Skip to content

fix(auth): Address keystretch upgrade failure#20533

Draft
dschom wants to merge 1 commit into
mainfrom
FXA-13627
Draft

fix(auth): Address keystretch upgrade failure#20533
dschom wants to merge 1 commit into
mainfrom
FXA-13627

Conversation

@dschom

@dschom dschom commented May 6, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Because

  • We were getting a strong signal in Sentry that some accounts were experiencing v1->v2 key stretching upgrade failures.

This pull request

  • Makes the process more reliable by fetching the original account email before starting the key-stretching upgrade process.
  • This is simpler and less error prone than starting the upgrade process, waiting for an incorrectPassword to provide the correct email to use as a salt, and then having to try again.

Issue that this pull request solves

Closes: FXA-13627

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

Any other information that is important to this pull request.

@dschom dschom force-pushed the FXA-13627 branch 3 times, most recently from 8fca746 to 9ef88dd Compare May 7, 2026 23:01
@dschom dschom changed the title wip WIP - Fix keystretch upgrade failure May 14, 2026
@dschom dschom marked this pull request as ready for review May 15, 2026 23:17
@dschom dschom requested a review from a team as a code owner May 15, 2026 23:17
@dschom dschom force-pushed the FXA-13627 branch 2 times, most recently from 3a9e392 to b989dd5 Compare May 15, 2026 23:29
dschom
dschom commented May 19, 2026
View reviewed changes
Comment thread packages/fxa-auth-server/lib/routes/password.ts

if (sessionToken.uid !== emailRecord.uid) {
throw error.invalidToken('Invalid session token');
if (!emailsMatch(email, emailRecord.email)) {

@dschom dschom May 19, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can go ahead and do this check here. There's not point in going further if we know the salt is wrong.

@dschom dschom changed the title WIP - Fix keystretch upgrade failure fix(auth): Address keystretch upgrade failure May 19, 2026
dschom
dschom commented May 27, 2026
View reviewed changes
Comment thread packages/fxa-auth-client/lib/client.ts
const credentials = await crypto.getCredentials(email, password);
try {
const accountData = await this.sessionReauthWithAuthPW(
// v1 stretching salts using the account's initial signup email, which can

@dschom dschom May 27, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was recommended after working through the issue with Claude. The end result was that despite adding an extra call, this is a much more reliable way to conduct the upgrade, see my comment a little bit further down about some confusing semantics and the source of this error...

dschom
dschom commented May 27, 2026
View reviewed changes
Comment thread packages/fxa-auth-client/lib/client.ts
// via checkEmailAddress). Map the helper's args onto the wire format.
const accountData = await this.sessionReauthWithAuthPW(
sessionToken,
derivationEmail,

@dschom dschom May 27, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No more catching the incorrect email case error and retrying. This should just work now...

@dschom dschom marked this pull request as draft May 27, 2026 23:37
@dschom
bug(auth,settings): Ensure original email is used for password change…
e73e34d 
…s and session reauths

Because:
- v1 password stretching salts using the account's original signup
  email, which can differ from the user's current primary. Clients that
  used the typed/current primary computed the wrong authPW on the first
  try, forcing email-case retry logic and brittle lookahead in the
  password-change and reauth flows.

This commit:
- Adds GET /session/original-account-email returning the account's
  signup email for the authenticated session, with swagger docs.
- Adds AuthClient.fetchOriginalAccountEmail and uses it in
  sessionReauth, passwordChange, and passwordChangeWithAuthPW so v1
  derivations match the stored verifier on the first attempt.
- Threads originalLoginEmail through SessionReauthOptions so callers
  that already fetched the email (e.g. passwordChangeWithAuthPW) avoid
  a redundant round-trip.
- Updates auth-server route, password.ts, and remote tests to the new
  flow; renames the sessionReauth parameter email -> primaryEmail to
  disambiguate from the derivation email.
- Replaces a Sentry.captureMessage with captureException(err, { tags })
  on the v2-upgrade failure path so stacks are preserved.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dschom