Allow accounts without passwords to set passwords

[data-sync-user]

When logging in with a Google OR an Apple account we create an FxA account without a password. On the settings page it looks like this:

!SxeBJKWG_CWn8zWoblxBH-cZf8up5siumik3CDFJa8PPJ-I2o2axxAjiNRB0elyz1mgmYIT300F1QNzkshcVAfDh5dVPkZdc_1ps6gGv553Dg1hQ7eQO7sPHPbpfbV0OjRWJdN26|width=100%!

When you click ‘Change’ it prompts for the current password before allowing a user to set their password. We should change that row on the settings page to say “none” and the “change” button to be “Add”. We should also add a link to a SUMO article (which isn’t written yet) with the text “Why should I set a password?”

Note that this issue will fix https://mozilla-hub.atlassian.net/browse/FXA-4769 for free.

QA: Please verify this functions as described for both Apple and Google authenticated FxAs.

┆Issue is synchronized with this Jira Task
┆Attachments: pDKmUoXSJEKZ-eshM495Se7EM4i02L6X9bLsXMnkcStoLWWNCr9M2ra1DdnYNVb17MuTRjcZKVSRM4GX7Ghww6P9_hXnWCfb6H7zsSpk50wAZdZra1-y6M2LUcEzUo5iNbVdA6A5w3GWXx69bA | SxeBJKWG_CWn8zWoblxBH-cZf8up5siumik3CDFJa8PPJ-I2o2axxAjiNRB0elyz1mgmYIT300F1QNzkshcVAfDh5dVPkZdc_1ps6gGv553Dg1hQ7eQO7sPHPbpfbV0OjRWJdN26 | wrong redirection Apple.gif

[data-sync-user]

➤ Lauren Zugai commented:

Bumping this up to a 5 pointer because this is more of a “reset password” scenario (but not exactly) than a “change password” scenario. Since it feels messy to repurpose PageChangePassword to handle both scenarios + add some conditional in fxa-graphql-api, it's feels like it’s going to be best to create a new route, like "add_password", show a different form, and create a new GQL mutation/resolver that only sends up and processes the new password without the existing one.

[data-sync-user]

➤ Wil Clouser commented:

That sounds good. Let’s coordinate on what the metrics which are emitted will be and I can create funnel charts for tracking. Probably fxa_login - password_add_view, *_engage, *_submit, *_success, and *_fail?

[data-sync-user]

➤ Lauren Zugai commented:

I split the back-end portion out to https://mozilla-hub.atlassian.net/browse/FXA-5046 ( https://mozilla-hub.atlassian.net/browse/FXA-5046|smart-link ) since I’ve been out some this week. This is probably more like a 3 pointer but I’ll bump it down when I see the PR.

Sounds good to me on the metrics. Vesta confirmed the word “create” is preferred over “add” so they’ll be “password_create_view” etc.

[data-sync-user]

➤ Vesta Zare commented:

Here’s the recommended flow:

Set a password for your Firefox Account to unlock Sync and access to privacy-enhancing products.

!pDKmUoXSJEKZ-eshM495Se7EM4i02L6X9bLsXMnkcStoLWWNCr9M2ra1DdnYNVb17MuTRjcZKVSRM4GX7Ghww6P9_hXnWCfb6H7zsSpk50wAZdZra1-y6M2LUcEzUo5iNbVdA6A5w3GWXx69bA|width=1000,height=375!

[data-sync-user]

➤ Bianca Oltean commented:

I was able to verify this on Stage [Train 233] by logging in via Google and the password set up flow works correctly, but I was not able to test the Apple authentication because I’m redirected back to the Enter your email page. CC: Lauren Zugai Wil Clouser

!wrong redirection Apple.gif|width=1909,height=952!

[data-sync-user]

➤ Wil Clouser commented:

Understood. Please file a separate bug for the Apple login failure. Thanks.

[data-sync-user]

➤ Bianca Oltean commented:

A separate bug was filed for the Apple auth issue here: https://mozilla-hub.atlassian.net/browse/FXA-5241 ( https://mozilla-hub.atlassian.net/browse/FXA-5241|smart-link )