mozilla-iam · gdestuynder · Mar 29, 2018 · Feb 15, 2018 · Mar 28, 2018 · Mar 28, 2018
diff --git a/manual/social-fxa.js b/manual/social-fxa.js
@@ -4,12 +4,6 @@
 // Token endpoint: https://oauth-latest.dev.lcip.org/v1/token
 // scopes: openid profile
 function(accessToken, ctx, cb) {
-  // An Fxa profile looks like:
-  //     {
-  //      "email": "[email protected]",
-  //      "uid": "14e701f4bfd647ce925c0239a2065665",
-  //      "sub": "14e701f4bfd647ce925c0239a2065665"
-  //  }
   // See docs at https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction
   request.get('https://latest.dev.lcip.org/profile/v1/profile', {
     'headers': {
@@ -23,11 +17,17 @@ function(accessToken, ctx, cb) {
     }
 
     var p = JSON.parse(b);
+    // If you need to debug FxA's reply, un-comment this and look at the webtask logs
+    // console.log('FxA profile output: '+p);
     return cb(null, {
       user_id: p.uid,
+      picture: p.avatar,
+      preferredLanguage: p.locale,
       email: p.email,
       email_verified: true,
-      fxa_sub: p.sub
+      fxa_sub: p.sub,
+      fxa_amrValues: p.amrValues,
+      fxa_twoFactorAuthentication: p.twoFactorAuthentication
     });
 
   });

diff --git a/rules/Force-MFA-setup-for-GitHub-logins.js b/rules/Force-MFA-setup-for-GitHub-logins.js
diff --git a/rules/Force-MFA-setup-for-social-logins.js b/rules/Force-MFA-setup-for-social-logins.js
@@ -0,0 +1,18 @@
+function (user, context, callback) {
+  if ((context.connection === 'github') && (!user.two_factor_authentication)) {
+    // Force MFA for GitHub logins
+    console.log('GitHub user not allowed to log in because 2FA was disabled on the account: '+user.user_id);
+    return callback(null, user, global.postError('githubrequiremfa', context));
+  } else if ((context.connection === 'firefoxaccounts') && (!user.fxa_twoFactorAuthentication)) {
+    // Force MFA for Firefox Accounts (FxA) logins
+    // Note FxA also provides the standard amrValues which can be used to specify which 2FA we want to allow.
+    // Right now we trust FxA to make this choice for us (which is, require TOTP for user.fxa_twoFactorAuthentication to
+    // be set to True
+    console.log('Firefox Accounts user not allowed to log in because 2FA was disabled on the account: '+user.user_id);
+    return callback(null, user, global.postError('fxarequiremfa', context));
+
+    // Forcing MFA for Google accounts is not currently supported
+  } else {
+    return callback(null, user, context);
+  }
+}
diff --git a/rules/Force-MFA-setup-for-GitHub-logins.json → rules/Force-MFA-setup-for-social-logins.json b/rules/Force-MFA-setup-for-GitHub-logins.json → rules/Force-MFA-setup-for-social-logins.json
diff --git a/rules/default-deny-for-maintenance.js b/rules/default-deny-for-maintenance.js
@@ -0,0 +1,6 @@
+function (user, context, callback) {
+    // Denies all users from logging in
+    // Only use for maintenance purposes
+
+    return callback(null, user, global.postError('maintenancemode', context));
+}
diff --git a/rules/default-deny-for-maintenance.json b/rules/default-deny-for-maintenance.json
@@ -0,0 +1,4 @@
+{
+    "enabled": false,
+    "order": 999
+}
diff --git a/rules/force-users-login-most-secure-method.js b/rules/force-users-login-most-secure-method.js
@@ -48,6 +48,7 @@ var WHITELIST = ['HvN5D3R64YNNhvcHKuMKny1O0KJZOOwH', // mozillians.org account v
   // Lower is better
   var matchOrder = {'ad': 0,
                     'github': 1,
+                    'firefoxaccounts': 1,
                     'google-oauth2': 2,
                     'email': 3
                    };