
fix(auth): Provide sessionVerified on passwordChange handler#20331

Merged
nshirley merged 1 commit into main from FXA-13355 on Apr 8, 2026

Conversation

@nshirley (Contributor) commented Apr 7, 2026

Because

  • There's a bug where a user can get signed out after changing their password

This pull request

  • Includes the sessionVerified property that updateBasicAccountData looks for.

Issue that this pull request solves

Closes: FXA-13355

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

How to review (Optional)

  • Key files/areas to focus on:
  • Suggested review order:
  • Risky or complex parts:

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

Any other information that is important to this pull request.

@nshirley nshirley requested a review from a team as a code owner April 7, 2026 18:10
Copilot AI review requested due to automatic review settings April 7, 2026 18:10
Copilot AI left a comment


Pull request overview

Fixes a regression where clients could treat the post-password-change session as unverified (and sign the user out) by ensuring the /mfa/password/change response includes the sessionVerified flag that downstream account storage expects (Closes: FXA-13355).

Changes:

  • Add sessionVerified to the /mfa/password/change route response, sourced from the newly issued session token’s verification state.
  • Add/adjust unit tests to assert sessionVerified is present and consistent with the legacy verified field.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

Files reviewed:

  • packages/fxa-auth-server/lib/routes/password.ts: include sessionVerified in the password change response payload.
  • packages/fxa-auth-server/lib/routes/password.spec.ts: add a test ensuring sessionVerified is returned (and keep formatting tidy in an existing assertion).

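As an added worked illustration of the failure mode the review above describes (example code, not fxa's own; every identifier in it is an assumption, including the shape of the session token, the response and the client cache, and the client's sign-out rule): the server builds the password-change response from the newly issued session token's state, and the client merges that response into its account cache, treating a missing sessionVerified as false. With the flag omitted, the merged record looks unverified and the client signs the user out; with the flag present, the session stays verified. The last function mirrors the PR's test that the new flag agrees with the legacy verified field.

```typescript
// Added illustrative example; not code from the fxa repository. Every name and
// shape here (SessionTokenState, buildPasswordChangeResponse, CachedAccount,
// updateBasicAccountData, shouldSignOut) is an assumption made for this demo.

// Assumed: the server-side record of a freshly issued session token.
type SessionTokenState = {
  id: string;
  tokenVerified: boolean; // has this session been verified (e.g. via MFA)?
};

// Assumed response shape: `verified` is the legacy field, `sessionVerified`
// is the flag the page says the client's account cache looks for.
type PasswordChangeResponse = {
  sessionToken: string;
  verified: boolean;
  sessionVerified?: boolean;
};

// Assumed shape of what the client keeps in its account cache.
type CachedAccount = {
  uid: string;
  sessionToken: string;
  sessionVerified: boolean;
};

// Server side. `includeSessionVerified = false` reproduces the pre-fix
// response, `true` the fixed one. Both flags are sourced from the same token
// state, so the response is self-consistent.
function buildPasswordChangeResponse(
  token: SessionTokenState,
  includeSessionVerified: boolean
): PasswordChangeResponse {
  const res: PasswordChangeResponse = {
    sessionToken: token.id,
    verified: token.tokenVerified,
  };
  if (includeSessionVerified) {
    res.sessionVerified = token.tokenVerified;
  }
  return res;
}

// Client side (assumed behaviour, named after the page's updateBasicAccountData):
// merge the response into the cache. An absent flag is deliberately coerced to
// `false` (fail closed), which is why a response that omits it reads as an
// unverified session.
function updateBasicAccountData(
  cache: CachedAccount,
  res: PasswordChangeResponse
): CachedAccount {
  return {
    ...cache,
    sessionToken: res.sessionToken,
    sessionVerified: res.sessionVerified === true,
  };
}

// Assumed client rule: an unverified session is not allowed to stay signed in.
function shouldSignOut(cache: CachedAccount): boolean {
  return !cache.sessionVerified;
}

// Run the whole flow on constructed data; returns true if the user ends up
// signed out after the password change.
function simulatePasswordChange(includeSessionVerified: boolean): boolean {
  const before: CachedAccount = {
    uid: 'u1',
    sessionToken: 'old-token',
    sessionVerified: true,
  };
  const newToken: SessionTokenState = { id: 'new-token', tokenVerified: true };
  const res = buildPasswordChangeResponse(newToken, includeSessionVerified);
  const after = updateBasicAccountData(before, res);
  return shouldSignOut(after);
}

// Mirrors the PR's unit test: the new flag must agree with the legacy field.
function flagsAgree(token: SessionTokenState): boolean {
  const res = buildPasswordChangeResponse(token, true);
  return res.sessionVerified === res.verified;
}
```

The client's fail-closed default is the right one to keep: a session whose verification state is unknown should not be trusted, so the correct fix is for the server to supply the field rather than for the client to assume it is true. Calling simulatePasswordChange(false) reproduces the sign-out; simulatePasswordChange(true) shows the fixed flow.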

@vbudhram (Contributor) left a comment


Could add a functional test in passwordless to cover the flow

@nshirley (Contributor, Author) commented Apr 8, 2026

Latest force push was adding a functional test for this bug!

Because:
 - There's a bug where a user can be signed out after changing password

This Commit:
 - Fixes the issue by providing the proper sessionVerified property in
   the API response for the client to cache

Closes: FXA-13355
@nshirley nshirley merged commit 365b387 into main Apr 8, 2026
22 checks passed
@nshirley nshirley deleted the FXA-13355 branch April 8, 2026 15:44
4 participants