Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

task(auth): Remove recoveryPhoneAvailable customs check #18241

Merged
merged 1 commit into from
Jan 22, 2025
Merged

task(auth): Remove recoveryPhoneAvailable customs check #18241

merged 1 commit into from
Jan 22, 2025

Conversation

dschom
Copy link
Contributor

@dschom dschom commented Jan 17, 2025
edited
Loading

Because

  • We were reviewing customs rules and deemed this recoveryPhoneAvailable check wasn't necessary.
  • We also decided to change the default custom rate limits here.

This pull request

  • Removes the recoveryPhoneAvailable check.
  • Removes the action from customs.
  • Leaving isTwilioAction, however. We might need it later.
  • Changes default config to 9 sms per 24 hour period
  • Fixes remote test to be inline with updated customs rate limits

Issue that this pull request solves

Closes: FXA-11006, FXA-11005

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

We are leaving isTwilioAction and the TWILIO_ACTION group set in customs. Pretty sure we will need it at some point soon, but with different actions.

@dschom dschom requested a review from a team as a code owner January 17, 2025 01:00
@dschom dschom requested a review from vpomerleau January 17, 2025 01:00
@dschom dschom force-pushed the remove-recoveryPhoneAvailable-customs-check branch 2 times, most recently from d318576 to f4c88dd Compare January 17, 2025 20:18
vbudhram
vbudhram approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@vbudhram vbudhram left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dschom Seems reasonble to me 👍🏽

packages/fxa-auth-server/lib/routes/recovery-phone.ts
@@ -227,8 +227,6 @@ class RecoveryPhoneHandler {
throw AppError.invalidToken();
}

await this.customs.check(request, email, 'recoveryPhoneAvailable');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we want to add rate limiting for some authenticated endpoints, we could use checkAuthenticated api. This will only check the uid and not ip or email address record.

The rate limit is more generous though (100 checks every 15mins) per action.

vpomerleau
vpomerleau reviewed Jan 17, 2025
View reviewed changes
packages/fxa-customs-server/lib/config/config.js Outdated
format: 'nat',
env: 'SMS_RATE_LIMIT_INTERVAL_SECONDS',
},
maxSms: {
doc: 'Number of sms sent within rateLimitIntervalSeconds before throttling',
default: 3,
default: 9,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we want to set this to 6 based on Slack conversation:
https://mozilla.slack.com/archives/C07T1GHL46S/p1736963075491979?thread_ts=1736960348.342549&cid=C07T1GHL46S

In theory there were notes to set the limit to 9/day for recovery phone setup, and 6/day for using the recovery phone during sign-in, but that might be overly complicated considering the current customs setup.

Suggested change
default: 9,
default: 6,

Copy link
Contributor Author

@dschom dschom Jan 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah gotcha, I didn't see the lower limit. I'll change the default.

vpomerleau
vpomerleau approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@vpomerleau vpomerleau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My comment about the the default sms limit is non-blocking considering we can discuss with the team and change the value with env var config later on.

@dschom
task(auth): Remove recoveryPhoneAvailable customs check and update sm…
e2fd3e0 
…s rate limit defaults

Because:
- We deemed this check wasn't necessary.

This Commit:
- Removes the recoveryPhoneAvailable check.
- Removes the action from customs.
- Leaving isTwilioAction, however. We might need it later.
- Changes default config to 9 sms per 24 hour period
- Fixes remote test to be inline with updated customs rate limits
@dschom dschom force-pushed the remove-recoveryPhoneAvailable-customs-check branch from f4c88dd to e2fd3e0 Compare January 22, 2025 02:31
@dschom dschom merged commit 8c256fe into main Jan 22, 2025
25 checks passed
@dschom dschom deleted the remove-recoveryPhoneAvailable-customs-check branch January 22, 2025 23:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vpomerleau vpomerleau vpomerleau approved these changes

@vbudhram vbudhram vbudhram approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dschom @vbudhram @vpomerleau