Skip to content

bug(auth): Fix mfa strategy return type#19470

Merged
dschom merged 1 commit intomainfrom
bug-fix-mfa-strategy-return-type
Sep 18, 2025
Merged

bug(auth): Fix mfa strategy return type#19470
dschom merged 1 commit intomainfrom
bug-fix-mfa-strategy-return-type

Conversation

@dschom
Copy link
Copy Markdown
Contributor

@dschom dschom commented Sep 17, 2025

Because

  • The return type must be of type session token, or down stream code can fail
  • When auth.credentials was populated by the mfa auth strategy, downstream code would fail if authenticatorAssuranceLevel was accessed.

This pull request

  • Avoids spreading the sessionToken object
  • Ensures the original sessionToken object is returned
  • A little bit of cleanup... AppError.unauthorized to be consistent with sessionToken strategy
  • Adds test to directly test the mfa auth strategy.

Issue that this pull request solves

Closes: (issue number)

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

@dschom dschom requested a review from a team as a code owner September 17, 2025 21:57
This was referenced Sep 17, 2025
Merged
Merged
Merged
vpomerleau
vpomerleau approved these changes Sep 18, 2025
View reviewed changes
Comment thread packages/fxa-auth-server/test/local/routes/auth-schemes/mfa.js Outdated
Comment thread packages/fxa-auth-server/test/local/routes/auth-schemes/mfa.js
Comment thread packages/fxa-auth-server/lib/routes/auth-schemes/mfa.ts
@dschom
bug(auth): Fix mfa strategy return type
31f4377 
Because:
- The return type must be of type session token, or down stream code can fail

This commit:
- Avoids spreading the sessionToken object
- Ensures the original sessionToken object is returned
- Uses errors consistent with sessionToken auth strategy, ie AppError.unauthorized

This was detected, because the authenticatorAssuranceLevel was undefined on the credentials object returned by the mfa auth strategy.
@dschom dschom force-pushed the bug-fix-mfa-strategy-return-type branch from 8390095 to 31f4377 Compare September 18, 2025 17:34
@dschom dschom merged commit ccc259d into main Sep 18, 2025
19 checks passed
@dschom dschom deleted the bug-fix-mfa-strategy-return-type branch September 18, 2025 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vpomerleau vpomerleau vpomerleau approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dschom @vpomerleau