Skip to content

feat(auth): Add email verify regex bypass#20273

Merged
nshirley merged 1 commit intomainfrom
nshirley/email-skip-verify-regex
Mar 27, 2026
Merged

feat(auth): Add email verify regex bypass#20273
nshirley merged 1 commit intomainfrom
nshirley/email-skip-verify-regex

Conversation

@nshirley
Copy link
Copy Markdown
Contributor

@nshirley nshirley commented Mar 26, 2026
edited
Loading

Because

  • We currently use a list of exact matching emails to allow bypassing verification emails

This pull request

  • Adds a regex variable option to make bypassing a bit more flexible
  • Leaves old variable in place so we don't break existing functionality until code is live and webservices-infra is updated
  • Adds tests

Issue that this pull request solves

Closes: FXA-13352

Sister webservices-infra pr: https://github.com/mozilla/webservices-infra/pull/10328/changes

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

How to review (Optional)

  • Key files/areas to focus on:
  • Suggested review order:
  • Risky or complex parts:

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

Any other information that is important to this pull request.

@nshirley nshirley requested a review from a team as a code owner March 26, 2026 20:42
Copilot AI review requested due to automatic review settings March 26, 2026 20:42
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds support for bypassing sign-in email confirmation based on a configurable regex, while keeping the existing allowlist for backward compatibility.

Changes:

  • Introduced skipForEmailRegex configuration option (convict) with an env var.
  • Updated login flow to bypass confirmation when the email matches either an allowlist entry or the configured regex.
  • Added unit tests covering regex-based bypass behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File Description
packages/fxa-auth-server/lib/routes/account.ts Adds regex-based bypass check in the login confirmation logic.
packages/fxa-auth-server/lib/routes/account.spec.ts Adds test coverage for regex-based bypass behavior.
packages/fxa-auth-server/config/index.ts Introduces new convict config entry/env var for regex bypass.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/fxa-auth-server/config/index.ts
Comment thread packages/fxa-auth-server/lib/routes/account.ts Outdated
Comment thread packages/fxa-auth-server/lib/routes/account.ts
Comment on lines +1265 to +1268
this.skipConfirmationForEmailAddresses?.includes(lowerCaseEmail) ||
// use both as a backward compatability and eventually remove
// the array of emails in favor of just a regex which is more flexible
this.skipConfirmationForEmailRegex?.test(lowerCaseEmail);
Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Calling .test() on a shared RegExp instance can be stateful if the configured regex includes the g or y flags (because lastIndex is mutated), leading to incorrect allow/deny behavior across requests. To avoid this, either (a) disallow g/y in validation, (b) reset lastIndex = 0 before testing, or (c) test against a cloned RegExp instance without g/y.

Copilot uses AI. Check for mistakes.
Comment thread packages/fxa-auth-server/lib/routes/account.ts Outdated
Comment thread packages/fxa-auth-server/lib/routes/account.spec.ts
Comment on lines +3226 to +3235
it('should skip sign-in confirmation for email matching regex', () => {
setupSkipForEmailRegex('qa-test@example.com', /.+@example\.com$/);

return runTest(route, mockRequest, (response: any) => {
expect(mockDB.createSessionToken.callCount).toBe(1);
const tokenData = mockDB.createSessionToken.getCall(0).args[0];
expect(tokenData.tokenVerificationId).toBeFalsy();
expect(response.emailVerified).toBeTruthy();
});
});
Copy link

Copilot AI Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new behavior depends on a configured RegExp instance, but tests currently don't cover the stateful-regex edge case (e.g., a configured /.+@example\\.com$/g), which can produce flaky bypass decisions due to lastIndex mutation. Add a test that sets a g (and/or y) regex and asserts consistent behavior across multiple login attempts, or enforce validation that rejects these flags and test that validation path.

Copilot uses AI. Check for mistakes.
dschom
dschom reviewed Mar 26, 2026
View reviewed changes
Comment thread packages/fxa-auth-server/lib/routes/account.spec.ts
mockConfig.oauth = {};
mockConfig.signinConfirmation = {};
mockConfig.signinConfirmation.skipForEmailAddresses = [];
mockConfig.signinConfirmation.skipForEmailRegex = /^$/;
Copy link
Copy Markdown
Contributor

@dschom dschom Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it redundant to have both skipForEmailAddresses and skipForEmailRegex?

Copy link
Copy Markdown
Contributor Author

@nshirley nshirley Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably! My only thinking is that this wouldn't break anything and have weird timing with updates to webservices-infra to deploy updates to both. This way we can deploy the new code, and add the regex to webservices, test to make sure it works, then go back and rip out the old version

dschom
dschom approved these changes Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dschom dschom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me. Thanks for the update!

@nshirley
feat(auth): Add email verify regex bypass
104f397 
Because:
 - We currently use a list of exact matching emails to allow bypassing verification emails

This Commit:
 - Adds a regex variable option to make bypassing a bit more flexible
 - Leaves old variable in place so we don't break existing functionality until code is live and webservices-infra is updated
 - Adds tests
@nshirley nshirley force-pushed the nshirley/email-skip-verify-regex branch from 630bec3 to 104f397 Compare March 27, 2026 13:49
@nshirley nshirley merged commit cec090a into main Mar 27, 2026
21 checks passed
@nshirley nshirley deleted the nshirley/email-skip-verify-regex branch March 27, 2026 18:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@dschom dschom dschom approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nshirley @dschom