;
+      }
+
       const localizedErrorMessage = getLocalizedErrorMessage(
         ftlMsgResolver,
         err
@@ -103,6 +115,7 @@ export const FlowRecoveryKeyConfirmPwd = ({
     setIsLoading,
     setFormattedRecoveryKey,
     viewName,
+    errorHandler,
   ]);
 
   return (
diff --git a/packages/fxa-settings/src/components/Settings/PageRecoveryKeyCreate/index.stories.tsx b/packages/fxa-settings/src/components/Settings/PageRecoveryKeyCreate/index.stories.tsx
@@ -5,7 +5,7 @@
 import React from 'react';
 import { Meta } from '@storybook/react';
 import { withLocalization } from 'fxa-react/lib/storybooks';
-import PageRecoveryKeyCreate from '.';
+import { PageRecoveryKeyCreate } from '.';
 import { Account, AppContext } from '../../../models';
 import { mockAppContext, MOCK_ACCOUNT } from '../../../models/mocks';
 import { LocationProvider } from '@reach/router';
diff --git a/packages/fxa-settings/src/components/Settings/PageRecoveryKeyCreate/index.test.tsx b/packages/fxa-settings/src/components/Settings/PageRecoveryKeyCreate/index.test.tsx
diff --git a/packages/fxa-settings/src/components/Settings/PageRecoveryKeyCreate/index.tsx b/packages/fxa-settings/src/components/Settings/PageRecoveryKeyCreate/index.tsx
diff --git a/packages/fxa-settings/src/components/Settings/index.test.tsx b/packages/fxa-settings/src/components/Settings/index.test.tsx
diff --git a/packages/fxa-settings/src/components/Settings/index.tsx b/packages/fxa-settings/src/components/Settings/index.tsx
diff --git a/packages/fxa-settings/src/lib/types.ts b/packages/fxa-settings/src/lib/types.ts
diff --git a/packages/fxa-settings/src/models/Account.ts b/packages/fxa-settings/src/models/Account.ts
diff --git a/packages/fxa-settings/src/pages/ResetPassword/CompleteResetPassword/container.tsx b/packages/fxa-settings/src/pages/ResetPassword/CompleteResetPassword/container.tsx
