From 6e63a423224d6615a17b5c4d2a55a98bad1204c2 Mon Sep 17 00:00:00 2001
From: Dan Schomburg
Date: Thu, 7 May 2026 17:00:34 -0700
Subject: [PATCH 1/2] fix(functional-tests): default test accounts to v2 key stretching
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Because:
* The vpn integration "authorization flow" test was flaky with a 401 on the second /oauth/authorization call. testAccountTracker creates v1 accounts, so the first sign-in triggers a v1→v2 upgrade (password/change/start + finish) that bumps account.verifierSetAt. The cached session still works for /account/profile and /session/status, but the assertion JWT used by /oauth/authorization fails validation and the OAuth code is never issued — so fxaOAuthLogin is never sent and the test times out.
* v2 is the state real new accounts are created in nowadays, so the test setup should match.
This commit:
* Defaults BaseTarget's auth-client to keyStretchVersion=2 (overridable via AUTH_CLIENT_KEY_STRETCH_VERSION). Accounts created via testAccountTracker.signUp now register both v1 and v2 password hashes, so the in-app upgrade branch is skipped and the cached session remains valid across consecutive OAuth flows.
closes FXA-13687
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 packages/functional-tests/lib/targets/base.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/packages/functional-tests/lib/targets/base.ts b/packages/functional-tests/lib/targets/base.ts
index 8748fa27a35..586b35876a8 100644
--- a/packages/functional-tests/lib/targets/base.ts
+++ b/packages/functional-tests/lib/targets/base.ts
@@ -52,14 +52,19 @@ export abstract class BaseTarget {
 readonly authServerUrl: string,
 emailUrl?: string
 ) {
+ // Default to v2 key stretching — that's the state new accounts are
+ // created in nowadays. Creating accounts as v1 here means the first
+ // sign-in triggers a v1→v2 upgrade (password/change/start + finish)
+ // that bumps account.verifierSetAt; subsequent OAuth /authorization
+ // calls reusing the cached session then 401 on assertion validation.
 const keyStretchVersion = parseInt(
- process.env.AUTH_CLIENT_KEY_STRETCH_VERSION || '1'
+ process.env.AUTH_CLIENT_KEY_STRETCH_VERSION || '2'
 );
 this.authClient = this.createAuthClient(keyStretchVersion);
 this.emailClient = new EmailClient(emailUrl);
 }
 
- createAuthClient(keyStretchVersion = 1): AuthClient {
+ createAuthClient(keyStretchVersion = 2): AuthClient {
 if (![1, 2].includes(keyStretchVersion)) {
 throw new Error(
 `Invalid keyStretchVersion =${keyStretchVersion}. The` +
From 4cf65c58ce91d384ae0d878051b63b95669b7b3f Mon Sep 17 00:00:00 2001
From: Dan Schomburg
Date: Fri, 8 May 2026 17:11:26 -0700
Subject: [PATCH 2/2] test(functional-tests): force v1 auth client in v1-specific tests
Because:
* The two authClientV2.spec.ts tests "it creates with v1 and signs in" and "it creates with v1 and upgrades to v2 on signin" were using target.authClient implicitly. With the previous commit defaulting the shared auth client to v2 key stretching, those tests would now create v2 accounts and their v1-only assertions would break.
This commit:
* Switches both tests to target.createAuthClient(1) explicitly. The peer test for v2 in the same file already uses target.createAuthClient(2), so this matches the existing pattern.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 packages/functional-tests/tests/misc/authClientV2.spec.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
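Review bot: In the base.ts constructor hunk, moving the shared default to v2 removes the implicit coverage of a v1→v2 upgrade followed by an OAuth /authorization call, and the new comment does not say whether the 401 after account.verifierSetAt is bumped is intended session invalidation or a product defect. If it is intended, the comment should say so, e.g. `// The 401 is expected: a verifier change invalidates assertions minted from the cached session.`; if it is not, it needs its own ticket, since users still on v1 accounts would presumably go through the same sequence. Separately, `createAuthClient(keyStretchVersion = 2)` changes what any no-argument caller outside this diff receives, and the override is parsed loosely (a value like `2abc` is accepted as 2); `parseInt(process.env.AUTH_CLIENT_KEY_STRETCH_VERSION || '2', 10)` with a strict check on the raw string would make it unambiguous. createAuthClient's body continues past the end of the hunk.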
diff --git a/packages/functional-tests/tests/misc/authClientV2.spec.ts b/packages/functional-tests/tests/misc/authClientV2.spec.ts
index 60217a782fd..536ac620b04 100644
--- a/packages/functional-tests/tests/misc/authClientV2.spec.ts
+++ b/packages/functional-tests/tests/misc/authClientV2.spec.ts
@@ -51,7 +51,8 @@ test.describe('auth-client-tests', () => {
 target,
 testAccountTracker,
 }) => {
- const client = target.authClient;
+ // target.authClient defaults to v2 now; force v1 for this test.
+ const client = target.createAuthClient(1);
 const { email, password } = testAccountTracker.generateAccountDetails();
 
 await signUp(client, email, password, target);
@@ -127,7 +128,8 @@ test.describe('auth-client-tests', () => {
 target,
 testAccountTracker,
 }) => {
- const client = target.authClient;
+ // target.authClient defaults to v2 now; force v1 for this test.
+ const client = target.createAuthClient(1);
 const { email, password } = testAccountTracker.generateAccountDetails();
 
 await signUp(client, email, password, target);
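Review bot: The comment added in both hunks of authClientV2.spec.ts (`// target.authClient defaults to v2 now; force v1 for this test.`) records the history of the change rather than what the test requires. Something like `// v1-only assertions below: use an explicit v1 client, independent of the shared default and AUTH_CLIENT_KEY_STRETCH_VERSION.` would stay accurate if the default moves again. The test bodies continue outside both hunks, so whether later sign-in steps in these tests also need an explicit client version cannot be checked from here.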