
fix(webchannel): Send 'can_link_account' during signin_unblock #20001

Merged
LZoog merged 1 commit into main from FXA-13009
Feb 5, 2026

@LZoog LZoog commented Feb 5, 2026

Because:

  • Users can keep 'canceling' the login when they see the merge warning until they get rate limited, and then they can bypass the merge warning by going through signin_unblock

This commit:

  • Sends the 'can_link_account' command on this screen after unblock

fixes FXA-13009

--

See this doc - signin_unblock wasn't listed on places to add this check for the MVP, an oversight.

Since we need the uid, we have to wait until the user is at least partially authenticated with password before we can send this web channel message up. However, for signin_unblock, we don't get back the user's uid after password entry, we must wait until they are verified. So now, users in this flow will see the merge warning after the successful unblock, but they'll be redirected to email-first once they hit "cancel".

I will file an issue for this: one thing that would make this flow much better because users would get "blocked" much earlier in the flow, would be the non-MVP cases shown in that doc - e.g., user has an entry in local storage and therefore as soon as we know the email they're trying to sign in with and it matches what's in local storage, use the UID there to send can_link_account. However, there is an edge case where if a user deleted their account on another device and recreated it, we'd be sending the wrong UID up. This is probably OK, but I think that should be a separate task.
edit: here's that ticket

Because:
* Users can keep 'canceling' the login when they see the merge warning until they get rate limited, and then they can bypass the merge warning by going through signin_unblock

This commit:
* Sends the command on this screen

fixes FXA-13009
@LZoog LZoog requested a review from a team as a code owner February 5, 2026 00:21

@vpomerleau vpomerleau left a comment

Code looks good and works as expected when testing locally in nightly.

  • Merge warning is shown on signin_unblock when the final password attempt was correct (though throttled) + authorization code is correct;
  • merge warning not shown on signin_unblock when the final password attempt before blocking was incorrect - the merge warning is instead shown on the signin page after successfully unblocking and re-entering the correct password.

@LZoog LZoog merged commit 36c3b30 into main Feb 5, 2026
21 checks passed
@LZoog LZoog deleted the FXA-13009 branch February 5, 2026 15:45
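
The flow discussed in this PR, sketched as an added example that is not part of the PR or the FxA code base: a toy model in which the unblock route either skips or passes through the same 'can_link_account' gate as every other sign-in completion. All function names, the server stub and the sample account values are hypothetical and constructed for illustration.

```javascript
// Toy model, not FxA code. Function and field names are hypothetical; only
// 'can_link_account', signin_unblock and email-first come from the PR text.

// Browser side of the web channel: shows the merge warning, user answers.
function makeBrowser(userConfirmsMerge) {
  const sent = [];
  return {
    sent,
    send(command, data) {
      sent.push({ command, uid: data.uid });
      return { ok: userConfirmsMerge };
    },
  };
}

// Constructed server stub: one account, one valid unblock code.
const server = {
  verifyUnblock(email, password, code) {
    const ok = email === 'a@example.com' && password === 'pw' && code === 'ABCD1234';
    return ok ? { uid: 'uid-placeholder-1' } : null;
  },
};

// The one gate every sign-in completion path must pass through.
// It needs the uid, so it can only run once the server has returned one.
function completeSignin(browser, account) {
  const reply = browser.send('can_link_account', { uid: account.uid });
  return reply.ok ? 'signed_in' : 'email_first';
}

// Unblock path: uid is only known after the unblock code verifies.
// gated=false reproduces the bypass the PR describes (no check on this route).
function signinUnblock(browser, email, password, code, gated = true) {
  const account = server.verifyUnblock(email, password, code);
  if (!account) return 'signin_unblock'; // stay on the screen, nothing sent
  return gated ? completeSignin(browser, account) : 'signed_in';
}

// User who would cancel the merge warning, arriving via unblock.
function demo(gated) {
  const browser = makeBrowser(false);
  const next = signinUnblock(browser, 'a@example.com', 'pw', 'ABCD1234', gated);
  return { next, commands: browser.sent.map((m) => m.command) };
}
```

Routing every completion path through one function is what makes a missed screen like this one visible in review: a route that returns a signed-in state without calling the gate stands out.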