mozilla · dschom · May 15, 2026
@@ -750,9 +750,13 @@ export default class AuthClient {
               );
             }
           } catch (err) {
-            Sentry.captureMessage(
-              'Failure to complete v2 key stretch upgrade.'
-            );
+            Sentry.captureException(err, {
+              tags: {
+                errno: err?.errno,
+                endpoint: 'passwordChange',
+                source: 'v2-upgrade',
+              },
+            });
           }
         } else if (credentials.v2) {
           // Already using V2! Just sign in.
@@ -1497,45 +1501,40 @@ export default class AuthClient {
 
   async sessionReauth(
     sessionToken: hexstring,
-    email: string,
+    primaryEmail: string,
     password: string,
     options: SessionReauthOptions = {},
     headers?: Headers
   ): Promise<SessionReauthedAccountData> {
-    const credentials = await crypto.getCredentials(email, password);
-    try {
-      const accountData = await this.sessionReauthWithAuthPW(
+    // v1 stretching salts using the account's initial signup email, which can
+    // differ from the user's current primary. Resolve the derivation email
+    // up-front (callers may pre-supply it via `options.originalLoginEmail` to
+    // skip the roundtrip) so we derive the correct authPW the first time.
+    let derivationEmail = options.originalLoginEmail;
+    if (derivationEmail == null) {
+      const result = await this.fetchOriginalAccountEmail(
         sessionToken,
-        email,
-        credentials.authPW,
-        options,
         headers
       );
-      if (options.keys) {
-        accountData.unwrapBKey = credentials.unwrapBKey;
-      }
-      return accountData;
-    } catch (error: any) {
-      if (
-        error &&
-        error.email &&
-        error.errno === ERRORS.INCORRECT_EMAIL_CASE &&
-        !options.skipCaseError
-      ) {
-        options.skipCaseError = true;
-        options.originalLoginEmail = email;
+      derivationEmail = result.email;
+    }
 
-        return this.sessionReauth(
-          sessionToken,
-          error.email,
-          password,
-          options,
-          headers
-        );
-      } else {
-        throw error;
-      }
+    const credentials = await crypto.getCredentials(derivationEmail, password);
+    // Server semantics: payload.email is the email used for authPW derivation
+    // and account lookup (the immutable account.email); payload.originalLoginEmail
+    // is the email the user typed for login (checked against the current primary
+    // via checkEmailAddress). Map the helper's args onto the wire format.
+    const accountData = await this.sessionReauthWithAuthPW(
+      sessionToken,
+      derivationEmail,
+      credentials.authPW,
+      { ...options, originalLoginEmail: primaryEmail },
+      headers
+    );
+    if (options.keys) {
+      accountData.unwrapBKey = credentials.unwrapBKey;
     }
+    return accountData;
   }
 
   async sessionReauthWithAuthPW(
@@ -1570,8 +1569,15 @@ export default class AuthClient {
     } = {},
     headers?: Headers
   ): Promise<SignedInAccountData> {
+    // v1 stretching salts using the accounts initial signup email, which
+    // can differ from the user's current primary email. Fetch the original
+    // account email up-front so we derive the correct authPW the first time.
+    const { email: originalEmail } = await this.fetchOriginalAccountEmail(
+      sessionToken,
+      headers
+    );
     const oldCredentials = await this.passwordChangeStart(
-      email,
+      originalEmail,
       oldPassword,
       sessionToken,
       undefined,
@@ -1604,7 +1610,7 @@ export default class AuthClient {
     let unwrapBKeyVersion2: string | undefined;
     if (this.keyStretchVersion === 2) {
       const v2Payload = await this.createPasswordChangeV2Payload(
-        email,
+        originalEmail,
         newPassword,
         keys,
         newCredentials,
@@ -1684,6 +1690,15 @@ export default class AuthClient {
     }
   }
 
+  /**
+   * Initiates the password change process by validating the old password and returning the necessary tokens for the password change flow.
+   * @param email - The original email associated with the account, used for deriving the correct credentials. This is the salt.
+   * @param oldPassword - The current password of the user, used to derive the old credentials for validation.
+   * @param sessionToken - The session token of the authenticated user, required for authorization of the password change operation.
+   * @param options - Additional options for the password change process, such as skipping email case error handling.
+   * @param headers - Optional headers for the request, allowing for customization of the request context.
+   * @returns
+   */
   private async passwordChangeStart(
     email: string,
     oldPassword: string,
@@ -1835,16 +1850,28 @@ export default class AuthClient {
     } = {},
     headers?: Headers
   ): Promise<SignedInAccountData> {
+    // Both the old v1 credentials and the new v1 credentials are salted by
+    // the account's original signup email, which can differ from the
+    // user's current primary. Fetch the original account email up-front so
+    // every derivation below matches the stored verifier on the first try.
+    const { email: originalEmail } = await this.fetchOriginalAccountEmail(
+      sessionToken,
+      headers
+    );
     const oldCredentials = await this.sessionReauth(
       sessionToken,
-      options.reauthEmail || email,
+      email,
       oldPassword,
       {
         keys: true,
+        originalLoginEmail: originalEmail,
       },
       headers
     );
-    const oldCredentialsAuth = await crypto.getCredentials(email, oldPassword);
+    const oldCredentialsAuth = await crypto.getCredentials(
+      originalEmail,
+      oldPassword
+    );
     const oldAuthPW = oldCredentialsAuth.authPW;
 
     const keys = await this.accountKeys(
@@ -1853,7 +1880,10 @@ export default class AuthClient {
       headers
     );
 
-    const newCredentials = await crypto.getCredentials(email, newPassword);
+    const newCredentials = await crypto.getCredentials(
+      originalEmail,
+      newPassword
+    );
 
     const wrapKb = crypto.unwrapKB(keys.kB, newCredentials.unwrapBKey);
     const authPW = newCredentials.authPW;
@@ -1867,15 +1897,15 @@ export default class AuthClient {
       wrapKbVersion2?: string;
       clientSalt?: string;
     } = {
-      email,
+      email: originalEmail,
       oldAuthPW,
       authPW,
       wrapKb,
     };
 
     if (this.keyStretchVersion === 2) {
       const v2Payload = await this.createPasswordChangeV2Payload(
-        email,
+        originalEmail,
         newPassword,
         keys,
         newCredentials,
@@ -1890,37 +1920,7 @@ export default class AuthClient {
       };
     }
 
-    try {
-      const accountData = await this.jwtPost(
-        '/mfa/password/change',
-        jwt,
-        payload,
-        headers
-      );
-
-      return accountData;
-    } catch (error: any) {
-      if (
-        error &&
-        error.email &&
-        error.errno === ERRORS.INCORRECT_EMAIL_CASE &&
-        !options.skipCaseError
-      ) {
-        options.skipCaseError = true;
-        options.reauthEmail = email;
-        return await this.passwordChangeWithJWT(
-          jwt,
-          error.email,
-          oldPassword,
-          newPassword,
-          sessionToken,
-          options,
-          headers
-        );
-      } else {
-        throw error;
-      }
-    }
+    return this.jwtPost('/mfa/password/change', jwt, payload, headers);
   }
 
   async createPassword(
@@ -3701,4 +3701,21 @@ export default class AuthClient {
       throw error;
     }
   }
+
+  // Returns the account's signup email — the immutable PBKDF2 salt for v1
+  // password derivation. Callers must use this email (not the user's current
+  // primary) when deriving v1 credentials so the resulting authPW matches
+  // the stored verifier on accounts whose primary email has been swapped.
+  // v2 accounts derive from `clientSalt` and don't need this — callers can
+  // short-circuit when verifierVersion === 2.
+  public async fetchOriginalAccountEmail(
+    sessionToken: hexstring,
+    headers?: Headers
+  ): Promise<{ email: string }> {
+    return this.sessionGet(
+      '/session/original-account-email',
+      sessionToken,
+      headers
+    );
+  }
 }
@@ -4,6 +4,7 @@
 
 import * as assert from 'assert';
 import AuthClient from '../server';
+import * as crypto from '../lib/crypto';
 
 describe('lib/client', () => {
   let client: AuthClient;
@@ -86,4 +87,86 @@ describe('lib/client', () => {
       assert.notEqual(lastInit?.credentials, 'include');
     });
   });
+
+  describe('use original account email for derivation for v1 password flows', () => {
+    let testClient: AuthClient;
+    let originalFetch: typeof globalThis.fetch;
+    const SESSION_TOKEN = '00'.repeat(32);
+    const SIGNUP_EMAIL = 'signup@example.com';
+    const CURRENT_EMAIL = 'primary-now@example.com';
+
+    let requests: Array<{ url: string; init: RequestInit | undefined }>;
+    let respondWith: (
+      url: string,
+      init: RequestInit | undefined
+    ) => Response | Promise<Response>;
+
+    before(() => {
+      testClient = new AuthClient('http://localhost:9000');
+    });
+
+    beforeEach(() => {
+      originalFetch = globalThis.fetch;
+      requests = [];
+      // Default: respond with empty JSON for any path the test doesn't
+      // explicitly handle. Tests override `respondWith` to assert paths.
+      respondWith = () =>
+        new Response('{}', {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      globalThis.fetch = (async (url: string, init?: RequestInit) => {
+        requests.push({ url, init });
+        return respondWith(url, init);
+      }) as typeof globalThis.fetch;
+    });
+
+    afterEach(() => {
+      globalThis.fetch = originalFetch;
+    });
+
+    it('fetchOriginalAccountEmail GETs /session/original-account-email', async () => {
+      respondWith = () =>
+        new Response(JSON.stringify({ email: SIGNUP_EMAIL }), {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      const result = await testClient.fetchOriginalAccountEmail(SESSION_TOKEN);
+      assert.deepEqual(result, { email: SIGNUP_EMAIL });
+      assert.equal(requests.length, 1);
+      assert.ok(requests[0].url.endsWith('/session/original-account-email'));
+      assert.equal(requests[0].init?.method, 'GET');
+    });
+
+    it('sessionReauth derives authPW from the original account email', async () => {
+      // First request must be /session/original-account-email returning the
+      // signup email; subsequent /session/reauth call should carry that email
+      // as `email` (derivation salt + account lookup) and the user's current
+      // primary as `originalLoginEmail` (validated against the current primary
+      // server-side by checkEmailAddress).
+      respondWith = (url) => {
+        if (url.includes('/session/original-account-email')) {
+          return new Response(JSON.stringify({ email: SIGNUP_EMAIL }), {
+            status: 200,
+            headers: { 'Content-Type': 'application/json' },
+          });
+        }
+        return new Response('{}', {
+          status: 200,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      };
+
+      await testClient.sessionReauth(SESSION_TOKEN, CURRENT_EMAIL, 'pw');
+      assert.equal(requests[0].init?.method, 'GET');
+      assert.ok(requests[0].url.includes('/session/original-account-email'));
+      const reauthReq = requests.find((r) => r.url.includes('/session/reauth'));
+      assert.ok(reauthReq, '/session/reauth should be called');
+      const body = JSON.parse(reauthReq!.init?.body as string);
+      assert.equal(body.email, SIGNUP_EMAIL);
+      assert.equal(body.originalLoginEmail, CURRENT_EMAIL);
+      const expected = await crypto.getCredentials(SIGNUP_EMAIL, 'pw');
+      assert.equal(body.authPW, expected.authPW);
+    });
+  });
 });
@@ -130,13 +130,29 @@ const SESSION_RESEND_CODE_POST = {
   notes: ['🔒 Authenticated with session token'],
 };
 
+const SESSION_ORIGINAL_ACCOUNT_EMAIL_GET = {
+  ...TAGS_SESSION,
+  description: '/session/original-account-email',
+  notes: [
+    dedent`
+      🔒 Authenticated with session token
+
+      Returns the account's signup email — the value used as the salt for v1 password derivation. Clients deriving v1 credentials must use this email (not the user's current primary email) so that the resulting authPW matches the stored verifier. Self-deprecating: v2 accounts derive from \`clientSalt\` and don't need this call; the endpoint can be removed once v1 is fully phased out.
+
+      **Response object:**
+      - \`email\`: The account's signup email (\`accounts.email\`).
+    `,
+  ],
+};
+
 const API_DOCS = {
   SESSION_DESTROY_POST,
   SESSION_DUPLICATE_POST,
   SESSION_REAUTH_POST,
   SESSION_STATUS_GET,
   SESSION_RESEND_CODE_POST,
   SESSION_VERIFY_CODE_POST,
+  SESSION_ORIGINAL_ACCOUNT_EMAIL_GET,
 };
 
 export default API_DOCS;