feat: signin unblock

[shane-tomlinson]

fixes #4036

[shane-tomlinson]

Ugh, sorry for the gigantic diff. @vbudhram, @seanmonstar, @vladikoff - r?

Going to try to put onto a dev box with @seanmonstar's PRs too.

[shane-tomlinson]

And now some functional tests fail. Still, let's start review to get feedback on code.

[shane-tomlinson]

Add email as a @param

[shane-tomlinson]

Revert this change - it'll be fixed by fixing #4219

[shane-tomlinson]

This test fails locally.

[shane-tomlinson]

Fixed it!

[vladikoff]

nit: missing doc, unlike the function below

[vladikoff]

nit: let's try to use {String} instead of {string}

[vladikoff]

login authorization code -> login unblock code ?

[vladikoff]

I would call this code -> unblockCode I think

[vladikoff]

Reject a login authorization code. -> Reject a signin unblock code. ?

[vladikoff]

unblockCode ?

[vladikoff]

move 'email-captcha' into a const into file above ?

[shane-tomlinson]

This should go into lib/verification-methods.js.

[vladikoff]

might need metrics events for the unblock err dance here

[shane-tomlinson]

might need metrics events for the unblock err dance here

@vladikoff - is fxa.content.screen.signin_unblock sufficient?

[vladikoff]

do we need this const here, we only use it once below

[vladikoff]

nit: maybe a doc above about this view

[vladikoff]

hm surprised to see this error handler in sign_in_unblock.

[shane-tomlinson]

We are re-signing the user in with the email/password they entered on the /signin page + the unblockCode entered here. If the user entered their password incorrectly, we'll only find out after this step, and then we have to send them back to the previous screen.

[shane-tomlinson]

Ahha, I took that out and moved it to user, good eye.

[shane-tomlinson]

for sure we should add it.

[shane-tomlinson]

And we need a real link. :D

[shane-tomlinson]

Good point, I'll change this to something like "problem sending unblock email" because that's how this error condition occurs.

[shane-tomlinson]

This should go into lib/verification-methods.js.

[shane-tomlinson]

might need metrics events for the unblock err dance here

@vladikoff - is fxa.content.screen.signin_unblock sufficient?

[shane-tomlinson]

Add a top level doc.

[shane-tomlinson]

We are re-signing the user in with the email/password they entered on the /signin page + the unblockCode entered here. If the user entered their password incorrectly, we'll only find out after this step, and then we have to send them back to the previous screen.

[shane-tomlinson]

Don't forget about /oauth/signin and users who arrive here from /force_auth and /oauth/force_auth.

[shane-tomlinson]

Fixed it!

[vladikoff]

got a bit stuck here

[vladikoff]

There is an issue with

Correct Code ->> Incorrect Password ->> Press back button ->> arrive to "signin_unblock" with no query params

and I think that threw "invalid code". I'm guessing we would need to handle the "back" case somehow.

[shane-tomlinson]

got a bit stuck here

Hard blocks still remain in place to prevent signin unblock from being used as 1) a spam vector, and 2) a free pass to guess the user's FxA password by continually going through signin unblock. Some restrictions will likely be loosened a bit, @rfk wrote this in an email thread with @seanmonstar and I:

I was able to get into a non-unblockable situation by doing the following:

• Attempting signin to a bunch of non-existing accounts, then
• Attempting signin with the wrong password on my real account

The result was a 429 while calling /send_unblock_code, and UX as shown
in the attached screenshot.

My mental model of what happened is that my IP was rate-limited due to
the failed logins on different accounts, and since rate-limited IPs are
not allowed to do anything, this blocked the sending of the
authorization code email.

Sean, you might remember this failure mode from our time digging into
that weird "Don't block email-sending on IP address alone" comment in
the customs-server:

mozilla/fxa-customs-server@9a4eaf5

Perhaps the right thing in the short term, is to improve the UX of this
failure case, by only transitioning to the "we sent you an authorization
code" screen after we've successfully sent the code.

[shane-tomlinson]

There is an issue with

Correct Code ->> Incorrect Password ->> Press back button ->> arrive to "signin_unblock" with no query params

and I think that threw "invalid code". I'm guessing we would need to handle the "back" case somehow.

Good find!

[vbudhram]

Looks good so far, just a couple comments, haven't looked through tests yet.

[vbudhram]

I think it could be useful to check against the regex the auth server uses for unblock code, https://github.com/mozilla/fxa-auth-server/blob/2c0561df2aae7d166a21c05b70aaaff6efe982e8/lib/routes/validators.js#L17

[vbudhram]

This was a little confusing to me. I read it as either report or reject. Should it be reject and report? From looking at the auth-server endpoint, it appears to log an error, is this what is meant by report?

[shane-tomlinson]

Yup.

[shane-tomlinson]

Comment updated.

[vbudhram]

Can probably be replace with regex as well.

[shane-tomlinson]

Can probably be replace with regex as well.

I replaced this check with Validate.isUnblockCodeValid

[shane-tomlinson]

Problems/follow on work @ryanfeeley and I found today when testing:

• Incorrect password from force_auth does not allow the user to enter the correct password, upon return to /force_auth, the screen is blank except for an error that says "Incorrect password"
• Incorrect password from signup sends the user back to the signup page from signin_unblock, it should instead send the user to the signin page.
• Check how the screen appears from the firstrun page.
• Signin with an unverified account - the user must first enter the unblock code, THEN they see the "verify your account" screen.
• Doesn't work for Sync (user isn't forced through flow)

[shane-tomlinson]

This comment should be expanded upon.

[shane-tomlinson]

Signin with an unverified account - the user must first enter the unblock code, THEN they see the "verify your account" screen.

We have decided to punt on this for now.

[philbooth]

LGTM 👍

[philbooth]

I know this is only test code, but it sounded yesterday like we were agreeing either to move let declarations outside of loops or to use var instead.

[shane-tomlinson]

I'm pretty "meh" since our for loops iterate over such a small range and that was a v8 specific issue.

[shane-tomlinson]

on server side code though, we should probably absolutely worry about it.

[shane-tomlinson]

probably absolutely. Yes. English, not my strongest subject.

[seanmonstar]

Why move the let outside the for? It seems like exactly what is designed for: block level scoping.

[shane-tomlinson]

Why move the let outside the for? It seems like exactly what is designed for: block level scoping.

@jrgm thought he heard v8 has an issue where let inside of loops is significantly slower than var.

[shane-tomlinson]

Comment updated.

[shane-tomlinson]

Remove the link until it the content is ready, or perhaps we can use an able experiment to insert the link when we have one ready.

[shane-tomlinson]

Normalize these to handle the oauth case - this can be done using this.broker.transformLink.

[shane-tomlinson]

This could be a const

[rfk]

We have decided to punt on this for now.

@shane-tomlinson @seanmonstar please ensure we have a follow-up bug on file in the right milestone, so we don't lose track of it

[shane-tomlinson]

Fix the TODO!

[shane-tomlinson]

revert this change.