diff --git a/packages/fxa-auth-client/lib/client.ts b/packages/fxa-auth-client/lib/client.ts index 8efb03b7962..683ff03f61c 100644 --- a/packages/fxa-auth-client/lib/client.ts +++ b/packages/fxa-auth-client/lib/client.ts @@ -732,9 +732,13 @@ export default class AuthClient { ); } } catch (err) { - Sentry.captureMessage( - 'Failure to complete v2 key stretch upgrade.' - ); + Sentry.captureException(err, { + tags: { + errno: err?.errno, + endpoint: 'passwordChange', + source: 'v2-upgrade', + }, + }); } } else if (credentials.v2) { // Already using V2! Just sign in. @@ -1484,40 +1488,25 @@ export default class AuthClient { options: SessionReauthOptions = {}, headers?: Headers ): Promise { - const credentials = await crypto.getCredentials(email, password); - try { - const accountData = await this.sessionReauthWithAuthPW( - sessionToken, - email, - credentials.authPW, - options, - headers - ); - if (options.keys) { - accountData.unwrapBKey = credentials.unwrapBKey; - } - return accountData; - } catch (error: any) { - if ( - error && - error.email && - error.errno === ERRORS.INCORRECT_EMAIL_CASE && - !options.skipCaseError - ) { - options.skipCaseError = true; - options.originalLoginEmail = email; - - return this.sessionReauth( - sessionToken, - error.email, - password, - options, - headers - ); - } else { - throw error; - } + // v1 stretching salts using the accounts initial singup email, which + // can differ from the user's current primary email. Fetch the original + // account email up-front so we derive the correct authPW the first time. + const { email: derivationEmail } = await this.fetchVerifierEmail( + sessionToken, + headers + ); + const credentials = await crypto.getCredentials(derivationEmail, password); + const accountData = await this.sessionReauthWithAuthPW( + sessionToken, + derivationEmail, + credentials.authPW, + options, + headers + ); + if (options.keys) { + accountData.unwrapBKey = credentials.unwrapBKey; } + return accountData; } async sessionReauthWithAuthPW( @@ -1552,8 +1541,15 @@ export default class AuthClient { } = {}, headers?: Headers ): Promise { + // v1 stretching salts using the accounts initial singup email, which + // can differ from the user's current primary email. Fetch the original + // account email up-front so we derive the correct authPW the first time. + const { email: derivationEmail } = await this.fetchVerifierEmail( + sessionToken, + headers + ); const oldCredentials = await this.passwordChangeStart( - email, + derivationEmail, oldPassword, sessionToken, undefined, @@ -1586,7 +1582,7 @@ export default class AuthClient { let unwrapBKeyVersion2: string | undefined; if (this.keyStretchVersion === 2) { const v2Payload = await this.createPasswordChangeV2Payload( - email, + derivationEmail, newPassword, keys, newCredentials, @@ -1817,16 +1813,27 @@ export default class AuthClient { } = {}, headers?: Headers ): Promise { + // Both the old v1 credentials and the new v1 credentials are salted by + // the account's original signup email, which can differ from the + // user's current primary. Fetch the original account email up-front so + // every derivation below matches the stored verifier on the first try. + const { email: derivationEmail } = await this.fetchVerifierEmail( + sessionToken, + headers + ); const oldCredentials = await this.sessionReauth( sessionToken, - options.reauthEmail || email, + derivationEmail, oldPassword, { keys: true, }, headers ); - const oldCredentialsAuth = await crypto.getCredentials(email, oldPassword); + const oldCredentialsAuth = await crypto.getCredentials( + derivationEmail, + oldPassword + ); const oldAuthPW = oldCredentialsAuth.authPW; const keys = await this.accountKeys( @@ -1835,7 +1842,10 @@ export default class AuthClient { headers ); - const newCredentials = await crypto.getCredentials(email, newPassword); + const newCredentials = await crypto.getCredentials( + derivationEmail, + newPassword + ); const wrapKb = crypto.unwrapKB(keys.kB, newCredentials.unwrapBKey); const authPW = newCredentials.authPW; @@ -1849,7 +1859,7 @@ export default class AuthClient { wrapKbVersion2?: string; clientSalt?: string; } = { - email, + email: derivationEmail, oldAuthPW, authPW, wrapKb, @@ -1857,7 +1867,7 @@ export default class AuthClient { if (this.keyStretchVersion === 2) { const v2Payload = await this.createPasswordChangeV2Payload( - email, + derivationEmail, newPassword, keys, newCredentials, @@ -1872,37 +1882,7 @@ export default class AuthClient { }; } - try { - const accountData = await this.jwtPost( - '/mfa/password/change', - jwt, - payload, - headers - ); - - return accountData; - } catch (error: any) { - if ( - error && - error.email && - error.errno === ERRORS.INCORRECT_EMAIL_CASE && - !options.skipCaseError - ) { - options.skipCaseError = true; - options.reauthEmail = email; - return await this.passwordChangeWithJWT( - jwt, - error.email, - oldPassword, - newPassword, - sessionToken, - options, - headers - ); - } else { - throw error; - } - } + return this.jwtPost('/mfa/password/change', jwt, payload, headers); } async createPassword( @@ -3651,4 +3631,17 @@ export default class AuthClient { throw error; } } + + // Returns the account's signup email — the immutable PBKDF2 salt for v1 + // password derivation. Callers must use this email (not the user's current + // primary) when deriving v1 credentials so the resulting authPW matches + // the stored verifier on accounts whose primary email has been swapped. + // v2 accounts derive from `clientSalt` and don't need this — callers can + // short-circuit when verifierVersion === 2. + public async fetchVerifierEmail( + sessionToken: hexstring, + headers?: Headers + ): Promise<{ email: string; }> { + return this.sessionGet('/session/verifier-email', sessionToken, headers); + } } diff --git a/packages/fxa-auth-client/test/client.ts b/packages/fxa-auth-client/test/client.ts index 5ee2722d7ed..7e21094d79d 100644 --- a/packages/fxa-auth-client/test/client.ts +++ b/packages/fxa-auth-client/test/client.ts @@ -86,4 +86,87 @@ describe('lib/client', () => { assert.notEqual(lastInit?.credentials, 'include'); }); }); + + describe('use original account email for derivation for v1 password flows', () => { + let testClient: AuthClient; + let originalFetch: typeof globalThis.fetch; + const SESSION_TOKEN = '00'.repeat(32); + const SIGNUP_EMAIL = 'signup@example.com'; + const TYPED_EMAIL = 'primary-now@example.com'; + + let requests: Array<{ url: string; init: RequestInit | undefined }>; + let respondWith: ( + url: string, + init: RequestInit | undefined + ) => Response | Promise; + + before(() => { + testClient = new AuthClient('http://localhost:9000'); + }); + + beforeEach(() => { + originalFetch = globalThis.fetch; + requests = []; + // Default: respond with empty JSON for any path the test doesn't + // explicitly handle. Tests override `respondWith` to assert paths. + respondWith = () => + new Response('{}', { + status: 200, + headers: { 'Content-Type': 'application/json' }, + }); + globalThis.fetch = (async (url: string, init?: RequestInit) => { + requests.push({ url, init }); + return respondWith(url, init); + }) as typeof globalThis.fetch; + }); + + afterEach(() => { + globalThis.fetch = originalFetch; + }); + + it('fetchVerifierEmail GETs /session/verifier-email', async () => { + respondWith = () => + new Response( + JSON.stringify({ email: SIGNUP_EMAIL }), + { + status: 200, + headers: { 'Content-Type': 'application/json' }, + } + ); + const result = await testClient.fetchVerifierEmail(SESSION_TOKEN); + assert.deepEqual(result, { email: SIGNUP_EMAIL }); + assert.equal(requests.length, 1); + assert.ok(requests[0].url.endsWith('/session/verifier-email')); + assert.equal(requests[0].init?.method, 'GET'); + }); + + it('sessionReauth derives authPW from the original account email', async () => { + // First request must be /session/verifier-email returning the signup + // email; subsequent /session/reauth call should carry that email. + respondWith = (url) => { + if (url.includes('/session/verifier-email')) { + return new Response( + JSON.stringify({ email: SIGNUP_EMAIL }), + { + status: 200, + headers: { 'Content-Type': 'application/json' }, + } + ); + } + return new Response('{}', { + status: 200, + headers: { 'Content-Type': 'application/json' }, + }); + }; + // Caller passes the user's CURRENT primary; auth-client should + // ignore it and use the signup email server-side returns. + await testClient.sessionReauth(SESSION_TOKEN, TYPED_EMAIL, 'pw'); + assert.equal(requests[0].init?.method, 'GET'); + assert.ok(requests[0].url.includes('/session/verifier-email')); + const reauthReq = requests.find((r) => r.url.includes('/session/reauth')); + assert.ok(reauthReq, '/session/reauth should be called'); + const body = JSON.parse(reauthReq!.init?.body as string); + assert.equal(body.email, SIGNUP_EMAIL); + }); + }); }); diff --git a/packages/fxa-auth-server/docs/swagger/session-api.ts b/packages/fxa-auth-server/docs/swagger/session-api.ts index 60a2cfdc841..dbe65a910fe 100644 --- a/packages/fxa-auth-server/docs/swagger/session-api.ts +++ b/packages/fxa-auth-server/docs/swagger/session-api.ts @@ -154,6 +154,21 @@ const SESSION_VERIFY_PUSH_POST = { ], }; +const SESSION_VERIFIER_EMAIL_GET = { + ...TAGS_SESSION, + description: '/session/verifier-email', + notes: [ + dedent` + 🔒 Authenticated with session token + + Returns the account's signup email — the value used as the salt for v1 password derivation. Clients deriving v1 credentials must use this email (not the user's current primary email) so that the resulting authPW matches the stored verifier. Self-deprecating: v2 accounts derive from \`clientSalt\` and don't need this call; the endpoint can be removed once v1 is fully phased out. + + **Response object:** + - \`email\`: The account's signup email (\`accounts.email\`). + `, + ], +}; + const API_DOCS = { SESSION_DESTROY_POST, SESSION_DUPLICATE_POST, @@ -163,6 +178,7 @@ const API_DOCS = { SESSION_VERIFY_CODE_POST, SESSION_SEND_PUSH_POST, SESSION_VERIFY_PUSH_POST, + SESSION_VERIFIER_EMAIL_GET, }; export default API_DOCS; diff --git a/packages/fxa-auth-server/lib/routes/password.spec.ts b/packages/fxa-auth-server/lib/routes/password.spec.ts index 4cf0ef13c18..b4b83bd3746 100644 --- a/packages/fxa-auth-server/lib/routes/password.spec.ts +++ b/packages/fxa-auth-server/lib/routes/password.spec.ts @@ -559,7 +559,7 @@ describe('/password', () => { TEST_EMAIL, 'authenticatedPasswordChange' ); - expect(mockDB.accountRecord).toHaveBeenCalledWith(TEST_EMAIL); + expect(mockDB.account).toHaveBeenCalledWith(uid); expect(mockDB.createKeyFetchToken).toHaveBeenCalledTimes(1); expect(mockDB.createPasswordChangeToken).toHaveBeenCalledWith({ uid }); @@ -623,13 +623,54 @@ describe('/password', () => { TEST_EMAIL, 'authenticatedPasswordChange' ); - expect(mockDB.accountRecord).toHaveBeenCalledWith(TEST_EMAIL); + expect(mockDB.account).toHaveBeenCalledWith(uid); expect(mockDB.createKeyFetchToken).toHaveBeenCalledTimes(1); expect(mockDB.createPasswordChangeToken).toHaveBeenCalledWith({ uid }); expect(response.keyFetchToken).toBeTruthy(); expect(response.passwordChangeToken).toBeTruthy(); }); + + it('fails fast with INCORRECT_EMAIL_CASE when payload email does not match account.email', async () => { + const uid = uuid.v4({}, Buffer.alloc(16)).toString('hex'); + // Account's signup email is the canonical v1 PBKDF2 salt. + const mockDB = mocks.mockDB({ + email: 'signup@example.com', + uid, + emailVerified: true, + }); + const mockSession = await mockDB.createSessionToken({}); + const mockRequest = mocks.mockRequest({ + credentials: mockSession, + payload: { + // Client deriving with the current primary instead of the + // signup email — the FXA-13627 case. Server must surface the + // canonical email back via errno 120. + email: 'primary-now@example.com', + oldAuthPW: crypto.randomBytes(32).toString('hex'), + }, + log: mocks.mockLog(), + }); + const passwordRoutes = makeRoutes({ + db: mockDB, + push: mocks.mockPush(), + mailer: mocks.mockMailer(), + log: mocks.mockLog(), + customs: mocks.mockCustoms(), + statsd: mocks.mockStatsd(), + }); + + let err: any; + try { + await runRoute(passwordRoutes, '/password/change/start', mockRequest); + } catch (e) { + err = e; + } + expect(err).toBeDefined(); + expect(err.errno).toBe(error.ERRNO.INCORRECT_EMAIL_CASE); + expect(err.output.payload.email).toBe('signup@example.com'); + expect(mockDB.account).toHaveBeenCalledWith(uid); + }); }); describe('/change/finish', () => { @@ -1078,8 +1119,12 @@ describe('/password', () => { expect(response.authAt).toBeTruthy(); expect(response.keyFetchToken).toBeTruthy(); - // Verify database calls - expect(mockDB.account).toHaveBeenCalledTimes(1); + // Verify database calls. db.account is called twice now: once at + // the top of the handler to identify the account by sessionToken.uid + // (replaces the old `accountRecord(email)` lookup), and once inside + // changePassword to load the row for the reset. + expect(mockDB.account).toHaveBeenCalledTimes(2); + expect(mockDB.account).toHaveBeenNthCalledWith(1, uid); expect(mockDB.resetAccount).toHaveBeenCalledTimes(1); expect(mockDB.resetAccount).toHaveBeenCalledWith( expect.objectContaining({ uid }), @@ -1299,5 +1344,66 @@ describe('/password', () => { // verified (deprecated compat field) should remain present and consistent expect(response.verified).toBe(true); }); + + it('fails fast with INCORRECT_EMAIL_CASE when payload email does not match account.email', async () => { + const oldAuthPW = crypto.randomBytes(32).toString('hex'); + const authPW = crypto.randomBytes(32).toString('hex'); + const wrapKb = crypto.randomBytes(32).toString('hex'); + + // Account's signup email is the canonical v1 PBKDF2 salt. + mockDB = mocks.mockDB({ + email: 'signup@example.com', + uid, + emailVerified: true, + isPasswordMatchV1: true, + }); + + const mockRequest = mocks.mockRequest({ + log: mockLog, + auth: { + credentials: { + uid, + email: 'signup@example.com', + emailVerified: true, + tokenVerified: true, + authenticatorAssuranceLevel: 2, + lastAuthAt: () => Date.now(), + data: crypto.randomBytes(32).toString('hex'), + }, + }, + payload: { + // Client deriving with the current primary instead of the + // signup email — the FXA-13627 case. Server must surface the + // canonical email back via errno 120 instead of silently + // failing the password verification. + email: 'primary-now@example.com', + oldAuthPW, + authPW, + wrapKb, + }, + query: { keys: 'true' }, + }); + + const passwordRoutes = makeRoutes({ + db: mockDB, + mailer: mockMailer, + push: mockPush, + log: mockLog, + statsd: mockStatsd, + customs: mockCustoms, + }); + + let err: any; + try { + await runRoute(passwordRoutes, '/mfa/password/change', mockRequest); + } catch (e) { + err = e; + } + expect(err).toBeDefined(); + expect(err.errno).toBe(error.ERRNO.INCORRECT_EMAIL_CASE); + expect(err.output.payload.email).toBe('signup@example.com'); + // Reset must not be invoked when the email mismatch is rejected. + expect(mockDB.resetAccount).not.toHaveBeenCalled(); + }); }); }); diff --git a/packages/fxa-auth-server/lib/routes/password.ts b/packages/fxa-auth-server/lib/routes/password.ts index 7b46b929ce7..4cba3c50cdb 100644 --- a/packages/fxa-auth-server/lib/routes/password.ts +++ b/packages/fxa-auth-server/lib/routes/password.ts @@ -125,10 +125,10 @@ module.exports = function ( let passwordChangeToken: any | undefined = undefined; try { - const emailRecord = await db.accountRecord(email); + const emailRecord = await db.account(sessionToken.uid); - if (sessionToken.uid !== emailRecord.uid) { - throw error.invalidToken('Invalid session token'); + if (!emailsMatch(email, emailRecord.email)) { + throw error.incorrectPassword(emailRecord.email, form.email); } const password = new Password( @@ -661,7 +661,11 @@ module.exports = function ( clientSalt?: string; }; - const emailRecord = await db.accountRecord(email); + const emailRecord = await db.account(uid); + + if (!emailsMatch(email, emailRecord.email)) { + throw error.incorrectPassword(emailRecord.email, email); + } const password = new Password( oldAuthPW, diff --git a/packages/fxa-auth-server/lib/routes/session.js b/packages/fxa-auth-server/lib/routes/session.js index 55e12d83edb..756d14dada2 100644 --- a/packages/fxa-auth-server/lib/routes/session.js +++ b/packages/fxa-auth-server/lib/routes/session.js @@ -5,6 +5,7 @@ 'use strict'; const { AppError: error } = require('@fxa/accounts/errors'); +const { emailsMatch } = require('fxa-shared/email/helpers'); const isA = require('joi'); const requestHelper = require('../routes/utils/request_helper'); const METRICS_CONTEXT_SCHEMA = require('../metrics/context').schema; @@ -176,19 +177,19 @@ module.exports = function ( throw error.disabledClientId(service); } - const account = await db.accountRecord(email); - if (account.uid !== sessionToken.uid) { - throw error.unknownAccount(email); + const account = await db.account(sessionToken.uid); + if (!emailsMatch(email, account.email)) { + throw error.incorrectPassword(account.email, email); } - const { accountRecord } = await signinUtils.checkCustomsAndLoadAccount( + await signinUtils.checkCustomsAndLoadAccount( request, email, sessionToken.uid ); // Start temporary metrics section - if (!account?.primaryEmail?.isVerified) { + if (!account.primaryEmail?.isVerified) { statsd.increment( 'session_reauth.primary_email_not_verified', getClientServiceTags(request) @@ -211,29 +212,29 @@ module.exports = function ( // End temporary metrics section await signinUtils.checkEmailAddress( - accountRecord, + account, email, originalLoginEmail ); const password = new Password( authPW, - accountRecord.authSalt, - accountRecord.verifierVersion + account.authSalt, + account.verifierVersion ); const match = await signinUtils.checkPassword( - accountRecord, + account, password, request ); if (!match) { - throw error.incorrectPassword(accountRecord.email, email); + throw error.incorrectPassword(account.email, email); } // Check to see if the user has a TOTP token and it is verified and // enabled, if so then the verification method is automatically forced so that // they have to verify the token. - const hasTotpToken = await otpUtils.hasTotpToken(accountRecord); + const hasTotpToken = await otpUtils.hasTotpToken(account); if (hasTotpToken) { // User has enabled TOTP, no way around it, they must verify TOTP token verificationMethod = 'totp-2fa'; @@ -264,7 +265,7 @@ module.exports = function ( await signinUtils.sendSigninNotifications( request, - accountRecord, + account, sessionToken, verificationMethod ); @@ -272,14 +273,14 @@ module.exports = function ( const response = { uid: sessionToken.uid, authAt: sessionToken.lastAuthAt(), - metricsEnabled: !accountRecord.metricsOptOut, + metricsEnabled: !account.metricsOptOut, emailVerified: sessionToken.emailVerified, }; if (requestHelper.wantsKeys(request)) { const keyFetchToken = await signinUtils.createKeyFetchToken( request, - accountRecord, + account, password, sessionToken ); @@ -367,6 +368,29 @@ module.exports = function ( }; }, }, + { + method: 'GET', + path: '/session/verifier-email', + options: { + ...SESSION_DOCS.SESSION_VERIFIER_EMAIL_GET, + auth: { + strategy: 'sessionToken', + }, + response: { + schema: isA.object({ + email: isA.string().required(), + }), + }, + }, + handler: async function (request) { + log.begin('Session.verifierEmail', request); + const sessionToken = request.auth.credentials; + const account = await db.account(sessionToken.uid); + return { + email: account.email + }; + }, + }, { method: 'POST', path: '/session/duplicate', diff --git a/packages/fxa-auth-server/lib/routes/session.spec.ts b/packages/fxa-auth-server/lib/routes/session.spec.ts index 697d8766b73..c5ae99ffbd3 100644 --- a/packages/fxa-auth-server/lib/routes/session.spec.ts +++ b/packages/fxa-auth-server/lib/routes/session.spec.ts @@ -430,6 +430,37 @@ describe('/session/status', () => { }); }); +describe('/session/verifier-email', () => { + let log: any, db: any, config: any, routes: any, route: any; + + beforeEach(() => { + jest.clearAllMocks(); + log = mocks.mockLog(); + mocks.mockFxaMailer(); + mocks.mockOAuthClientInfo(); + db = { + account: jest.fn().mockResolvedValue({ + uid: 'account-123', + email: 'signup@example.com', + }), + }; + config = {}; + routes = makeRoutes({ log, db, config }); + route = getRoute(routes, '/session/verifier-email'); + }); + + it('returns the signup email for the session uid', async () => { + const request = mocks.mockRequest({ + credentials: { uid: 'account-123' }, + }); + const resp = await runTest(route, request); + expect(db.account).toHaveBeenCalledWith('account-123'); + expect(resp).toEqual({ + email: 'signup@example.com', + }); + }); +}); + describe('/session/reauth', () => { const TEST_EMAIL = 'foo@example.com'; const TEST_UID = 'abcdef123456'; @@ -527,8 +558,10 @@ describe('/session/reauth', () => { expect(checkCustomsArgs[0]).toBe(request); expect(checkCustomsArgs[1]).toBe(TEST_EMAIL); - expect(db.accountRecord).toHaveBeenCalledTimes(2); - expect(db.accountRecord).toHaveBeenNthCalledWith(1, TEST_EMAIL); + + expect(db.account).toHaveBeenCalledTimes(1); + expect(db.account).toHaveBeenNthCalledWith(1, TEST_UID); + expect(db.accountRecord).toHaveBeenCalledTimes(1); expect(signinUtils.checkEmailAddress).toHaveBeenCalledTimes(1); const checkEmailArgs = signinUtils.checkEmailAddress.mock.calls[0]; @@ -583,10 +616,10 @@ describe('/session/reauth', () => { }); }); - it('erorrs when session uid and email account uid mismatch', () => { + it('errors with INCORRECT_EMAIL_CASE when payload email does not match account.email', () => { db = mocks.mockDB({ - email: 'hello@bs.gg', - uid: 'quux', + email: 'signup@example.com', + uid: TEST_UID, }); const routes = makeRoutes({ log, @@ -599,15 +632,20 @@ describe('/session/reauth', () => { const route = getRoute(routes, '/session/reauth'); const req = { ...request, - payload: { ...request.payload, email: 'hello@bs.gg' }, + // Client sends current primary instead of the signup email — has been a + // common issue with client side implementations. Server must surface + // the original account email back so the client can derive the correct + // V1 authPW. + payload: { ...request.payload, email: 'primary-now@example.com' }, }; return runTest(route, req).then( () => { throw new Error('request should have been rejected'); }, (err: any) => { - expect(db.accountRecord).toHaveBeenCalledTimes(1); - expect(err.errno).toBe(error.ERRNO.ACCOUNT_UNKNOWN); + expect(db.account).toHaveBeenCalledTimes(1); + expect(err.errno).toBe(error.ERRNO.INCORRECT_EMAIL_CASE); + expect(err.output.payload.email).toBe('signup@example.com'); } ); }); diff --git a/packages/fxa-auth-server/test/mocks.js b/packages/fxa-auth-server/test/mocks.js index bca6e9bf994..c86084b5a35 100644 --- a/packages/fxa-auth-server/test/mocks.js +++ b/packages/fxa-auth-server/test/mocks.js @@ -420,7 +420,11 @@ function mockDB(data, errors) { ], uid: uid || data.uid, // Prefer the uid parameter, fall back to data.uid verifierSetAt: data.verifierSetAt ?? Date.now(), - wrapWrapKb: data.wrapWrapKb, + // Match `accountRecord` so flows that switched from + // `accountRecord(email)` to `account(uid)` get a usable record. + kA: data.kA || crypto.randomBytes(32), + wrapWrapKb: data.wrapWrapKb || crypto.randomBytes(32), + verifierVersion: data.verifierVersion ?? 1, metricsOptOutAt: data.metricsOptOutAt || null, }); }), diff --git a/packages/fxa-auth-server/test/remote/password_change.in.spec.ts b/packages/fxa-auth-server/test/remote/password_change.in.spec.ts index 215973189e2..4795ab36530 100644 --- a/packages/fxa-auth-server/test/remote/password_change.in.spec.ts +++ b/packages/fxa-auth-server/test/remote/password_change.in.spec.ts @@ -508,7 +508,7 @@ describe.each(testVersions)( ); fail('Should have failed.'); } catch (err: any) { - expect(err.message).toBe('Invalid session token'); + expect(err.message).toBe('Incorrect email case'); } });