Merge pull request #17968 from mozilla/revert-17827-fxa-10418

Revert "feat(2fa): Add auth scheme to require 2FA on session token"
mozilla · Nov 4, 2024 · e4a0a37 · e4a0a37
2 parents 8a62611 + cab438a
commit e4a0a37
Show file tree

Hide file tree

Showing 9 changed files with 635 additions and 686 deletions.
diff --git a/packages/fxa-auth-server/lib/routes/auth-schemes/hawk-fxa-token.js b/packages/fxa-auth-server/lib/routes/auth-schemes/hawk-fxa-token.js
@@ -4,7 +4,6 @@
 
 const AppError = require('../../error');
 const Boom = require('@hapi/boom');
-const error = require('../../error');
 
 // The following regexes and Hawk header parsing are taken from the Hawk library.
 // See https://github.com/mozilla/hawk/blob/01f3d35479fe76654bb50f2886b37310555d088e/lib/utils.js#L126
@@ -109,15 +108,8 @@ function strategy(
 
           try {
             token = await getCredentialsFunc(parsedHeader.id);
-          } catch (err) {
-            // An error in the getCredentialsFunc means that the token was not found
-            // or it does not have a high enough assurance level to be used for this request.
-            // (e.g. a session token that is not 2FA verified)
-            if (err.errno === error.ERRNO.SESSION_UNVERIFIED) {
-              throw err;
-            }
-
-            // handle the empty token case below
+          } catch (_) {
+            // we'll handle the empty token case below
           }
 
           // If a token isn't found, this means it doesn't exist or expired and

diff --git a/packages/fxa-auth-server/lib/routes/emails.js b/packages/fxa-auth-server/lib/routes/emails.js
@@ -104,7 +104,7 @@ module.exports = (
       options: {
         ...EMAILS_DOCS.RECOVERY_EMAIL_STATUS_GET,
         auth: {
-          strategy: 'sessionTokenNoAssurance',
+          strategy: 'sessionToken',
         },
         validate: {
           query: {

diff --git a/packages/fxa-auth-server/lib/routes/oauth/token.js b/packages/fxa-auth-server/lib/routes/oauth/token.js
@@ -446,7 +446,7 @@ module.exports = ({ log, oauthDB, db, mailer, devices, statsd, glean }) => {
           // XXX TODO: To be able to fully replace the /token route from oauth-server,
           // this route must also be able to accept 'client_secret' as Basic Auth in header.
           mode: 'optional',
-          strategy: 'sessionTokenNoAssurance',
+          strategy: 'sessionToken',
         },
         validate: {
           // Note: the use of 'alternatives' here means that `grant_type` will default to

diff --git a/packages/fxa-auth-server/lib/routes/recovery-codes.js b/packages/fxa-auth-server/lib/routes/recovery-codes.js
@@ -128,7 +128,7 @@ module.exports = (log, db, config, customs, mailer, glean) => {
       options: {
         ...RECOVERY_CODES_DOCS.SESSION_VERIFY_RECOVERYCODE_POST,
         auth: {
-          strategy: 'sessionTokenNoAssurance',
+          strategy: 'sessionToken',
           payload: 'required',
         },
         validate: {

diff --git a/packages/fxa-auth-server/lib/routes/session.js b/packages/fxa-auth-server/lib/routes/session.js
@@ -103,7 +103,7 @@ module.exports = function (
       options: {
         ...SESSION_DOCS.SESSION_REAUTH_POST,
         auth: {
-          strategy: 'sessionTokenNoAssurance',
+          strategy: 'sessionToken',
           payload: 'required',
         },
         validate: {

diff --git a/packages/fxa-auth-server/lib/routes/totp.js b/packages/fxa-auth-server/lib/routes/totp.js
@@ -128,7 +128,7 @@ module.exports = (log, db, mailer, customs, config, glean, profileClient) => {
       options: {
         ...TOTP_DOCS.TOTP_DESTROY_POST,
         auth: {
-          strategy: 'sessionTokenNoAssurance',
+          strategy: 'sessionToken',
         },
         response: {},
       },
@@ -397,7 +397,7 @@ module.exports = (log, db, mailer, customs, config, glean, profileClient) => {
       options: {
         ...TOTP_DOCS.SESSION_VERIFY_TOTP_POST,
         auth: {
-          strategy: 'sessionTokenNoAssurance',
+          strategy: 'sessionToken',
           payload: 'required',
         },
         validate: {

diff --git a/packages/fxa-auth-server/lib/server.js b/packages/fxa-auth-server/lib/server.js
@@ -86,7 +86,6 @@ async function create(log, error, config, routes, db, statsd, glean) {
   const metricsContext = require('./metrics/context')(log, config);
   const metricsEvents = require('./metrics/events')(log, config, glean);
   const { sharedSecret: SUBSCRIPTIONS_SECRET } = config.subscriptions;
-  const otpUtils = require('./routes/utils/otp')(log, config, db);
 
   function makeCredentialFn(dbGetFn) {
     return function (id) {
@@ -377,22 +376,6 @@ async function create(log, error, config, routes, db, statsd, glean) {
   // Register auth strategies for all token types. These strategies support Hawk (without validation) and FxA token types.
   server.auth.scheme(
     'fxa-hawk-session-token',
-    hawkFxAToken.strategy(
-      makeCredentialFn(async function (id) {
-        const sessionToken = await db.sessionToken(id);
-
-        const hasTotpToken = await otpUtils.hasTotpToken(sessionToken);
-
-        if (hasTotpToken && sessionToken.authenticatorAssuranceLevel <= 1) {
-          throw error.unverifiedSession();
-        }
-
-        return sessionToken;
-      })
-    )
-  );
-  server.auth.scheme(
-    'fxa-hawk-session-token-no-assurance',
     hawkFxAToken.strategy(makeCredentialFn(db.sessionToken.bind(db)))
   );
   server.auth.scheme(
@@ -437,10 +420,6 @@ async function create(log, error, config, routes, db, statsd, glean) {
   );
 
   server.auth.strategy('sessionToken', 'fxa-hawk-session-token');
-  server.auth.strategy(
-    'sessionTokenNoAssurance',
-    'fxa-hawk-session-token-no-assurance'
-  );
   server.auth.strategy('keyFetchToken', 'fxa-hawk-keyFetch-token');
   server.auth.strategy(
     // This strategy fetches the keyFetchToken with its