FXA-13463: The “Bad request” page is displayed for account with 2FA that tried to use backup codes at sign in #20600
When a user with 2FA enabled follows a passwordless (OTP email code) sign-in flow and clicks "Trouble entering code?" on the TOTP page, the recovery code and recovery phone containers were calling useOAuthKeysCheck without the isPasswordlessFlow skip flag. Passwordless users never derive keys (no password was entered), so the check incorrectly produced a TRY_AGAIN error that rendered the "Bad Request" page instead of the backup authentication code or recovery phone page. The fix mirrors what SigninTotpCodeContainer already does: pass isSignInWithThirdPartyAuth || isPasswordlessFlow as the skip flag.
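The skip-flag change described above, as an added example that is not part of the pull request or FxA's code: a simplified stand-in for the keys check, run over four constructed sign-in flows. The failure condition inside `oAuthKeysCheck`, the pre-fix flag (`isSignInWithThirdPartyAuth` only), the `wantsKeys` parameter and the helper names are assumptions; `errno: 1` is the value used in the PR's test mock.

```typescript
// Added example: simplified model, not FxA code. The real useOAuthKeysCheck is
// a React hook; only its skip flag and oAuthKeysCheckError result are on the page.
type SigninState = { isSignInWithThirdPartyAuth?: boolean; isPasswordlessFlow?: boolean };
type Keys = { keyFetchToken?: string; unwrapBKey?: string };
type KeysCheckError = { errno: number; message: string } | null;
type Page = 'recovery page' | 'Bad Request';

// Assumption: the check fails when the OAuth client wants keys but none were
// derived, unless the caller skips it. errno 1 is the value from the PR's mock.
function oAuthKeysCheck(wantsKeys: boolean, keys: Keys, skip: boolean): KeysCheckError {
  if (skip || !wantsKeys) return null;
  const hasKeys = Boolean(keys.keyFetchToken && keys.unwrapBKey);
  return hasKeys ? null : { errno: 1, message: 'TRY_AGAIN' };
}

// Skip flag before the fix (assumed: third-party auth only) and after it.
const skipBeforeFix = (s: SigninState): boolean => Boolean(s.isSignInWithThirdPartyAuth);
const skipAfterFix = (s: SigninState): boolean =>
  Boolean(s.isSignInWithThirdPartyAuth || s.isPasswordlessFlow);

// What a recovery-code or recovery-phone container renders for a key-requesting client.
function rendered(state: SigninState, keys: Keys, skip: (s: SigninState) => boolean): Page {
  return oAuthKeysCheck(true, keys, skip(state)) === null ? 'recovery page' : 'Bad Request';
}

// Constructed sign-in flows; token values are placeholders.
const derived: Keys = { keyFetchToken: 'kft-placeholder', unwrapBKey: 'ubk-placeholder' };
const flows: { name: string; state: SigninState; keys: Keys }[] = [
  { name: 'password', state: {}, keys: derived },
  { name: 'password, keys missing', state: {}, keys: {} },
  { name: 'third-party auth', state: { isSignInWithThirdPartyAuth: true }, keys: {} },
  { name: 'passwordless OTP', state: { isPasswordlessFlow: true }, keys: {} },
];

// One row per flow: the page rendered before and after the fix.
function regressionMatrix(): { name: string; before: Page; after: Page }[] {
  return flows.map((f) => ({
    name: f.name,
    before: rendered(f.state, f.keys, skipBeforeFix),
    after: rendered(f.state, f.keys, skipAfterFix),
  }));
}
```

Only the passwordless row changes between the two columns; the "password, keys missing" row still ends on "Bad Request", so in this model the skip does not relax the check for flows that are expected to derive keys.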
Contributor
Pull request overview
Fixes an FxA Settings sign-in regression where passwordless (OTP email) users with 2FA could hit an OAuth keys “TRY_AGAIN” check when navigating to backup-code or recovery-phone flows, resulting in a “Bad Request” error page instead of the intended recovery UI.
Changes:
- Skip the OAuth keys check in `SigninRecoveryCode` and `SigninRecoveryPhone` when `signinState.isPasswordlessFlow` is true (matching existing TOTP behavior).
- Add unit tests asserting the passwordless skip flag is forwarded to `useOAuthKeysCheck` and that recovery components render when the check is skipped.
- Refactor/mocking updates in `SigninRecoveryCode` tests to support the new assertions.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/fxa-settings/src/pages/Signin/SigninRecoveryPhone/container.tsx | Skip OAuth keys check for passwordless recovery-phone sign-in flow. |
| packages/fxa-settings/src/pages/Signin/SigninRecoveryPhone/container.test.tsx | Add tests for passwordless skip behavior and rendering path. |
| packages/fxa-settings/src/pages/Signin/SigninRecoveryCode/container.tsx | Skip OAuth keys check for passwordless recovery-code sign-in flow. |
| packages/fxa-settings/src/pages/Signin/SigninRecoveryCode/container.test.tsx | Add/migrate tests to cover passwordless skip behavior and rendering path. |
Comment on lines +263 to +277
| it('renders the recovery phone component when keys check is skipped for passwordless flow', () => { | ||
| (useOAuthKeysCheck as jest.Mock).mockImplementationOnce( | ||
| (_integration: any, _kft: any, _ubk: any, skipKeysCheck: boolean) => ({ | ||
| oAuthKeysCheckError: skipKeysCheck | ||
| ? null | ||
| : { errno: 1, message: 'TRY_AGAIN' }, | ||
| }) | ||
| ); | ||
| mockReachRouter('/signin_recovery_phone', { | ||
| signinState: { ...mockSigninLocationState, isPasswordlessFlow: true }, | ||
| lastFourPhoneDigits: '1234', | ||
| }); | ||
| renderSigninRecoveryPhoneContainer(); | ||
| expect(currentPageProps).toBeDefined(); | ||
| }); |
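Review bot: the only assertion in this test, `expect(currentPageProps).toBeDefined()`, shows that something rendered but not that the skip flag was what allowed it. Add an explicit check on the hook call, for example `expect(useOAuthKeysCheck).toHaveBeenCalledWith(expect.anything(), expect.anything(), expect.anything(), true)`, so a regression in the flag is reported directly. Also note that `mockImplementationOnce` covers only the first call to `useOAuthKeysCheck`; if the container renders more than once, later calls fall back to the default mock, so `mockImplementation` is the safer choice here. The `any` annotations on `_integration`, `_kft` and `_ubk` could be replaced with the hook's real parameter types so the mock breaks if the signature changes.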
Contributor
Seems like good testing feedback.
dschom approved these changes on May 15, 2026
dschom (Contributor) left a comment:
LGTM. The co-pilot feedback is easy to address and worth it.