Merge pull request #18382 from mozilla/fxa-11113

feat(security): Add security events for recovery phone, recovery codes

Author: vbudhram

packages/db-migrations/databases/fxa/patches/patch-162-163.sql

@@ -0,0 +1,14 @@
+SET NAMES utf8mb4 COLLATE utf8mb4_bin;
+
+CALL assertPatchLevel('162');
+
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_phone_send_code');
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_phone_setup_complete');
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_phone_signin_complete');
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_phone_signin_failed');
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_phone_removed');
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_codes_replaced');
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_codes_created');
+INSERT INTO securityEventNames(name) VALUES ('account.recovery_codes_signin_complete');
+
+UPDATE dbMetadata SET value = '163' WHERE name = 'schema-patch-level';

packages/db-migrations/databases/fxa/patches/patch-163-162.sql

@@ -0,0 +1,12 @@
+-- SET NAMES utf8mb4 COLLATE utf8mb4_bin;
+--
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_phone_send_code';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_phone_setup_complete';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_phone_signin_complete';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_phone_signin_failed';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_phone_removed';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_codes_replaced';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_codes_created';
+-- DELETE FROM securityEventNames WHERE name = 'account.recovery_codes_signin_complete';
+--
+-- UPDATE dbMetadata SET value = '162' WHERE name = 'schema-patch-level';

packages/db-migrations/databases/fxa/target-patch.json

@@ -1,3 +1,3 @@
 {
-  "level": 162
+  "level": 163
 }

packages/fxa-auth-server/lib/routes/recovery-codes.js

@@ -11,13 +11,15 @@ const { Container } = require('typedi');
 const RECOVERY_CODES_DOCS =
   require('../../docs/swagger/recovery-codes-api').default;
 const { BackupCodeManager } = require('@fxa/accounts/two-factor');
+const { AccountEventsManager } = require('../account-events');
 
 const RECOVERY_CODE_SANE_MAX_LENGTH = 20;
 
 module.exports = (log, db, config, customs, mailer, glean) => {
   const codeConfig = config.recoveryCodes;
   const RECOVERY_CODE_COUNT = (codeConfig && codeConfig.count) || 8;
   const backupCodeManager = Container.get(BackupCodeManager);
+  const accountEventsManager = Container.get(AccountEventsManager);
 
   // Validate backup authentication codes
   const recoveryCodesSchema = validators.recoveryCodes(
@@ -41,7 +43,11 @@ module.exports = (log, db, config, customs, mailer, glean) => {
       async handler(request) {
         log.begin('replaceRecoveryCodes', request);
 
-        const { authenticatorAssuranceLevel, uid } = request.auth.credentials;
+        const {
+          authenticatorAssuranceLevel,
+          uid,
+          id: sessionTokenId,
+        } = request.auth.credentials;
 
         // Since TOTP and backup authentication codes go hand in hand, you should only be
         // able to replace backup authentication codes in a TOTP verified session.
@@ -54,6 +60,13 @@ module.exports = (log, db, config, customs, mailer, glean) => {
           RECOVERY_CODE_COUNT
         );
 
+        accountEventsManager.recordSecurityEvent(db, {
+          name: 'account.recovery_codes_replaced',
+          uid,
+          ipAddr: request.app.clientAddress,
+          tokenId: sessionTokenId,
+        });
+
         const account = await db.account(uid);
         const { acceptLanguage, clientAddress: geo, ua } = request.app;
 
@@ -94,7 +107,11 @@ module.exports = (log, db, config, customs, mailer, glean) => {
       async handler(request) {
         log.begin('updateRecoveryCodes', request);
 
-        const { authenticatorAssuranceLevel, uid } = request.auth.credentials;
+        const {
+          authenticatorAssuranceLevel,
+          uid,
+          id: sessionTokenId,
+        } = request.auth.credentials;
 
         // Since TOTP and backup authentication codes go hand in hand, you should only be
         // able to replace backup authentication codes in a TOTP verified session.
@@ -120,6 +137,13 @@ module.exports = (log, db, config, customs, mailer, glean) => {
           uid,
         });
 
+        accountEventsManager.recordSecurityEvent(db, {
+          name: 'account.recovery_codes_created',
+          uid,
+          ipAddr: request.app.clientAddress,
+          tokenId: sessionTokenId,
+        });
+
         log.info('account.recoveryCode.replaced', { uid });
 
         await request.emitMetricsEvent('recoveryCode.replaced', { uid });
@@ -241,6 +265,13 @@ module.exports = (log, db, config, customs, mailer, glean) => {
         await request.emitMetricsEvent('recoveryCode.verified', { uid });
         glean.login.recoveryCodeSuccess(request, { uid });
 
+        accountEventsManager.recordSecurityEvent(db, {
+          name: 'account.recovery_codes_signin_complete',
+          uid,
+          ipAddr: request.app.clientAddress,
+          tokenId,
+        });
+
         return { remaining };
       },
     },

packages/fxa-auth-server/lib/routes/recovery-phone.ts

@@ -23,6 +23,7 @@ import { E164_NUMBER } from './validators';
 import AppError from '../error';
 import Localizer from '../l10n';
 import NodeRendererBindings from '../senders/renderer/bindings-node';
+import { AccountEventsManager } from '../account-events';
 
 const { Container } = require('typedi');
 
@@ -43,6 +44,7 @@ export type Customs = {
 class RecoveryPhoneHandler {
   private readonly recoveryPhoneService: RecoveryPhoneService;
   private readonly accountManager: AccountManager;
+  private readonly accountEventsManager: AccountEventsManager;
   private readonly localizer: Localizer;
 
   constructor(
@@ -54,6 +56,7 @@ class RecoveryPhoneHandler {
   ) {
     this.recoveryPhoneService = Container.get(RecoveryPhoneService);
     this.accountManager = Container.get(AccountManager);
+    this.accountEventsManager = Container.get(AccountEventsManager);
     this.localizer = new Localizer(new NodeRendererBindings());
   }
 
@@ -86,8 +89,11 @@ class RecoveryPhoneHandler {
   };
 
   async sendCode(request: AuthRequest) {
-    const { uid, email } = request.auth
-      .credentials as SessionTokenAuthCredential;
+    const {
+      uid,
+      email,
+      id: sessionTokenId,
+    } = request.auth.credentials as SessionTokenAuthCredential;
 
     if (!email) {
       throw AppError.invalidToken();
@@ -134,6 +140,14 @@ class RecoveryPhoneHandler {
     if (success) {
       this.log.info('account.recoveryPhone.signinSendCode.success', { uid });
       await this.glean.twoStepAuthPhoneCode.sent(request);
+
+      this.accountEventsManager.recordSecurityEvent(this.db, {
+        name: 'account.recovery_phone_send_code',
+        uid,
+        ipAddr: request.app.clientAddress,
+        tokenId: sessionTokenId,
+      });
+
       return { status: RecoveryPhoneStatus.SUCCESS };
     }
 
@@ -308,6 +322,14 @@ class RecoveryPhoneHandler {
               uid,
             }
           );
+
+          this.accountEventsManager.recordSecurityEvent(this.db, {
+            name: 'account.recovery_phone_setup_complete',
+            uid,
+            ipAddr: request.app.clientAddress,
+            tokenId: sessionTokenId,
+          });
+
           return {
             phoneNumber,
             nationalFormat,
@@ -324,6 +346,13 @@ class RecoveryPhoneHandler {
       } else {
         this.log.info('account.recoveryPhone.phoneSignin.success', { uid });
 
+        this.accountEventsManager.recordSecurityEvent(this.db, {
+          name: 'account.recovery_phone_signin_complete',
+          uid,
+          ipAddr: request.app.clientAddress,
+          tokenId: sessionTokenId,
+        });
+
         try {
           await this.mailer.sendPostSigninRecoveryPhoneEmail(
             account.emails,
@@ -354,11 +383,19 @@ class RecoveryPhoneHandler {
       return { status: RecoveryPhoneStatus.SUCCESS };
     }
 
+    this.accountEventsManager.recordSecurityEvent(this.db, {
+      name: 'account.recovery_phone_signin_failed',
+      uid,
+      ipAddr: request.app.clientAddress,
+      tokenId: sessionTokenId,
+    });
+
     throw AppError.invalidOrExpiredOtpCode();
   }
 
   async destroy(request: AuthRequest) {
-    const { uid } = request.auth.credentials as unknown as { uid: string };
+    const sessionToken = request.auth.credentials as SessionTokenAuthCredential;
+    const { uid } = sessionToken;
 
     let success = false;
     try {
@@ -392,6 +429,13 @@ class RecoveryPhoneHandler {
       const { acceptLanguage, geo, ua } = request.app;
 
       try {
+        this.accountEventsManager.recordSecurityEvent(this.db, {
+          name: 'account.recovery_phone_removed',
+          uid,
+          ipAddr: request.app.clientAddress,
+          tokenId: sessionToken.id,
+        });
+
         await this.mailer.sendPostRemoveRecoveryPhoneEmail(
           account.emails,
           account,

packages/fxa-auth-server/test/local/routes/recovery-codes.js

@@ -11,6 +11,7 @@ const mocks = require('../../mocks');
 const error = require('../../../lib/error');
 const { Container } = require('typedi');
 const { BackupCodeManager } = require('@fxa/accounts/two-factor');
+const { AccountEventsManager } = require('../../../lib/account-events');
 
 let log, db, customs, routes, route, request, requestOptions, mailer, glean;
 const TEST_EMAIL = '[email protected]';
@@ -45,7 +46,9 @@ describe('backup authentication codes', () => {
   const mockBackupCodeManager = {
     getCountForUserId: sandbox.fake(),
   };
-
+  const mockAccountEventsManager = {
+    recordSecurityEvent: sandbox.fake(),
+  };
   beforeEach(() => {
     log = mocks.mockLog();
     customs = mocks.mockCustoms();
@@ -71,10 +74,11 @@ describe('backup authentication codes', () => {
       },
     };
     Container.set(BackupCodeManager, mockBackupCodeManager);
+    Container.set(AccountEventsManager, mockAccountEventsManager);
   });
 
   afterEach(() => {
-    sandbox.restore();
+    sandbox.reset();
   });
 
   describe('GET /recoveryCodes', () => {
@@ -91,6 +95,16 @@ describe('backup authentication codes', () => {
           8,
           'called with backup authentication code count'
         );
+        assert.calledOnceWithExactly(
+          mockAccountEventsManager.recordSecurityEvent,
+          db,
+          {
+            name: 'account.recovery_codes_replaced',
+            uid: UID,
+            ipAddr: '63.245.221.32',
+            tokenId: undefined,
+          }
+        );
       });
     });
 
@@ -122,6 +136,16 @@ describe('backup authentication codes', () => {
           ['123'],
           'called with backup authentication codes'
         );
+        assert.calledOnceWithExactly(
+          mockAccountEventsManager.recordSecurityEvent,
+          db,
+          {
+            name: 'account.recovery_codes_created',
+            uid: UID,
+            ipAddr: '63.245.221.32',
+            tokenId: undefined,
+          }
+        );
       });
     });
 
@@ -174,6 +198,17 @@ describe('backup authentication codes', () => {
       const args = mailer.sendLowRecoveryCodesEmail.args[0];
       assert.lengthOf(args, 3);
       assert.equal(args[2].numberRemaining, 1);
+
+      assert.calledOnceWithExactly(
+        mockAccountEventsManager.recordSecurityEvent,
+        db,
+        {
+          name: 'account.recovery_codes_signin_complete',
+          uid: UID,
+          ipAddr: '63.245.221.32',
+          tokenId: undefined,
+        }
+      );
     });
 
     it('should rate-limit attempts to use a backup authentication code via customs', () => {