Conversation
… accounts Because: - Dormant accounts signing in to Settings/Sync received two identical OTP verification emails. The auth-server sends one during `signInWithAuthPW`, and the shared `handleNavigation` sent a second via `sessionResendVerifyCode` (added in 2fce100 to fix a cached-flow duplicate, but it also fired in the password flow where the server already sent). This commit: - Gates the client-side `sessionResendVerifyCode` in `handleNavigation` behind a new optional `sendVerificationEmailFromClient` NavigationOptions flag. - Sets the flag only in the cached-signin paths (`SigninCached` and the prompt=none `Authorization` container), the only flows that perform no server-side login and therefore must send the OTP client-side. - Leaves the flag falsey for the password/unblock/reauth paths, which already send server-side, eliminating the duplicate email. - Adds regression tests covering both the gated (cached) and non-gated (server-login) paths so the duplicate cannot silently return. Closes #FXA-14109
dschom
marked this pull request as draft
July 14, 2026 20:58
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Because:
signInWithAuthPW, and the sharedhandleNavigationsent a second viasessionResendVerifyCode(added in 2fce100 to fix a cached-flow duplicate, but it also fired in the password flow where the server already sent).This PR:
sessionResendVerifyCodeinhandleNavigationbehind a new optionalsendVerificationEmailFromClientNavigationOptions flag.SigninCachedand the prompt=noneAuthorizationcontainer), the only flows that perform no server-side login and therefore must send the OTP client-side.Issue that this pull request solves
Closes #FXA-14109
Checklist
Put an
xin the boxes that applyHow to review (Optional)
To test manually we must have an 'old' account that goes into the 'must_verify' state.
Screenshots (Optional)
Please attach the screenshots of the changes made in case of change in user interface.
Other information (Optional)
Any other information that is important to this pull request.