Conversation

@vbudhram
Contributor

Because

  • Endpoints with /mfa variants were deprecated but still existed in the codebase, causing confusion and maintenance burden
  • Session and account verification checks were duplicated in both auth strategies and route handlers
  • Auth strategies now handle session verification, making handler-level checks redundant

This pull request

Removes deprecated endpoints (replaced with /mfa variants):

  • POST /recovery_email
  • POST /recovery_email/destroy
  • POST /recovery_email/set_primary
  • POST /recovery_email/secondary/verify_code
  • POST /recovery_email/secondary/resend_code
  • POST /totp/destroy
  • POST /totp/replace/start
  • POST /totp/replace/confirm
  • POST /recovery_phone/change
  • POST /password/forgot/send_code
  • POST /password/forgot/resend_code
  • GET /password/forgot/status

Updates auth strategies to verifiedSessionToken:

  • POST /totp/setup/verify
  • POST /totp/setup/complete
  • POST /recoveryKey/verify
  • POST /password/create

Removes redundant session verification checks:

  • Removes unverifiedAccount() and unverifiedSession() checks from handlers in totp.js, emails.js, recovery-key.js, and password.ts (now handled by auth strategies)

Deletes corresponding tests for all removed endpoints and outdated verification checks

Issue that this pull request solves

Closes: https://mozilla-hub.atlassian.net/browse/FXA-12420

Checklist

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).

Other information (Optional)

This is a breaking change for any clients still using the deprecated endpoints. All affected endpoints have /mfa variants that should be used instead. The inline setup flows (setup recovery key, setup TOTP) continue to use their non-/mfa endpoints as those are still needed.
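The security point behind the "redundant checks" cleanup is that session verification is enforced once, in the auth strategy, instead of being repeated (or forgotten) in each handler. The following is an added illustration and is not code from this pull request or from the FxA auth-server; it models two strategies, an any-session `sessionToken` and a `verifiedSessionToken` that rejects unverified sessions before the handler runs. The in-memory session store, the route names, and the status codes (401 for an unknown token, 403 for an unverified session) are constructed assumptions for the example.

```javascript
// Added example, not FxA auth-server code. Models how an auth strategy can
// enforce session verification centrally so route handlers carry no
// unverifiedSession()-style checks of their own.

// Constructed in-memory session store standing in for a real lookup.
const SESSIONS = new Map([
  ['tok-verified',   { uid: 'u1', verified: true }],
  ['tok-unverified', { uid: 'u2', verified: false }],
]);

// Each strategy inspects the request and returns either
// { credentials } on success or { error: <http status> } on failure.
const STRATEGIES = {
  // Any valid session token, verified or not.
  sessionToken(request) {
    const session = SESSIONS.get(request.token);
    return session ? { credentials: session } : { error: 401 };
  },
  // Valid *and* verified session token. The unverified case is rejected
  // here, so no handler behind this strategy needs to repeat the check.
  // (Assumed semantics and assumed status codes for this example.)
  verifiedSessionToken(request) {
    const session = SESSIONS.get(request.token);
    if (!session) return { error: 401 };
    if (!session.verified) return { error: 403, reason: 'unverified session' };
    return { credentials: session };
  },
};

// A route declares its strategy once; its handler trusts request.auth.
function makeRoute(strategy, handler) {
  return { strategy, handler };
}

// Minimal dispatcher: run the strategy, call the handler only on success.
function dispatch(route, request) {
  const strategy = STRATEGIES[route.strategy];
  if (!strategy) return { status: 500, reason: 'unknown auth strategy' };
  const auth = strategy(request);
  if (auth.error) return { status: auth.error, reason: auth.reason || 'unauthorized' };
  return route.handler({ ...request, auth: auth.credentials });
}

// Handler with no inline verification check: the strategy already did it.
const totpSetupVerify = makeRoute('verifiedSessionToken', (request) => ({
  status: 200,
  body: { uid: request.auth.uid, action: 'totp-setup-verify' },
}));

// For contrast, a route that legitimately serves unverified sessions.
const sessionStatus = makeRoute('sessionToken', (request) => ({
  status: 200,
  body: { uid: request.auth.uid, verified: request.auth.verified },
}));

// Usage: dispatch(totpSetupVerify, { token: 'tok-unverified' }) never
// reaches the handler; dispatch(sessionStatus, { token: 'tok-unverified' }) does.
```

The useful property is that a reviewer can audit authorization by reading each route's declared strategy rather than reading every handler body, and a new handler added under `verifiedSessionToken` is protected even if its author forgets to check.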

@vbudhram requested a review from a team as a code owner on December 30, 2025 at 17:33.
@vbudhram changed the title from "Fxa 12420" to "Remove routes that have mfa variants, update routes to use verifiedSessionToken as needed" on Dec 30, 2025.
@vbudhram force-pushed the fxa-12420 branch 2 times, most recently from e86b183 to 46fb97d on January 2, 2026 at 17:29.