diff --git a/packages/fxa-auth-client/lib/client.ts b/packages/fxa-auth-client/lib/client.ts index 217babe0658..3206609a49f 100644 --- a/packages/fxa-auth-client/lib/client.ts +++ b/packages/fxa-auth-client/lib/client.ts @@ -750,9 +750,13 @@ export default class AuthClient { ); } } catch (err) { - Sentry.captureMessage( - 'Failure to complete v2 key stretch upgrade.' - ); + Sentry.captureException(err, { + tags: { + errno: err?.errno, + endpoint: 'passwordChange', + source: 'v2-upgrade', + }, + }); } } else if (credentials.v2) { // Already using V2! Just sign in. @@ -1497,45 +1501,40 @@ export default class AuthClient { async sessionReauth( sessionToken: hexstring, - email: string, + primaryEmail: string, password: string, options: SessionReauthOptions = {}, headers?: Headers ): Promise { - const credentials = await crypto.getCredentials(email, password); - try { - const accountData = await this.sessionReauthWithAuthPW( + // v1 stretching salts using the account's initial signup email, which can + // differ from the user's current primary. Resolve the derivation email + // up-front (callers may pre-supply it via `options.originalLoginEmail` to + // skip the roundtrip) so we derive the correct authPW the first time. + let derivationEmail = options.originalLoginEmail; + if (derivationEmail == null) { + const result = await this.fetchOriginalAccountEmail( sessionToken, - email, - credentials.authPW, - options, headers ); - if (options.keys) { - accountData.unwrapBKey = credentials.unwrapBKey; - } - return accountData; - } catch (error: any) { - if ( - error && - error.email && - error.errno === ERRORS.INCORRECT_EMAIL_CASE && - !options.skipCaseError - ) { - options.skipCaseError = true; - options.originalLoginEmail = email; + derivationEmail = result.email; + } - return this.sessionReauth( - sessionToken, - error.email, - password, - options, - headers - ); - } else { - throw error; - } + const credentials = await crypto.getCredentials(derivationEmail, password); + // Server semantics: payload.email is the email used for authPW derivation + // and account lookup (the immutable account.email); payload.originalLoginEmail + // is the email the user typed for login (checked against the current primary + // via checkEmailAddress). Map the helper's args onto the wire format. + const accountData = await this.sessionReauthWithAuthPW( + sessionToken, + derivationEmail, + credentials.authPW, + { ...options, originalLoginEmail: primaryEmail }, + headers + ); + if (options.keys) { + accountData.unwrapBKey = credentials.unwrapBKey; } + return accountData; } async sessionReauthWithAuthPW( @@ -1570,8 +1569,15 @@ export default class AuthClient { } = {}, headers?: Headers ): Promise { + // v1 stretching salts using the accounts initial signup email, which + // can differ from the user's current primary email. Fetch the original + // account email up-front so we derive the correct authPW the first time. + const { email: originalEmail } = await this.fetchOriginalAccountEmail( + sessionToken, + headers + ); const oldCredentials = await this.passwordChangeStart( - email, + originalEmail, oldPassword, sessionToken, undefined, @@ -1604,7 +1610,7 @@ export default class AuthClient { let unwrapBKeyVersion2: string | undefined; if (this.keyStretchVersion === 2) { const v2Payload = await this.createPasswordChangeV2Payload( - email, + originalEmail, newPassword, keys, newCredentials, @@ -1684,6 +1690,15 @@ export default class AuthClient { } } + /** + * Initiates the password change process by validating the old password and returning the necessary tokens for the password change flow. + * @param email - The original email associated with the account, used for deriving the correct credentials. This is the salt. + * @param oldPassword - The current password of the user, used to derive the old credentials for validation. + * @param sessionToken - The session token of the authenticated user, required for authorization of the password change operation. + * @param options - Additional options for the password change process, such as skipping email case error handling. + * @param headers - Optional headers for the request, allowing for customization of the request context. + * @returns + */ private async passwordChangeStart( email: string, oldPassword: string, @@ -1835,16 +1850,28 @@ export default class AuthClient { } = {}, headers?: Headers ): Promise { + // Both the old v1 credentials and the new v1 credentials are salted by + // the account's original signup email, which can differ from the + // user's current primary. Fetch the original account email up-front so + // every derivation below matches the stored verifier on the first try. + const { email: originalEmail } = await this.fetchOriginalAccountEmail( + sessionToken, + headers + ); const oldCredentials = await this.sessionReauth( sessionToken, - options.reauthEmail || email, + email, oldPassword, { keys: true, + originalLoginEmail: originalEmail, }, headers ); - const oldCredentialsAuth = await crypto.getCredentials(email, oldPassword); + const oldCredentialsAuth = await crypto.getCredentials( + originalEmail, + oldPassword + ); const oldAuthPW = oldCredentialsAuth.authPW; const keys = await this.accountKeys( @@ -1853,7 +1880,10 @@ export default class AuthClient { headers ); - const newCredentials = await crypto.getCredentials(email, newPassword); + const newCredentials = await crypto.getCredentials( + originalEmail, + newPassword + ); const wrapKb = crypto.unwrapKB(keys.kB, newCredentials.unwrapBKey); const authPW = newCredentials.authPW; @@ -1867,7 +1897,7 @@ export default class AuthClient { wrapKbVersion2?: string; clientSalt?: string; } = { - email, + email: originalEmail, oldAuthPW, authPW, wrapKb, @@ -1875,7 +1905,7 @@ export default class AuthClient { if (this.keyStretchVersion === 2) { const v2Payload = await this.createPasswordChangeV2Payload( - email, + originalEmail, newPassword, keys, newCredentials, @@ -1890,37 +1920,7 @@ export default class AuthClient { }; } - try { - const accountData = await this.jwtPost( - '/mfa/password/change', - jwt, - payload, - headers - ); - - return accountData; - } catch (error: any) { - if ( - error && - error.email && - error.errno === ERRORS.INCORRECT_EMAIL_CASE && - !options.skipCaseError - ) { - options.skipCaseError = true; - options.reauthEmail = email; - return await this.passwordChangeWithJWT( - jwt, - error.email, - oldPassword, - newPassword, - sessionToken, - options, - headers - ); - } else { - throw error; - } - } + return this.jwtPost('/mfa/password/change', jwt, payload, headers); } async createPassword( @@ -3701,4 +3701,21 @@ export default class AuthClient { throw error; } } + + // Returns the account's signup email — the immutable PBKDF2 salt for v1 + // password derivation. Callers must use this email (not the user's current + // primary) when deriving v1 credentials so the resulting authPW matches + // the stored verifier on accounts whose primary email has been swapped. + // v2 accounts derive from `clientSalt` and don't need this — callers can + // short-circuit when verifierVersion === 2. + public async fetchOriginalAccountEmail( + sessionToken: hexstring, + headers?: Headers + ): Promise<{ email: string }> { + return this.sessionGet( + '/session/original-account-email', + sessionToken, + headers + ); + } } diff --git a/packages/fxa-auth-client/test/client.ts b/packages/fxa-auth-client/test/client.ts index 5ee2722d7ed..daf4b5bc591 100644 --- a/packages/fxa-auth-client/test/client.ts +++ b/packages/fxa-auth-client/test/client.ts @@ -4,6 +4,7 @@ import * as assert from 'assert'; import AuthClient from '../server'; +import * as crypto from '../lib/crypto'; describe('lib/client', () => { let client: AuthClient; @@ -86,4 +87,86 @@ describe('lib/client', () => { assert.notEqual(lastInit?.credentials, 'include'); }); }); + + describe('use original account email for derivation for v1 password flows', () => { + let testClient: AuthClient; + let originalFetch: typeof globalThis.fetch; + const SESSION_TOKEN = '00'.repeat(32); + const SIGNUP_EMAIL = 'signup@example.com'; + const CURRENT_EMAIL = 'primary-now@example.com'; + + let requests: Array<{ url: string; init: RequestInit | undefined }>; + let respondWith: ( + url: string, + init: RequestInit | undefined + ) => Response | Promise; + + before(() => { + testClient = new AuthClient('http://localhost:9000'); + }); + + beforeEach(() => { + originalFetch = globalThis.fetch; + requests = []; + // Default: respond with empty JSON for any path the test doesn't + // explicitly handle. Tests override `respondWith` to assert paths. + respondWith = () => + new Response('{}', { + status: 200, + headers: { 'Content-Type': 'application/json' }, + }); + globalThis.fetch = (async (url: string, init?: RequestInit) => { + requests.push({ url, init }); + return respondWith(url, init); + }) as typeof globalThis.fetch; + }); + + afterEach(() => { + globalThis.fetch = originalFetch; + }); + + it('fetchOriginalAccountEmail GETs /session/original-account-email', async () => { + respondWith = () => + new Response(JSON.stringify({ email: SIGNUP_EMAIL }), { + status: 200, + headers: { 'Content-Type': 'application/json' }, + }); + const result = await testClient.fetchOriginalAccountEmail(SESSION_TOKEN); + assert.deepEqual(result, { email: SIGNUP_EMAIL }); + assert.equal(requests.length, 1); + assert.ok(requests[0].url.endsWith('/session/original-account-email')); + assert.equal(requests[0].init?.method, 'GET'); + }); + + it('sessionReauth derives authPW from the original account email', async () => { + // First request must be /session/original-account-email returning the + // signup email; subsequent /session/reauth call should carry that email + // as `email` (derivation salt + account lookup) and the user's current + // primary as `originalLoginEmail` (validated against the current primary + // server-side by checkEmailAddress). + respondWith = (url) => { + if (url.includes('/session/original-account-email')) { + return new Response(JSON.stringify({ email: SIGNUP_EMAIL }), { + status: 200, + headers: { 'Content-Type': 'application/json' }, + }); + } + return new Response('{}', { + status: 200, + headers: { 'Content-Type': 'application/json' }, + }); + }; + + await testClient.sessionReauth(SESSION_TOKEN, CURRENT_EMAIL, 'pw'); + assert.equal(requests[0].init?.method, 'GET'); + assert.ok(requests[0].url.includes('/session/original-account-email')); + const reauthReq = requests.find((r) => r.url.includes('/session/reauth')); + assert.ok(reauthReq, '/session/reauth should be called'); + const body = JSON.parse(reauthReq!.init?.body as string); + assert.equal(body.email, SIGNUP_EMAIL); + assert.equal(body.originalLoginEmail, CURRENT_EMAIL); + const expected = await crypto.getCredentials(SIGNUP_EMAIL, 'pw'); + assert.equal(body.authPW, expected.authPW); + }); + }); }); diff --git a/packages/fxa-auth-server/docs/swagger/session-api.ts b/packages/fxa-auth-server/docs/swagger/session-api.ts index 3f452b110a8..2e833f8b8d5 100644 --- a/packages/fxa-auth-server/docs/swagger/session-api.ts +++ b/packages/fxa-auth-server/docs/swagger/session-api.ts @@ -130,6 +130,21 @@ const SESSION_RESEND_CODE_POST = { notes: ['🔒 Authenticated with session token'], }; +const SESSION_ORIGINAL_ACCOUNT_EMAIL_GET = { + ...TAGS_SESSION, + description: '/session/original-account-email', + notes: [ + dedent` + 🔒 Authenticated with session token + + Returns the account's signup email — the value used as the salt for v1 password derivation. Clients deriving v1 credentials must use this email (not the user's current primary email) so that the resulting authPW matches the stored verifier. Self-deprecating: v2 accounts derive from \`clientSalt\` and don't need this call; the endpoint can be removed once v1 is fully phased out. + + **Response object:** + - \`email\`: The account's signup email (\`accounts.email\`). + `, + ], +}; + const API_DOCS = { SESSION_DESTROY_POST, SESSION_DUPLICATE_POST, @@ -137,6 +152,7 @@ const API_DOCS = { SESSION_STATUS_GET, SESSION_RESEND_CODE_POST, SESSION_VERIFY_CODE_POST, + SESSION_ORIGINAL_ACCOUNT_EMAIL_GET, }; export default API_DOCS; diff --git a/packages/fxa-auth-server/lib/routes/password.spec.ts b/packages/fxa-auth-server/lib/routes/password.spec.ts index 4cf0ef13c18..b4b83bd3746 100644 --- a/packages/fxa-auth-server/lib/routes/password.spec.ts +++ b/packages/fxa-auth-server/lib/routes/password.spec.ts @@ -559,7 +559,7 @@ describe('/password', () => { TEST_EMAIL, 'authenticatedPasswordChange' ); - expect(mockDB.accountRecord).toHaveBeenCalledWith(TEST_EMAIL); + expect(mockDB.account).toHaveBeenCalledWith(uid); expect(mockDB.createKeyFetchToken).toHaveBeenCalledTimes(1); expect(mockDB.createPasswordChangeToken).toHaveBeenCalledWith({ uid }); @@ -623,13 +623,54 @@ describe('/password', () => { TEST_EMAIL, 'authenticatedPasswordChange' ); - expect(mockDB.accountRecord).toHaveBeenCalledWith(TEST_EMAIL); + expect(mockDB.account).toHaveBeenCalledWith(uid); expect(mockDB.createKeyFetchToken).toHaveBeenCalledTimes(1); expect(mockDB.createPasswordChangeToken).toHaveBeenCalledWith({ uid }); expect(response.keyFetchToken).toBeTruthy(); expect(response.passwordChangeToken).toBeTruthy(); }); + + it('fails fast with INCORRECT_EMAIL_CASE when payload email does not match account.email', async () => { + const uid = uuid.v4({}, Buffer.alloc(16)).toString('hex'); + // Account's signup email is the canonical v1 PBKDF2 salt. + const mockDB = mocks.mockDB({ + email: 'signup@example.com', + uid, + emailVerified: true, + }); + const mockSession = await mockDB.createSessionToken({}); + const mockRequest = mocks.mockRequest({ + credentials: mockSession, + payload: { + // Client deriving with the current primary instead of the + // signup email — the FXA-13627 case. Server must surface the + // canonical email back via errno 120. + email: 'primary-now@example.com', + oldAuthPW: crypto.randomBytes(32).toString('hex'), + }, + log: mocks.mockLog(), + }); + const passwordRoutes = makeRoutes({ + db: mockDB, + push: mocks.mockPush(), + mailer: mocks.mockMailer(), + log: mocks.mockLog(), + customs: mocks.mockCustoms(), + statsd: mocks.mockStatsd(), + }); + + let err: any; + try { + await runRoute(passwordRoutes, '/password/change/start', mockRequest); + } catch (e) { + err = e; + } + expect(err).toBeDefined(); + expect(err.errno).toBe(error.ERRNO.INCORRECT_EMAIL_CASE); + expect(err.output.payload.email).toBe('signup@example.com'); + expect(mockDB.account).toHaveBeenCalledWith(uid); + }); }); describe('/change/finish', () => { @@ -1078,8 +1119,12 @@ describe('/password', () => { expect(response.authAt).toBeTruthy(); expect(response.keyFetchToken).toBeTruthy(); - // Verify database calls - expect(mockDB.account).toHaveBeenCalledTimes(1); + // Verify database calls. db.account is called twice now: once at + // the top of the handler to identify the account by sessionToken.uid + // (replaces the old `accountRecord(email)` lookup), and once inside + // changePassword to load the row for the reset. + expect(mockDB.account).toHaveBeenCalledTimes(2); + expect(mockDB.account).toHaveBeenNthCalledWith(1, uid); expect(mockDB.resetAccount).toHaveBeenCalledTimes(1); expect(mockDB.resetAccount).toHaveBeenCalledWith( expect.objectContaining({ uid }), @@ -1299,5 +1344,66 @@ describe('/password', () => { // verified (deprecated compat field) should remain present and consistent expect(response.verified).toBe(true); }); + + it('fails fast with INCORRECT_EMAIL_CASE when payload email does not match account.email', async () => { + const oldAuthPW = crypto.randomBytes(32).toString('hex'); + const authPW = crypto.randomBytes(32).toString('hex'); + const wrapKb = crypto.randomBytes(32).toString('hex'); + + // Account's signup email is the canonical v1 PBKDF2 salt. + mockDB = mocks.mockDB({ + email: 'signup@example.com', + uid, + emailVerified: true, + isPasswordMatchV1: true, + }); + + const mockRequest = mocks.mockRequest({ + log: mockLog, + auth: { + credentials: { + uid, + email: 'signup@example.com', + emailVerified: true, + tokenVerified: true, + authenticatorAssuranceLevel: 2, + lastAuthAt: () => Date.now(), + data: crypto.randomBytes(32).toString('hex'), + }, + }, + payload: { + // Client deriving with the current primary instead of the + // signup email — the FXA-13627 case. Server must surface the + // canonical email back via errno 120 instead of silently + // failing the password verification. + email: 'primary-now@example.com', + oldAuthPW, + authPW, + wrapKb, + }, + query: { keys: 'true' }, + }); + + const passwordRoutes = makeRoutes({ + db: mockDB, + mailer: mockMailer, + push: mockPush, + log: mockLog, + statsd: mockStatsd, + customs: mockCustoms, + }); + + let err: any; + try { + await runRoute(passwordRoutes, '/mfa/password/change', mockRequest); + } catch (e) { + err = e; + } + expect(err).toBeDefined(); + expect(err.errno).toBe(error.ERRNO.INCORRECT_EMAIL_CASE); + expect(err.output.payload.email).toBe('signup@example.com'); + // Reset must not be invoked when the email mismatch is rejected. + expect(mockDB.resetAccount).not.toHaveBeenCalled(); + }); }); }); diff --git a/packages/fxa-auth-server/lib/routes/password.ts b/packages/fxa-auth-server/lib/routes/password.ts index 7b46b929ce7..4cba3c50cdb 100644 --- a/packages/fxa-auth-server/lib/routes/password.ts +++ b/packages/fxa-auth-server/lib/routes/password.ts @@ -125,10 +125,10 @@ module.exports = function ( let passwordChangeToken: any | undefined = undefined; try { - const emailRecord = await db.accountRecord(email); + const emailRecord = await db.account(sessionToken.uid); - if (sessionToken.uid !== emailRecord.uid) { - throw error.invalidToken('Invalid session token'); + if (!emailsMatch(email, emailRecord.email)) { + throw error.incorrectPassword(emailRecord.email, form.email); } const password = new Password( @@ -661,7 +661,11 @@ module.exports = function ( clientSalt?: string; }; - const emailRecord = await db.accountRecord(email); + const emailRecord = await db.account(uid); + + if (!emailsMatch(email, emailRecord.email)) { + throw error.incorrectPassword(emailRecord.email, email); + } const password = new Password( oldAuthPW, diff --git a/packages/fxa-auth-server/lib/routes/session.js b/packages/fxa-auth-server/lib/routes/session.js index 7fbb2eaef13..3e8322c2249 100644 --- a/packages/fxa-auth-server/lib/routes/session.js +++ b/packages/fxa-auth-server/lib/routes/session.js @@ -5,6 +5,7 @@ 'use strict'; const { AppError: error } = require('@fxa/accounts/errors'); +const { emailsMatch } = require('fxa-shared/email/helpers'); const isA = require('joi'); const requestHelper = require('../routes/utils/request_helper'); const METRICS_CONTEXT_SCHEMA = require('../metrics/context').schema; @@ -173,19 +174,19 @@ module.exports = function ( throw error.disabledClientId(service); } - const account = await db.accountRecord(email); - if (account.uid !== sessionToken.uid) { - throw error.unknownAccount(email); + const account = await db.account(sessionToken.uid); + if (!emailsMatch(email, account.email)) { + throw error.incorrectPassword(account.email, email); } - const { accountRecord } = await signinUtils.checkCustomsAndLoadAccount( + await signinUtils.checkCustomsAndLoadAccount( request, email, sessionToken.uid ); // Start temporary metrics section - if (!account?.primaryEmail?.isVerified) { + if (!account.primaryEmail?.isVerified) { statsd.increment( 'session_reauth.primary_email_not_verified', getClientServiceTags(request) @@ -208,29 +209,29 @@ module.exports = function ( // End temporary metrics section await signinUtils.checkEmailAddress( - accountRecord, + account, email, originalLoginEmail ); const password = new Password( authPW, - accountRecord.authSalt, - accountRecord.verifierVersion + account.authSalt, + account.verifierVersion ); const match = await signinUtils.checkPassword( - accountRecord, + account, password, request ); if (!match) { - throw error.incorrectPassword(accountRecord.email, email); + throw error.incorrectPassword(account.email, email); } // Check to see if the user has a TOTP token and it is verified and // enabled, if so then the verification method is automatically forced so that // they have to verify the token. - const hasTotpToken = await otpUtils.hasTotpToken(accountRecord); + const hasTotpToken = await otpUtils.hasTotpToken(account); if (hasTotpToken) { // User has enabled TOTP, no way around it, they must verify TOTP token verificationMethod = 'totp-2fa'; @@ -261,7 +262,7 @@ module.exports = function ( await signinUtils.sendSigninNotifications( request, - accountRecord, + account, sessionToken, verificationMethod ); @@ -269,14 +270,14 @@ module.exports = function ( const response = { uid: sessionToken.uid, authAt: sessionToken.lastAuthAt(), - metricsEnabled: !accountRecord.metricsOptOut, + metricsEnabled: !account.metricsOptOut, emailVerified: sessionToken.emailVerified, }; if (requestHelper.wantsKeys(request)) { const keyFetchToken = await signinUtils.createKeyFetchToken( request, - accountRecord, + account, password, sessionToken ); @@ -364,6 +365,29 @@ module.exports = function ( }; }, }, + { + method: 'GET', + path: '/session/original-account-email', + options: { + ...SESSION_DOCS.SESSION_ORIGINAL_ACCOUNT_EMAIL_GET, + auth: { + strategy: 'sessionToken', + }, + response: { + schema: isA.object({ + email: isA.string().required(), + }), + }, + }, + handler: async function (request) { + log.begin('Session.originalAccountEmail', request); + const sessionToken = request.auth.credentials; + const account = await db.account(sessionToken.uid); + return { + email: account.email + }; + }, + }, { method: 'POST', path: '/session/duplicate', diff --git a/packages/fxa-auth-server/lib/routes/session.spec.ts b/packages/fxa-auth-server/lib/routes/session.spec.ts index 50d795db343..397818f6c7c 100644 --- a/packages/fxa-auth-server/lib/routes/session.spec.ts +++ b/packages/fxa-auth-server/lib/routes/session.spec.ts @@ -400,6 +400,37 @@ describe('/session/status', () => { }); }); +describe('/session/original-account-email', () => { + let log: any, db: any, config: any, routes: any, route: any; + + beforeEach(() => { + jest.clearAllMocks(); + log = mocks.mockLog(); + mocks.mockFxaMailer(); + mocks.mockOAuthClientInfo(); + db = { + account: jest.fn().mockResolvedValue({ + uid: 'account-123', + email: 'signup@example.com', + }), + }; + config = {}; + routes = makeRoutes({ log, db, config }); + route = getRoute(routes, '/session/original-account-email'); + }); + + it('returns the signup email for the session uid', async () => { + const request = mocks.mockRequest({ + credentials: { uid: 'account-123' }, + }); + const resp = await runTest(route, request); + expect(db.account).toHaveBeenCalledWith('account-123'); + expect(resp).toEqual({ + email: 'signup@example.com', + }); + }); +}); + describe('/session/reauth', () => { const TEST_EMAIL = 'foo@example.com'; const TEST_UID = 'abcdef123456'; @@ -497,8 +528,10 @@ describe('/session/reauth', () => { expect(checkCustomsArgs[0]).toBe(request); expect(checkCustomsArgs[1]).toBe(TEST_EMAIL); - expect(db.accountRecord).toHaveBeenCalledTimes(2); - expect(db.accountRecord).toHaveBeenNthCalledWith(1, TEST_EMAIL); + + expect(db.account).toHaveBeenCalledTimes(1); + expect(db.account).toHaveBeenNthCalledWith(1, TEST_UID); + expect(db.accountRecord).toHaveBeenCalledTimes(1); expect(signinUtils.checkEmailAddress).toHaveBeenCalledTimes(1); const checkEmailArgs = signinUtils.checkEmailAddress.mock.calls[0]; @@ -553,10 +586,10 @@ describe('/session/reauth', () => { }); }); - it('erorrs when session uid and email account uid mismatch', () => { + it('errors with INCORRECT_EMAIL_CASE when payload email does not match account.email', () => { db = mocks.mockDB({ - email: 'hello@bs.gg', - uid: 'quux', + email: 'signup@example.com', + uid: TEST_UID, }); const routes = makeRoutes({ log, @@ -569,15 +602,20 @@ describe('/session/reauth', () => { const route = getRoute(routes, '/session/reauth'); const req = { ...request, - payload: { ...request.payload, email: 'hello@bs.gg' }, + // Client sends current primary instead of the signup email — has been a + // common issue with client side implementations. Server must surface + // the original account email back so the client can derive the correct + // V1 authPW. + payload: { ...request.payload, email: 'primary-now@example.com' }, }; return runTest(route, req).then( () => { throw new Error('request should have been rejected'); }, (err: any) => { - expect(db.accountRecord).toHaveBeenCalledTimes(1); - expect(err.errno).toBe(error.ERRNO.ACCOUNT_UNKNOWN); + expect(db.account).toHaveBeenCalledTimes(1); + expect(err.errno).toBe(error.ERRNO.INCORRECT_EMAIL_CASE); + expect(err.output.payload.email).toBe('signup@example.com'); } ); }); diff --git a/packages/fxa-auth-server/test/mocks.js b/packages/fxa-auth-server/test/mocks.js index c436fd5bf00..a7f2cf898b2 100644 --- a/packages/fxa-auth-server/test/mocks.js +++ b/packages/fxa-auth-server/test/mocks.js @@ -417,7 +417,11 @@ function mockDB(data, errors) { ], uid: uid || data.uid, // Prefer the uid parameter, fall back to data.uid verifierSetAt: data.verifierSetAt ?? Date.now(), - wrapWrapKb: data.wrapWrapKb, + // Match `accountRecord` so flows that switched from + // `accountRecord(email)` to `account(uid)` get a usable record. + kA: data.kA || crypto.randomBytes(32), + wrapWrapKb: data.wrapWrapKb || crypto.randomBytes(32), + verifierVersion: data.verifierVersion ?? 1, metricsOptOutAt: data.metricsOptOutAt || null, }); }), diff --git a/packages/fxa-auth-server/test/remote/password_change.in.spec.ts b/packages/fxa-auth-server/test/remote/password_change.in.spec.ts index 215973189e2..4795ab36530 100644 --- a/packages/fxa-auth-server/test/remote/password_change.in.spec.ts +++ b/packages/fxa-auth-server/test/remote/password_change.in.spec.ts @@ -508,7 +508,7 @@ describe.each(testVersions)( ); fail('Should have failed.'); } catch (err: any) { - expect(err.message).toBe('Invalid session token'); + expect(err.message).toBe('Incorrect email case'); } });