fix(recovery): set assuranceLevel when verifying with recovery code (#2388), r=@rfk

Author: vbudhram

lib/authMethods.js

@@ -17,7 +17,8 @@ const METHOD_TO_AMR = {
   'email': 'email',
   'email-captcha': 'email',
   'email-2fa': 'email',
-  'totp-2fa': 'otp'
+  'totp-2fa': 'otp',
+  'recovery-code': 'otp'
 }
 
 // Maps AMR values to the type of authenticator they represent, e.g.

lib/tokens/session_token.js

@@ -15,7 +15,8 @@ module.exports = (log, Token, config) => {
     [
       [0, 'email'],
       [1, 'email-2fa'],
-      [2, 'totp-2fa']
+      [2, 'totp-2fa'],
+      [3, 'recovery-code']
     ]
   )
 

test/client/index.js

@@ -135,18 +135,6 @@ module.exports = config => {
             }
             return client.verifyTotpCode(client.totpAuthenticator.generate())
           })
-          .then(() => {
-            // The above enables TOTP on the account, but doesn't mark the
-            // session as being verified via TOTP, because it was already verified
-            // via email.  Create a new session that's explicitly TOTP-verified.
-            return client.setupCredentials(email, password)
-          })
-          .then(() => {
-            return client.auth(options)
-          })
-          .then(() => {
-            return client.verifyTotpCode(client.totpAuthenticator.generate())
-          })
           .then(() => {
             return client
           })

test/local/authMethods.js

@@ -89,6 +89,10 @@ describe('verificationMethodToAMR', () => {
     assert.equal(authMethods.verificationMethodToAMR('totp-2fa'), 'otp')
   })
 
+  it('maps `recovery-code` to `otp`', () => {
+    assert.equal(authMethods.verificationMethodToAMR('recovery-code'), 'otp')
+  })
+
   it('throws when given an unknown verification method', () => {
     assert.throws(() => { authMethods.verificationMethodToAMR('email-gotcha') }, /unknown verificationMethod/)
   })

test/remote/recovery_code_tests.js

@@ -103,7 +103,7 @@ describe('remote recovery codes', function () {
         })
     })
 
-    it('should consume recovery and verify session', () => {
+    it('should consume recovery code and verify session', () => {
       return client.consumeRecoveryCode(recoveryCodes[0], {metricsContext})
         .then((res) => {
           assert.equal(res.remaining, 7, 'correct remaining codes')
@@ -117,6 +117,25 @@ describe('remote recovery codes', function () {
           assert.equal(emailData.headers['x-template-name'], 'postConsumeRecoveryCodeEmail', 'correct template sent')
         })
     })
+
+    it('should consume recovery code and can remove TOTP token', () => {
+      return client.consumeRecoveryCode(recoveryCodes[0], {metricsContext})
+        .then((res) => {
+          assert.equal(res.remaining, 7, 'correct remaining codes')
+          return server.mailbox.waitForEmail(email)
+        })
+        .then((emailData) => {
+          assert.equal(emailData.headers['x-template-name'], 'postConsumeRecoveryCodeEmail', 'correct template sent')
+          return client.deleteTotpToken()
+        })
+        .then((result) => {
+          assert.ok(result, 'delete totp token successfully')
+          return server.mailbox.waitForEmail(email)
+        })
+        .then((emailData) => {
+          assert.equal(emailData.headers['x-template-name'], 'postRemoveTwoStepAuthenticationEmail', 'correct template sent')
+        })
+    })
   })
 
   after(() => {