
task(auth): Update /totp/destroy to take an sms code #18154

Merged
merged 1 commit into from
Dec 21, 2024

Conversation

dschom
Contributor

@dschom dschom commented Dec 18, 2024

Because

  • We want to be able to remove totp for users that have a recovery phone registered.

This pull request

  • Allows a totp code to be passed to the totp/destroy endpoint
  • Checks the totp code's validity before removing totp.

Issue that this pull request solves

Closes: # (issue number)

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

@dschom dschom requested a review from a team as a code owner December 18, 2024 17:13
.string()
.max(32)
.regex(validators.DIGITS)
.optional()
Contributor Author

To keep this backwards compatible, I made the code optional. However, that means that for now there's no enforcement of providing a code in order to remove TOTP. Perhaps there should also be a check to see if the account has a backup phone, and if it does, an SMS code must be provided. This was not in the ACs for the ticket though...
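The enforcement gap raised in this comment, as an added example that is not part of the PR or the FxA codebase: a handler that mirrors the optional, digits-only `code` field from this change, alongside the stricter path where a registered recovery phone makes the SMS code mandatory. The `account.recoveryPhone`, `account.uid` and `verifySmsCode(uid, code)` names are assumptions.

```javascript
// Added example, not FxA code. Field names and verifySmsCode are assumptions.
const DIGITS = /^[0-9]+$/;

// Mirrors the schema in the PR: `code` is an optional string of digits, max 32 chars.
function validatePayload(payload) {
  const { code } = payload || {};
  if (code === undefined) return { ok: true, code: undefined };
  if (typeof code !== 'string' || code.length > 32 || !DIGITS.test(code)) {
    return { ok: false, error: 'invalid code' };
  }
  return { ok: true, code };
}

// Decide whether TOTP may be removed for `account` given the request payload.
// verifySmsCode(uid, code) is an assumed function returning true when the code matches.
function destroyTotp(account, payload, verifySmsCode) {
  const v = validatePayload(payload);
  if (!v.ok) return { removed: false, reason: v.error };

  // Backwards-compatible path from the PR: no recovery phone, so the code is optional,
  // but a code that is supplied must still verify before TOTP is removed.
  if (!account.recoveryPhone) {
    if (v.code !== undefined && !verifySmsCode(account.uid, v.code)) {
      return { removed: false, reason: 'code rejected' };
    }
    return { removed: true, reason: null };
  }

  // Stricter path suggested in the review: a registered recovery phone means an
  // SMS code is required and must verify, otherwise TOTP stays in place.
  if (v.code === undefined) return { removed: false, reason: 'code required' };
  if (!verifySmsCode(account.uid, v.code)) return { removed: false, reason: 'code rejected' };
  return { removed: true, reason: null };
}
```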

payload: isA.object({
code: isA
.string()
.max(32)
Contributor

Sorry, I have not been following the SMS work that closely, but is this a code sent to the user?

Contributor Author

Yes, it would be a code sent to the user's phone. There are some things about this ticket that are a little fuzzy to me as well. I'm thinking when we do the front end implementation the usage will be more clear.

Contributor

32 characters is a looooong code. 😅

Contributor

@chenba chenba left a comment

👍 Makes sense to me, but I do have a couple of questions/concerns (see inline comments).

@dschom dschom merged commit ddd64dc into main Dec 21, 2024
25 checks passed
@dschom dschom deleted the FXA-10360 branch December 21, 2024 00:26