Skip to content

chore(functional-tests): default test accounts to v2 key stretching#20556

Closed
dschom wants to merge 2 commits intomainfrom
chore/test-accounts-v2-default
Closed

chore(functional-tests): default test accounts to v2 key stretching#20556
dschom wants to merge 2 commits intomainfrom
chore/test-accounts-v2-default

Conversation

@dschom
Copy link
Copy Markdown
Contributor

@dschom dschom commented May 9, 2026

Summary

  • Default `BaseTarget`'s auth-client to `keyStretchVersion=2` (still overridable via `AUTH_CLIENT_KEY_STRETCH_VERSION`). Real new accounts have been created with v2 key stretching for a while; matching that in tests removes an unnecessary v1→v2 upgrade flow on every sign-in and makes the test setup line up with production.
  • Switch the two v1-specific tests in `authClientV2.spec.ts` (`it creates with v1 and signs in`, `it creates with v1 and upgrades to v2 on signin`) to use `target.createAuthClient(1)` explicitly, so they keep exercising the v1 path even though the shared client is now v2. The peer v2 test in the same file already uses `target.createAuthClient(2)`, so this matches the existing pattern.

Pre-work that's independent of, but related to, #20543 (the actual VPN-integration race fix).

Test plan

  • CI: `auth-client-tests` should still pass (both v1 and v2 cases)
  • CI: existing functional tests that use `testAccountTracker.signUp` continue passing — the auth-server accepts both v1 and v2 password hashes on `/account/create`, so any test that signs in with either still works.

🤖 Generated with Claude Code

dschom and others added 2 commits May 8, 2026 17:10
@dschom @claude
fix(functional-tests): default test accounts to v2 key stretching
6e63a42 
Because:
* The vpn integration "authorization flow" test was flaky with a 401 on
  the second /oauth/authorization call. testAccountTracker creates v1
  accounts, so the first sign-in triggers a v1→v2 upgrade
  (password/change/start + finish) that bumps account.verifierSetAt.
  The cached session still works for /account/profile and /session/status,
  but the assertion JWT used by /oauth/authorization fails validation
  and the OAuth code is never issued — so fxaOAuthLogin is never sent
  and the test times out.
* v2 is the state real new accounts are created in nowadays, so the
  test setup should match.

This commit:
* Defaults BaseTarget's auth-client to keyStretchVersion=2 (overridable
  via AUTH_CLIENT_KEY_STRETCH_VERSION). Accounts created via
  testAccountTracker.signUp now register both v1 and v2 password hashes,
  so the in-app upgrade branch is skipped and the cached session
  remains valid across consecutive OAuth flows.

closes FXA-13687

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dschom @claude
test(functional-tests): force v1 auth client in v1-specific tests
4cf65c5 
Because:
* The two authClientV2.spec.ts tests "it creates with v1 and signs in"
  and "it creates with v1 and upgrades to v2 on signin" were using
  target.authClient implicitly. With the previous commit defaulting
  the shared auth client to v2 key stretching, those tests would now
  create v2 accounts and their v1-only assertions would break.

This commit:
* Switches both tests to target.createAuthClient(1) explicitly. The
  peer test for v2 in the same file already uses
  target.createAuthClient(2), so this matches the existing pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@dschom dschom requested a review from a team as a code owner May 9, 2026 00:11
@dschom dschom mentioned this pull request May 9, 2026
Draft
5 tasks
@dschom dschom closed this May 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dschom