feat(auth): allow prompt=none without hint

Because: * Allow prompt=none signin even if login_hint or id_token_hint is not provided, as the current spec has these as optional parameters. This commit: * For prompt=none signin, if login_hint or id_token_hint is not provided it allows successful signin. * For prompt=none signin, if login_hint or id_token_hint are provided it keeps the current checks as is. Closes #FXA-9035
2024-02-15 10:36:34 -05:00 · 2024-02-15 10:36:34 -05:00 · 7ebc865705
--- a/apps/payments/next/tsconfig.json
+++ b/apps/payments/next/tsconfig.json
@ -9,8 +9,15 @@
        "name": "next"
      }
    ],
-    "types": ["jest", "node"],
-    "lib": ["dom", "dom.iterable", "esnext"]
+    "types": [
+      "jest",
+      "node"
+    ],
+    "lib": [
+      "dom",
+      "dom.iterable",
+      "esnext"
+    ]
  },
  "include": [
    "**/*.ts",
@ -19,7 +26,8 @@
    "**/*.jsx",
    "../../../apps/payments/next/.next/types/**/*.ts",
    "../../../dist/apps/payments/next/.next/types/**/*.ts",
-    "next-env.d.ts"
+    "next-env.d.ts",
+    ".next/types/**/*.ts"
  ],
  "exclude": [
    "node_modules",
--- a/packages/functional-tests/tests/oauth/oauthPromptNone.spec.ts
+++ b/packages/functional-tests/tests/oauth/oauthPromptNone.spec.ts
@ -165,36 +165,6 @@ test.describe('severity-1 #smoke', () => {
      }
    });

-    test('fails if no login_hint', async ({
-      page,
-      target,
-      pages: { relier, login },
-    }) => {
-      await target.auth.signUp(email, password, {
-        lang: 'en',
-        preVerified: 'true',
-      });
-      await page.goto(target.contentServerUrl, {
-        waitUntil: 'load',
-      });
-      await login.fillOutEmailFirstSignIn(email, password);
-
-      //Verify logged in on Settings page
-      expect(await login.isUserLoggedIn()).toBe(true);
-
-      const query = new URLSearchParams({
-        return_on_error: 'false',
-      });
-      await page.goto(`${target.relierUrl}/?${query.toString()}`);
-
-      await relier.signInPromptNone();
-
-      //Verify error message
-      expect(await relier.promptNoneError()).toContain(
-        'Missing OAuth parameter: login_hint'
-      );
-    });
-
    test('fails if login_hint is different to logged in user', async ({
      page,
      target,
@ -254,5 +224,33 @@ test.describe('severity-1 #smoke', () => {
      //Verify logged in to relier
      expect(await relier.isLoggedIn()).toBe(true);
    });
+
+    test('succeeds if no login_hint is provided', async ({
+      page,
+      target,
+      pages: { relier, login },
+    }) => {
+      await target.auth.signUp(email, password, {
+        lang: 'en',
+        preVerified: 'true',
+      });
+      await page.goto(target.contentServerUrl, {
+        waitUntil: 'load',
+      });
+      await login.fillOutEmailFirstSignIn(email, password);
+
+      //Verify logged in on Settings page
+      expect(await login.isUserLoggedIn()).toBe(true);
+
+      const query = new URLSearchParams({
+        return_on_error: 'false',
+      });
+      await page.goto(`${target.relierUrl}/?${query.toString()}`);
+
+      await relier.signInPromptNone();
+
+      //Verify logged in to relier
+      expect(await relier.isLoggedIn()).toBe(true);
+    });
  });
 });
--- a/packages/fxa-content-server/app/scripts/models/reliers/oauth.js
+++ b/packages/fxa-content-server/app/scripts/models/reliers/oauth.js
@ -449,23 +449,13 @@ var OAuthRelier = Relier.extend({
                );
              }
            });
-        } else {
-          if (!requestedEmail) {
-            // yeah yeah, it's a bit strange to look at `email`
-            // and then say `login_hint` is missing. `login_hint`
-            // is the OIDC spec compliant name, we supported `email` first
-            // and don't want to break backwards compatibility.
-            // `login_hint` is copied to the `email` field if no `email`
-            // is specified. If neither is available, throw an error
-            // about `login_hint` since it's spec compliant.
-            throw OAuthErrors.toMissingParameterError('login_hint');
-          }
-
-          if (requestedEmail !== account.get('email')) {
-            throw OAuthErrors.toError('PROMPT_NONE_DIFFERENT_USER_SIGNED_IN');
-          }
-          return Promise.resolve();
        }
+
+        if (requestedEmail && requestedEmail !== account.get('email')) {
+          throw OAuthErrors.toError('PROMPT_NONE_DIFFERENT_USER_SIGNED_IN');
+        }
+
+        return Promise.resolve();
      })
      .then(() => {
        // account has all the right bits associated with it,
--- a/packages/fxa-content-server/app/tests/spec/models/reliers/oauth.js
+++ b/packages/fxa-content-server/app/tests/spec/models/reliers/oauth.js
@ -871,9 +871,14 @@ describe('models/reliers/oauth', () => {
        });
    });

-    it('rejects if the client does not specify an email or id_token_hint', () => {
+    it('allow if the client does not specify an email or id_token_hint', () => {
      relier.unset('email');
      relier.unset('idTokenHint');
+      sinon.stub(account, 'sessionVerificationStatus').callsFake(() => {
+        return Promise.resolve({
+          verified: true,
+        });
+      });
      account.set({
        email: 'testuser@testuser.com',
        sessionToken: 'token',
@ -881,10 +886,7 @@ describe('models/reliers/oauth', () => {
      });
      return relier
        .validatePromptNoneRequest(account)
-        .then(assert.fail, (err) => {
-          assert.isTrue(OAuthErrors.is(err, 'MISSING_PARAMETER'));
-          assert.equal(err.param, 'login_hint');
-        });
+        .then(assert.true, assert.fail);
    });

    it('rejects if no user is signed in', () => {