bug(auth, tests): Issue AAL2 token for password reset with recovery key#19486

Merged
dschom merged 1 commit into main from FXA-12425 on Sep 20, 2025
Conversation

@vpomerleau (Contributor)

Because

  • An account recovery key is considered equivalent to 2FA, and the issued token should match the 2FA AAL

This pull request

  • When using an account recovery key, verify token with totp-2fa method
  • Add a test to verify that this change allows account deletion

Issue that this pull request solves

Closes: FXA-12425

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

Any other information that is important to this pull request.

@vpomerleau vpomerleau requested a review from a team as a code owner September 19, 2025 19:56
@vpomerleau vpomerleau requested a review from dschom September 19, 2025 19:56
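The AAL decision the PR body describes, written out as an added example in the auth server's language. This is not FxA's code: the in-memory store, the method-to-AAL table, the shape of `completePasswordReset` and the `canDeleteAccount` policy are all assumptions made for illustration. What it shows is the failure mode the change fixes: a reset completed with a recovery key that is recorded with an AAL1 method leaves the session unable to perform an AAL2-gated operation such as account deletion.

```javascript
// Added example, not FxA code. Method names, the AAL mapping, the store
// API and the deletion policy below are assumptions for illustration.

// Assumed mapping from recorded verification method to authenticator
// assurance level. Only 'totp-2fa' reaches AAL2.
const AAL_BY_METHOD = {
  'email': 1,
  'email-2fa': 1,
  'totp-2fa': 2,
};

// Constructed in-memory store standing in for the db layer.
function createStore() {
  const sessions = new Map();
  return {
    createSession(id, { verificationMethod = 'email' } = {}) {
      sessions.set(id, { id, verificationMethod, verified: false });
    },
    // Marks the session verified and records how it was verified.
    verifyTokensWithMethod(id, method) {
      const s = sessions.get(id);
      if (!s) throw new Error(`unknown session ${id}`);
      if (!Object.prototype.hasOwnProperty.call(AAL_BY_METHOD, method)) {
        throw new Error(`unknown verification method ${method}`);
      }
      s.verified = true;
      s.verificationMethod = method;
    },
    get(id) {
      return sessions.get(id);
    },
  };
}

// An unverified session has no assurance level at all.
function aalOf(session) {
  if (!session || !session.verified) return 0;
  return AAL_BY_METHOD[session.verificationMethod];
}

// Mirrors the branch in the PR: a reset authorised by a recovery key is
// verified with the 2FA-equivalent method; otherwise the method recorded on
// the reset token is carried over. Returns the resulting AAL.
function completePasswordReset(db, sessionId, { accountResetToken, recoveryKeyId } = {}) {
  if (accountResetToken && accountResetToken.verificationMethod) {
    db.verifyTokensWithMethod(sessionId, accountResetToken.verificationMethod);
  } else if (recoveryKeyId) {
    // A recovery key proves possession of a second factor, so the session
    // is marked with the same method a TOTP-verified session gets (AAL2).
    db.verifyTokensWithMethod(sessionId, 'totp-2fa');
  }
  return aalOf(db.get(sessionId));
}

// Assumed policy: destructive operations need AAL2 when the account has
// TOTP enrolled, AAL1 otherwise.
function canDeleteAccount(db, sessionId, { hasTotp }) {
  const required = hasTotp ? 2 : 1;
  return aalOf(db.get(sessionId)) >= required;
}
```

With the same store, a reset carried over from an 'email-2fa' token lands at AAL1 and is refused deletion on a TOTP-enrolled account, while a reset authorised by a recovery key lands at AAL2 and is allowed.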
accountResetToken.verificationMethod
);
} else if (recoveryKeyId) {
await this.db.verifyTokensWithMethod(sessionToken.id, 'totp-2fa');
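Review bot: the `else if (recoveryKeyId)` branch passes the literal 'totp-2fa' to verifyTokensWithMethod with nothing in the surrounding lines saying why a recovery key earns the TOTP verification method, so the branch reads like a copy-paste of a TOTP path rather than a deliberate AAL2 decision; add a one-line comment stating the intent (`// A recovery key counts as a second factor, so mark the session AAL2`) and consider replacing the bare string with a named constant so the method name is defined in one place.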
Contributor

I'd put a comment here about what this is doing. Without understanding the context around this change, it might seem like a mistake at first glance.


@dschom dschom left a comment


:shipit:

Because:

* Account recovery key is considered equivalent to 2FA, and the issued token should match 2FA AAL

This commit:

* When using an account recovery key, verify token with totp-2fa method
* Add a test to verify that this change allows account deletion

Closes #FXA-12425
@dschom dschom merged commit 8cab0e5 into main Sep 20, 2025
19 checks passed
@dschom dschom deleted the FXA-12425 branch September 20, 2025 01:43