
task(settings): Disable 2FA and Recovery Code actions when account has no password #12819

Merged: 2 commits merged into main from FXA-5043-require-passwords-for-rc-and-2fa on May 10, 2022

Conversation

dschom
Contributor

@dschom dschom commented May 9, 2022

Because

  • With third party oauth, we might enter into a state where the user has authenticated, but has not supplied a password yet. In this case, setting up recovery codes or 2FA isn’t applicable.

This pull request

  • Introduces hasPassword flag on account model
  • Guards routes associated to 2FA and recovery codes in the event the account does not have a password
  • Disables 2FA and recovery code action buttons in the event a user’s account has no password set.
  • Provides a tooltip hint on the disabled action button that a password must be set in order to use certain features or sync.

Issue that this pull request solves

Closes: #12774

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

Screenshots (Optional)

[screenshot omitted]

Other Information

To test this state, log in with a third party oauth account (apple or google) for the first time. This will result in a state where you have been authenticated, but haven't set a password yet.
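The two controls the PR describes, a route guard and a disabled action button with a tooltip, both keyed off a single `hasPassword` flag, as an added illustration that is not FxA's own code. The `Account` shape, the route paths, the redirect target and the hint text are assumptions; the point is that the router-side check is the real control and the disabled button is only the user-facing hint.

```typescript
// Added example (not from the fxa repository). Shows how a hasPassword flag
// on the account model can gate both the 2FA / recovery-code routes and the
// settings action buttons. Field names, paths and strings are assumptions.

export interface Account {
  uid: string;
  email: string;
  hasPassword: boolean;       // false right after a first third-party OAuth login
  totpActive: boolean;
  recoveryCodesCount: number;
}

// Routes that only make sense once a password exists (assumed paths).
export const PASSWORD_GATED_ROUTES: readonly string[] = [
  '/settings/two_step_authentication',
  '/settings/two_step_authentication/replace_codes',
  '/settings/recovery_key',
];

export const SETTINGS_HOME = '/settings';
export const NO_PASSWORD_HINT = 'Set a password to use this feature and to sync.';

// Match the exact gated path or any sub-path, ignoring query string and fragment.
export function isPasswordGatedRoute(path: string): boolean {
  const clean = (path.split(/[?#]/)[0] ?? '').replace(/\/+$/, '');
  return PASSWORD_GATED_ROUTES.some(
    (r) => clean === r || clean.startsWith(r + '/'),
  );
}

export interface RouteDecision {
  allowed: boolean;
  redirectTo?: string;
}

// Router-side guard: an account with no password is sent back to the settings
// home instead of entering the 2FA or recovery-code flow. This check must not
// rely on the button having been disabled in the UI.
export function guardRoute(account: Account, path: string): RouteDecision {
  if (isPasswordGatedRoute(path) && !account.hasPassword) {
    return { allowed: false, redirectTo: SETTINGS_HOME };
  }
  return { allowed: true };
}

export interface ActionButtonState {
  disabled: boolean;
  tooltip?: string;
}

// UI-side state for the "Add" / "Change" buttons on the 2FA and recovery-code
// rows: disabled plus a tooltip when the account has no password.
export function actionButtonState(account: Account): ActionButtonState {
  if (!account.hasPassword) {
    return { disabled: true, tooltip: NO_PASSWORD_HINT };
  }
  return { disabled: false };
}

// Constructed sample: an account created through third-party OAuth that has
// authenticated but never set a password.
export const oauthOnlyAccount: Account = {
  uid: 'uid-constructed-0001',
  email: 'person@example.com',
  hasPassword: false,
  totpActive: false,
  recoveryCodesCount: 0,
};

// Walk a few requests through the guard so the behaviour is visible.
export function demo(account: Account): Record<string, RouteDecision> {
  const out: Record<string, RouteDecision> = {};
  for (const p of ['/settings/display_name', '/settings/recovery_key?from=nav']) {
    out[p] = guardRoute(account, p);
  }
  return out;
}
```

The guard only redirects; it does not itself explain why, which is what the tooltip on the disabled button is for. Keeping the path match on a fixed list (rather than a regex over the whole settings tree) makes it easy to see exactly which flows are gated when reviewing a change like this one.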

@dschom dschom requested a review from a team as a code owner May 9, 2022 22:18
…s no password

Because:
- With third party oauth, we might enter into a state where the user has authenticated, but has not supplied a password yet. In this case, setting up recovery codes or 2FA isn’t applicable.

This Commit:
- Introduces hasPassword flag on account model
- Guards routes associated to 2FA and recovery codes in the event the account does not have a password
- Disables 2FA and recovery code action buttons in the event a user’s account has no password set.
- Provides a tooltip hint on the disabled action button that a password must be set in order to use certain features or sync.
@dschom dschom force-pushed the FXA-5043-require-passwords-for-rc-and-2fa branch from 00bba1d to 6c911c6 Compare May 9, 2022 22:20
@LZoog LZoog self-assigned this May 10, 2022
@dschom dschom requested a review from xlisachan May 10, 2022 16:01
@dschom
Contributor Author

dschom commented May 10, 2022

@LZoog Thanks for the review. I've addressed the feedback. Concerns about mobile can be addressed in another ticket. IMO, they are not that serious.

@dschom dschom requested a review from LZoog May 10, 2022 16:30
Contributor

@LZoog LZoog left a comment


LGTM! I'll rebase my PR once it's merged.

@dschom dschom merged commit c699f8e into main May 10, 2022
@dschom dschom deleted the FXA-5043-require-passwords-for-rc-and-2fa branch June 15, 2022 01:20
Development

Successfully merging this pull request may close these issues.

Disallow users without passwords from accessing recovery key or 2FA flow