Update password policy cache in sign-in flow when the password does not meet the backend requirements (#7435)

ch5zzy · web-flow · commit 153201210394 · 2023-07-17T13:26:02.000-07:00
* Update signInWithEmailAndPassword to handle updating password policy cache

* Remove await on calls recachePasswordPolicy

* Throw errors instead of rejecting promises
diff --git a/packages/auth/src/core/strategies/email_and_password.test.ts b/packages/auth/src/core/strategies/email_and_password.test.ts
@@ -59,6 +59,9 @@ const TEST_REFRESH_TOKEN = 'refresh-token';
 const TEST_TOKEN_EXPIRY_TIME = '1234';
 
 const TEST_LOCAL_ID = 'local-id';
+const TEST_SERVER_USER: APIUserInfo = {
+  localId: TEST_LOCAL_ID
+};
 
 const TEST_EMAIL = 'foo@bar.com';
 const TEST_PASSWORD = 'some-password';
@@ -543,9 +546,7 @@ describe('core/strategies/verifyPasswordResetCode', () => {
 
 describe('core/strategies/email_and_password/createUserWithEmailAndPassword', () => {
   let auth: TestAuth;
-  const serverUser: APIUserInfo = {
-    localId: TEST_LOCAL_ID
-  };
+  const serverUser: APIUserInfo = TEST_SERVER_USER;
 
   beforeEach(async () => {
     auth = await testAuth();
@@ -758,9 +759,7 @@ describe('core/strategies/email_and_password/createUserWithEmailAndPassword', ()
 
 describe('core/strategies/email_and_password/signInWithEmailAndPassword', () => {
   let auth: TestAuth;
-  const serverUser: APIUserInfo = {
-    localId: TEST_LOCAL_ID
-  };
+  const serverUser: APIUserInfo = TEST_SERVER_USER;
 
   beforeEach(async () => {
     auth = await testAuth();
@@ -842,6 +841,17 @@ describe('password policy cache is updated in auth flows upon error', () => {
   let policyEndpointMockWithTenant: mockFetch.Route;
   let policyEndpointMockWithOtherTenant: mockFetch.Route;
 
+  /**
+   * Wait for 50ms to allow the password policy to be fetched and recached.
+   */
+  async function waitForRecachePasswordPolicy(): Promise<void> {
+    await new Promise<void>(resolve => {
+      setTimeout(() => {
+        resolve();
+      }, 50);
+    });
+  }
+
   beforeEach(async () => {
     auth = await testAuth();
     mockFetch.setUp();
@@ -868,10 +878,6 @@ describe('password policy cache is updated in auth flows upon error', () => {
   afterEach(mockFetch.tearDown);
 
   context('#createUserWithEmailAndPassword', () => {
-    const TEST_SERVER_USER: APIUserInfo = {
-      localId: TEST_LOCAL_ID
-    };
-
     beforeEach(() => {
       mockEndpoint(Endpoint.SIGN_UP, {
         idToken: TEST_ID_TOKEN,
@@ -889,6 +895,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
         createUserWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
       ).to.be.fulfilled;
 
+      // Wait to ensure the password policy is not fetched and recached.
+      await waitForRecachePasswordPolicy();
+
       expect(policyEndpointMock.calls.length).to.eq(0);
       expect(auth._getPasswordPolicyInternal()).to.be.null;
     });
@@ -900,6 +909,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
         createUserWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
       ).to.be.fulfilled;
 
+      // Wait to ensure the password policy is not fetched and recached.
+      await waitForRecachePasswordPolicy();
+
       expect(policyEndpointMock.calls.length).to.eq(1);
       expect(auth._getPasswordPolicyInternal()).to.eql(CACHED_PASSWORD_POLICY);
     });
@@ -931,6 +943,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
           createUserWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
 
+        // Wait for the password policy to be fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMock.calls.length).to.eq(2);
         expect(auth._getPasswordPolicyInternal()).to.eql(
           CACHED_PASSWORD_POLICY_REQUIRE_NUMERIC
@@ -952,6 +967,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
           createUserWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
 
+        // Wait for the password policy to be fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMockWithTenant.calls.length).to.eq(2);
         expect(auth._getPasswordPolicyInternal()).to.eql(
           CACHED_PASSWORD_POLICY_REQUIRE_NUMERIC
@@ -965,6 +983,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
           createUserWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
 
+        // Wait for the password policy to be fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMock.calls.length).to.eq(0);
         expect(auth._getPasswordPolicyInternal()).to.be.null;
       });
@@ -981,6 +1002,10 @@ describe('password policy cache is updated in auth flows upon error', () => {
         await expect(
           createUserWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
+
+        // Wait to ensure the password policy is not fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMockWithOtherTenant.calls.length).to.eq(0);
         expect(auth._getPasswordPolicyInternal()).to.be.undefined;
       });
@@ -1000,6 +1025,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
       await expect(confirmPasswordReset(auth, TEST_OOB_CODE, TEST_PASSWORD)).to
         .be.fulfilled;
 
+      // Wait to ensure the password policy is not fetched and recached.
+      await waitForRecachePasswordPolicy();
+
       expect(policyEndpointMock.calls.length).to.eq(0);
       expect(auth._getPasswordPolicyInternal()).to.be.null;
     });
@@ -1010,6 +1038,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
       await expect(confirmPasswordReset(auth, TEST_OOB_CODE, TEST_PASSWORD)).to
         .be.fulfilled;
 
+      // Wait to ensure the password policy is not fetched and recached.
+      await waitForRecachePasswordPolicy();
+
       expect(policyEndpointMock.calls.length).to.eq(1);
       expect(auth._getPasswordPolicyInternal()).to.eql(CACHED_PASSWORD_POLICY);
     });
@@ -1041,6 +1072,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
           confirmPasswordReset(auth, TEST_OOB_CODE, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
 
+        // Wait for the password policy to be fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMock.calls.length).to.eq(2);
         expect(auth._getPasswordPolicyInternal()).to.eql(
           CACHED_PASSWORD_POLICY_REQUIRE_NUMERIC
@@ -1062,6 +1096,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
           confirmPasswordReset(auth, TEST_OOB_CODE, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
 
+        // Wait for the password policy to be fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMockWithTenant.calls.length).to.eq(2);
         expect(auth._getPasswordPolicyInternal()).to.eql(
           CACHED_PASSWORD_POLICY_REQUIRE_NUMERIC
@@ -1075,6 +1112,9 @@ describe('password policy cache is updated in auth flows upon error', () => {
           confirmPasswordReset(auth, TEST_OOB_CODE, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
 
+        // Wait to ensure the password policy is not fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMock.calls.length).to.eq(0);
         expect(auth._getPasswordPolicyInternal()).to.be.null;
       });
@@ -1091,6 +1131,143 @@ describe('password policy cache is updated in auth flows upon error', () => {
         await expect(
           confirmPasswordReset(auth, TEST_OOB_CODE, TEST_PASSWORD)
         ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
+
+        // Wait to ensure the password policy is not fetched and recached.
+        await waitForRecachePasswordPolicy();
+
+        expect(policyEndpointMockWithOtherTenant.calls.length).to.eq(0);
+        expect(auth._getPasswordPolicyInternal()).to.be.undefined;
+      });
+    });
+  });
+
+  context('#signInWithEmailAndPassword', () => {
+    beforeEach(() => {
+      mockEndpoint(Endpoint.SIGN_IN_WITH_PASSWORD, {
+        idToken: TEST_ID_TOKEN,
+        refreshToken: TEST_REFRESH_TOKEN,
+        expiresIn: TEST_TOKEN_EXPIRY_TIME,
+        localId: TEST_SERVER_USER.localId!
+      });
+      mockEndpoint(Endpoint.GET_ACCOUNT_INFO, {
+        users: [TEST_SERVER_USER]
+      });
+    });
+
+    it('does not update the cached password policy upon successful sign-in when there is no existing policy cache', async () => {
+      await expect(signInWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD))
+        .to.be.fulfilled;
+
+      // Wait to ensure the password policy is not fetched and recached.
+      await waitForRecachePasswordPolicy();
+
+      expect(policyEndpointMock.calls.length).to.eq(0);
+      expect(auth._getPasswordPolicyInternal()).to.be.null;
+    });
+
+    it('does not update the cached password policy upon successful sign-in when there is an existing policy cache', async () => {
+      await auth._updatePasswordPolicy();
+
+      await expect(signInWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD))
+        .to.be.fulfilled;
+
+      // Wait to ensure the password policy is not fetched and recached.
+      await waitForRecachePasswordPolicy();
+
+      expect(policyEndpointMock.calls.length).to.eq(1);
+      expect(auth._getPasswordPolicyInternal()).to.eql(CACHED_PASSWORD_POLICY);
+    });
+
+    context('handles password validation errors', () => {
+      beforeEach(() => {
+        mockEndpoint(
+          Endpoint.SIGN_IN_WITH_PASSWORD,
+          {
+            error: {
+              code: 400,
+              message: ServerError.PASSWORD_DOES_NOT_MEET_REQUIREMENTS
+            }
+          },
+          400
+        );
+      });
+
+      it('updates the cached password policy when password does not meet backend requirements for the project', async () => {
+        await auth._updatePasswordPolicy();
+        expect(policyEndpointMock.calls.length).to.eq(1);
+        expect(auth._getPasswordPolicyInternal()).to.eql(
+          CACHED_PASSWORD_POLICY
+        );
+
+        // Password policy changed after previous fetch.
+        policyEndpointMock.response = PASSWORD_POLICY_RESPONSE_REQUIRE_NUMERIC;
+        await expect(
+          signInWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
+        ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
+
+        // Wait for the password policy to be fetched and recached.
+        await waitForRecachePasswordPolicy();
+
+        expect(policyEndpointMock.calls.length).to.eq(2);
+        expect(auth._getPasswordPolicyInternal()).to.eql(
+          CACHED_PASSWORD_POLICY_REQUIRE_NUMERIC
+        );
+      });
+
+      it('updates the cached password policy when password does not meet backend requirements for the tenant', async () => {
+        auth.tenantId = TEST_TENANT_ID;
+        await auth._updatePasswordPolicy();
+        expect(policyEndpointMockWithTenant.calls.length).to.eq(1);
+        expect(auth._getPasswordPolicyInternal()).to.eql(
+          CACHED_PASSWORD_POLICY
+        );
+
+        // Password policy changed after previous fetch.
+        policyEndpointMockWithTenant.response =
+          PASSWORD_POLICY_RESPONSE_REQUIRE_NUMERIC;
+        await expect(
+          signInWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
+        ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
+
+        // Wait for the password policy to be fetched and recached.
+        await waitForRecachePasswordPolicy();
+
+        expect(policyEndpointMockWithTenant.calls.length).to.eq(2);
+        expect(auth._getPasswordPolicyInternal()).to.eql(
+          CACHED_PASSWORD_POLICY_REQUIRE_NUMERIC
+        );
+      });
+
+      it('does not update the cached password policy upon error if policy has not previously been fetched', async () => {
+        expect(auth._getPasswordPolicyInternal()).to.be.null;
+
+        await expect(
+          signInWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
+        ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
+
+        // Wait to ensure the password policy is not fetched and recached.
+        await waitForRecachePasswordPolicy();
+
+        expect(policyEndpointMock.calls.length).to.eq(0);
+        expect(auth._getPasswordPolicyInternal()).to.be.null;
+      });
+
+      it('does not update the cached password policy upon error if tenant changes and policy has not previously been fetched', async () => {
+        auth.tenantId = TEST_TENANT_ID;
+        await auth._updatePasswordPolicy();
+        expect(policyEndpointMockWithTenant.calls.length).to.eq(1);
+        expect(auth._getPasswordPolicyInternal()).to.eql(
+          CACHED_PASSWORD_POLICY
+        );
+
+        auth.tenantId = TEST_TENANT_ID_REQUIRE_NUMERIC;
+        await expect(
+          signInWithEmailAndPassword(auth, TEST_EMAIL, TEST_PASSWORD)
+        ).to.be.rejectedWith(FirebaseError, PASSWORD_ERROR_MSG);
+
+        // Wait to ensure the password policy is not fetched and recached.
+        await waitForRecachePasswordPolicy();
+
         expect(policyEndpointMockWithOtherTenant.calls.length).to.eq(0);
         expect(auth._getPasswordPolicyInternal()).to.be.undefined;
       });
diff --git a/packages/auth/src/core/strategies/email_and_password.ts b/packages/auth/src/core/strategies/email_and_password.ts
@@ -184,10 +184,10 @@ export async function confirmPasswordReset(
         error.code ===
         `auth/${AuthErrorCode.PASSWORD_DOES_NOT_MEET_REQUIREMENTS}`
       ) {
-        await recachePasswordPolicy(auth);
+        void recachePasswordPolicy(auth);
       }
 
-      return Promise.reject(error);
+      throw error;
     });
   // Do not return the email.
 }
@@ -343,10 +343,10 @@ export async function createUserWithEmailAndPassword(
           error.code ===
           `auth/${AuthErrorCode.PASSWORD_DOES_NOT_MEET_REQUIREMENTS}`
         ) {
-          await recachePasswordPolicy(auth);
+          void recachePasswordPolicy(auth);
         }
 
-        return Promise.reject(error);
+        throw error;
       }
     });
   }
@@ -389,5 +389,13 @@ export function signInWithEmailAndPassword(
   return signInWithCredential(
     getModularInstance(auth),
     EmailAuthProvider.credential(email, password)
-  );
+  ).catch(async error => {
+    if (
+      error.code === `auth/${AuthErrorCode.PASSWORD_DOES_NOT_MEET_REQUIREMENTS}`
+    ) {
+      void recachePasswordPolicy(auth);
+    }
+
+    throw error;
+  });
 }
