feat(customs): Add custom rate limiting rules for sending and confirming sms

vbudhram · vbudhram · commit 794c4f0d476c · 2025-02-12T12:49:55.000-05:00
diff --git a/libs/accounts/recovery-phone/src/lib/recovery-phone.manager.in.spec.ts b/libs/accounts/recovery-phone/src/lib/recovery-phone.manager.in.spec.ts
@@ -9,7 +9,6 @@ import {
   RecoveryPhoneFactory,
 } from '@fxa/shared/db/mysql/account';
 import { Test } from '@nestjs/testing';
-import { RecoveryPhoneFactory } from '@fxa/shared/db/mysql/account';
 
 describe('RecoveryPhoneManager', () => {
   let recoveryPhoneManager: RecoveryPhoneManager;
diff --git a/libs/accounts/recovery-phone/src/lib/recovery-phone.service.spec.ts b/libs/accounts/recovery-phone/src/lib/recovery-phone.service.spec.ts
@@ -104,7 +104,7 @@ describe('RecoveryPhoneService', () => {
     expect(result).toBeTruthy();
   });
 
-  it('Should send new code for setup phone number ', async () => {
+  it('Should send new code for setup phone number', async () => {
     mockOtpManager.generateCode.mockReturnValue(code);
     mockRecoveryPhoneManager.getAllUnconfirmed.mockResolvedValue([
       'this:is:the:code123',
@@ -384,6 +384,48 @@ describe('RecoveryPhoneService', () => {
       mockRecoveryPhoneManager.getConfirmedPhoneNumber.mockRejectedValue(error);
       expect(service.sendCode(uid)).rejects.toThrow(error);
     });
+
+    it('Should send new code for setup phone number', async () => {
+      mockOtpManager.generateCode.mockReturnValue(code);
+      mockRecoveryPhoneManager.getAllUnconfirmed.mockResolvedValue([
+        'this:is:the:code123',
+        'this:is:the:code456',
+      ]);
+
+      mockRecoveryPhoneManager.getConfirmedPhoneNumber.mockResolvedValueOnce({
+        phoneNumber,
+      });
+      mockOtpManager.generateCode.mockResolvedValueOnce(code);
+      mockSmsManager.sendSMS.mockResolvedValue({ status: 'success' });
+
+      const result = await service.sendCode(uid);
+
+      expect(result).toBeTruthy();
+      expect(mockRecoveryPhoneManager.getConfirmedPhoneNumber).toBeCalledWith(
+        uid
+      );
+      expect(mockRecoveryPhoneManager.storeUnconfirmed).toBeCalledWith(
+        uid,
+        code,
+        phoneNumber,
+        false
+      );
+      expect(mockOtpManager.generateCode).toBeCalled();
+      expect(mockSmsManager.sendSMS).toBeCalledWith({
+        to: phoneNumber,
+        body: code,
+      });
+
+      expect(mockRecoveryPhoneManager.removeCode).toBeCalledWith(
+        uid,
+        'code123'
+      );
+      expect(mockRecoveryPhoneManager.removeCode).toBeCalledWith(
+        uid,
+        'code456'
+      );
+      expect(mockRecoveryPhoneManager.getAllUnconfirmed).toBeCalledWith(uid);
+    });
   });
 
   describe('available', () => {
diff --git a/libs/accounts/recovery-phone/src/lib/recovery-phone.service.ts b/libs/accounts/recovery-phone/src/lib/recovery-phone.service.ts
@@ -292,7 +292,8 @@ export class RecoveryPhoneService {
   }
 
   /**
-   * Sends an totp code to a user
+   * Sends a new totp code to a user and revokes any previous unconfirmed codes.
+   *
    * @param uid Account id
    * @returns True if message didn't fail to send.
    */
@@ -301,6 +302,17 @@ export class RecoveryPhoneService {
       throw new RecoveryPhoneNotEnabled();
     }
 
+    // Invalidate and remove any or all previous unconfirmed code entries
+    const unconfirmedKeys = await this.recoveryPhoneManager.getAllUnconfirmed(
+      uid
+    );
+    for (const key of unconfirmedKeys) {
+      const oldCode = key.split(':').pop();
+      if (oldCode) {
+        await this.recoveryPhoneManager.removeCode(uid, oldCode);
+      }
+    }
+
     const { phoneNumber } =
       await this.recoveryPhoneManager.getConfirmedPhoneNumber(uid);
     const code = await this.otpCode.generateCode();
