Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(oauth): Move keyFetchToken and unwrapBKey to sensitiveDataClient #17994

Merged
merged 1 commit into from
Nov 8, 2024
Merged

fix(oauth): Move keyFetchToken and unwrapBKey to sensitiveDataClient #17994

merged 1 commit into from
Nov 8, 2024

Conversation

LZoog
Copy link
Contributor

@LZoog LZoog commented Nov 8, 2024

Because:

  • It's better practice to store these in memory, and this causes a problem on session restart in oauth desktop

This commit:

  • Moves keyFetchToken and unwrapBKey off of location state and into sensitiveDataClient

closes FXA-10709, closes FXA-10529

dschom
dschom reviewed Nov 8, 2024
View reviewed changes
packages/fxa-settings/src/pages/InlineRecoveryKeySetup/container.tsx
(sensitiveData as unknown as { emailForAuth: string; authPW: string }) ||
{};
const { authPW, emailForAuth, unwrapBKey } =
(sensitiveData as {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we reuse the sensitive data client type?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'm just going to punt this to that same follow up mentioned. There are files I didn't touch in this PR that are doing something similar to this as well and I think it makes sense to look at this in a non-dot release scenario.

vpomerleau
vpomerleau reviewed Nov 8, 2024
View reviewed changes
packages/fxa-settings/src/pages/InlineRecoveryKeySetup/container.tsx Outdated
@@ -112,7 +117,8 @@ export const InlineRecoveryKeySetupContainer = (_: RouteComponentProps) => {
!unwrapBKey ||
!email ||
!emailForAuth ||
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is !emailForAuth duplicated here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the catch. Weird that our linter doesn't complain about this, lol.

vpomerleau
vpomerleau reviewed Nov 8, 2024
View reviewed changes
packages/fxa-settings/src/pages/InlineRecoverySetup/container.tsx
@@ -125,6 +149,11 @@ export const InlineRecoverySetupContainer = ({
if (oAuthDataError) {
return <OAuthDataError error={oAuthDataError} />;
}
// Note that we don't currently need this check on this page right now since AMO is the only
// RP requiring 2FA and it doesn't require keys. However it's here for consistency.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very much appreciate the comments you've sprinkled throughout 🫶

vpomerleau
vpomerleau reviewed Nov 8, 2024
View reviewed changes
packages/fxa-settings/src/lib/oauth/hooks.tsx Outdated
* password in a browser session restart/crash because the browser stores the flow state in
* memory and the query params won't match after a browser session is restored.
*
* TODO: Can we check session storage for if the user refreshed so we can redirect them
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have we had input from UX on how to display this error? Or have a ticket filed to review UX? I know it's a edge case, but I don't love that we display a screen with nothing but an error message and no path forward.

Copy link
Contributor Author

@LZoog LZoog Nov 8, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mark and I agreed on this for now, and also agreed it wasn't the best. I did note that reset PW refresh ticket in a comment here because I'm thinking we can bump up the points to a 3 and use that ticket to handle refreshes better here as well (if there's a refresh and not a browser crash we can redirect to /signin), but if a browser crash happens, the user really needs to just restart the flow from the profile menu.

@LZoog LZoog force-pushed the FXA-10709 branch 4 times, most recently from ff1ab74 to 1df5bb2 Compare November 8, 2024 18:34
@LZoog LZoog marked this pull request as ready for review November 8, 2024 18:34
@LZoog LZoog requested a review from a team as a code owner November 8, 2024 18:34
@LZoog
fix(oauth): Move keyFetchToken and unwrapBKey to sensitiveDataClient
2e84bf0 
Because:
* It's better practice to store these in memory, and this causes a problem on session restart in oauth desktop

This commit:
* Moves keyFetchToken and unwrapBKey off of location state and into sensitiveDataClient

closes FXA-10709, closes FXA-10529
@LZoog LZoog merged commit 8fef45f into main Nov 8, 2024
25 checks passed
@LZoog LZoog deleted the FXA-10709 branch November 8, 2024 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dschom dschom dschom left review comments

@vpomerleau vpomerleau vpomerleau approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@LZoog @vpomerleau @dschom