Skip to content

bug(settings): Stop duplicate sign-in verification emails for dormant accounts#20865

Draft
dschom wants to merge 1 commit into
mainfrom
FXA-14109
Draft

bug(settings): Stop duplicate sign-in verification emails for dormant accounts#20865
dschom wants to merge 1 commit into
mainfrom
FXA-14109

Conversation

@dschom

@dschom dschom commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Because:

  • Dormant accounts signing in to Settings/Sync received two identical OTP verification emails. The auth-server sends one during signInWithAuthPW, and the shared handleNavigation sent a second via sessionResendVerifyCode (added in 2fce100 to fix a cached-flow duplicate, but it also fired in the password flow where the server already sent).

This PR:

  • Gates the client-side sessionResendVerifyCode in handleNavigation behind a new optional sendVerificationEmailFromClient NavigationOptions flag.
  • Sets the flag only in the cached-signin paths (SigninCached and the prompt=none Authorization container), the only flows that perform no server-side login and therefore must send the OTP client-side.
  • Leaves the flag falsey for the password/unblock/reauth paths, which already send server-side, eliminating the duplicate email.
  • Adds regression tests covering both the gated (cached) and non-gated (server-login) paths so the duplicate cannot silently return.

Issue that this pull request solves

Closes #FXA-14109

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

How to review (Optional)

To test manually we must have an 'old' account that goes into the 'must_verify' state.

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

Any other information that is important to this pull request.

… accounts

Because:
- Dormant accounts signing in to Settings/Sync received two identical OTP
  verification emails. The auth-server sends one during `signInWithAuthPW`,
  and the shared `handleNavigation` sent a second via `sessionResendVerifyCode`
  (added in 2fce100 to fix a cached-flow duplicate, but it also fired in the
  password flow where the server already sent).

This commit:
- Gates the client-side `sessionResendVerifyCode` in `handleNavigation` behind
  a new optional `sendVerificationEmailFromClient` NavigationOptions flag.
- Sets the flag only in the cached-signin paths (`SigninCached` and the
  prompt=none `Authorization` container), the only flows that perform no
  server-side login and therefore must send the OTP client-side.
- Leaves the flag falsey for the password/unblock/reauth paths, which already
  send server-side, eliminating the duplicate email.
- Adds regression tests covering both the gated (cached) and non-gated
  (server-login) paths so the duplicate cannot silently return.

Closes #FXA-14109
@dschom
dschom requested a review from a team as a code owner July 14, 2026 20:58
@dschom
dschom marked this pull request as draft July 14, 2026 20:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant