Contributor
Pull request overview
This PR expands Playwright functional coverage for passkey sign-in flows (including Sync OAuth edge-cases) and adds an AMO-like “profile AAL2” enforcement mode to the 123done test relier to validate the FxA-side divert behavior for passkey-only accounts.
Changes:
- Add new functional tests for passkey sign-in across email-first, Sync OAuth fallback/set-password flows, and AAL2 + profile-AAL2 scenarios.
- Extend the passkey polyfill with a “corrupt assertion” mode to exercise invalid-signature server handling.
- Update 123done to support “Require Profile AAL2” (post-grant profile check + one-bounce behavior) and surface account-level AAL2 state in UI + test page object helpers.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/functional-tests/tests/passkeyAuth/passkeySetPassword.spec.ts | Adds Sync OAuth coverage for passwordless+passkey routing through /post_verify/passkey/set_password (with/without TOTP). |
| packages/functional-tests/tests/passkeyAuth/passkeyPasswordFallback.spec.ts | Reworks Sync passkey fallback test to be UI-driven and adds TOTP-enrolled “no re-prompt” coverage. |
| packages/functional-tests/tests/passkeyAuth/passkey-signin.spec.ts | Adds broad passkey sign-in functional coverage, including AAL2 and AMO-style profile-AAL2 scenarios. |
| packages/functional-tests/pages/relier.ts | Adds relier actions and badge checks for the new profile-AAL2 toggle and account/session AAL2 markers. |
| packages/functional-tests/lib/passkeyPolyfill.ts | Adds a “corrupt” mode that tampers with the assertion signature for negative-path testing. |
| packages/123done/static/js/123done.js | Displays account-level AAL2 marker and wires up the new “Require Profile AAL2” button. |
| packages/123done/static/index.html | Adds the “Sign In (Require Profile AAL2)” button. |
| packages/123done/server.js | Exposes account_aal2 via /api/auth_status for UI/tests. |
| packages/123done/oauth.js | Adds /api/profile_aal2 flow and profile-based post-grant bounce logic to mirror AMO-style enforcement. |
Comment on lines +410 to +412
| await clearSession(page); | ||
| await page.goto(target.contentServerUrl); | ||
Comment on lines 70 to 72
| await clearSession(page); | ||
| await page.goto(target.contentServerUrl); | ||
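Review bot: the `await clearSession(page); await page.goto(target.contentServerUrl);` pair at lines 70 to 72 is the same two lines added at +410 to +412 in the other commented region, so the per-test reset now lives in at least two specs. A shared helper (or a `test.beforeEach` in the spec's page-object layer) would keep it in one place, in line with the TOTP walk extraction this PR already does, and would make it harder for a later test to omit the `clearSession` call and silently run against the previous test's session.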
vpomerleau
reviewed
May 27, 2026
vpomerleau
left a comment
Contributor
Test cases look good and thorough on first pass 💎 I'll have a closer look and do some manual testing after the weekly meeting, mainly for the 123done flows
11ff30c to f8e1468
Because:
- Passkey sign-in, including from the passwordless OTP code screen, and AMO-style profile-AAL2 enforcement had no end-to-end functional coverage, and the inline TOTP setup walk was duplicated across specs.

This commit:
- Adds passkey sign-in functional tests across email-first, /signin, non-AAL2 and AAL2 OAuth, and AMO-style profile-AAL2 scenarios in 123done.
- Adds passwordless + 2FA-required and passwordless + passkey + profile-AAL2 tests verifying the divert to inline TOTP setup rather than a bounce loop.
- Adds a "Require Profile AAL2" mode to the 123done relier, surfaces account-level AAL2 state, and relabels the AAL2 buttons so session-level and profile-level enforcement are distinguishable.
- Extends the passkey polyfill with a corrupt-assertion mode for negative-path coverage.
- Extracts the inline TOTP setup walk into a shared TotpPage helper that reads recovery-phone availability to decide whether the recovery-method chooser renders, removing duplicated walk and redundant per-test cleanup.
- Corrects the passkey Sync set-password route assertion to /post_verify/set_password (standardized for all sign-in methods).
vpomerleau
approved these changes
Jun 1, 2026
Because
This pull request
- `passkey-signin.spec.ts`: email-first sign-in, /signin after submitting an email, error banners, non-AAL2 RPs, AAL2 RPs (with and without TOTP), and the `passkeySetPassword.spec.ts` passwordless flow `/inline_totp_setup` before the OAuth grant, and a passkey+TOTP user completes straight to the RP
- `Sign In (Require Profile AAL2)` toggle that mirrors AMO: checks `profile.twoFactorAuthentication` after the grant and bounces back to FxA once if the account lacks TOTP. Surfaces both session-AAL2 (🔒) and account-AAL2 (🛡) on the post-auth page
Issue that this pull request solves
Closes: https://mozilla-hub.atlassian.net/browse/FXA-13103
Checklist
Other information
Depends on: FXA-13101 (PR #20635). The AMO profile-AAL2 tests rely on the FxA-side divert in `packages/fxa-settings/src/pages/Signin/utils.ts`. This PR should land after that one.
How to test locally: