[Native Auth] Update the logic for detecting phone blocked errors (#8087)

Author: shenj

change/@azure-msal-browser-3440d747-cc9e-4b83-8bdc-b0b326c93e80.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Update the logic for detecting phone blocked error #8087",
+  "packageName": "@azure/msal-browser",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/src/custom_auth/core/auth_flow/AuthFlowErrorBase.ts

@@ -153,11 +153,9 @@ export abstract class AuthFlowErrorBase {
     protected isVerificationContactBlockedError(): boolean {
         return (
             this.errorData instanceof CustomAuthApiError &&
-            this.errorData.error === CustomAuthApiErrorCode.INVALID_REQUEST &&
-            this.errorData.errorCodes?.includes(550024) === true &&
-            this.errorData.errorDescription?.includes(
-                "multi-factor authentication method is blocked"
-            ) === true
+            this.errorData.error === CustomAuthApiErrorCode.ACCESS_DENIED &&
+            this.errorData.subError ===
+                CustomAuthApiSuberror.PROVIDER_BLOCKED_BY_REPUTATION
         );
     }
 }

lib/msal-browser/src/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.ts

@@ -24,3 +24,4 @@ export const PASSWORD_CHANGE_FAILED = "password_change_failed";
 export const PASSWORD_RESET_TIMEOUT = "password_reset_timeout";
 export const CLIENT_INFO_MISSING = "client_info_missing";
 export const EXPIRED_TOKEN = "expired_token";
+export const ACCESS_DENIED = "access_denied";

lib/msal-browser/src/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.ts

@@ -14,3 +14,4 @@ export const ATTRIBUTE_VALIATION_FAILED = "attribute_validation_failed";
 export const NATIVEAUTHAPI_DISABLED = "nativeauthapi_disabled";
 export const REGISTRATION_REQUIRED = "registration_required";
 export const MFA_REQUIRED = "mfa_required";
+export const PROVIDER_BLOCKED_BY_REPUTATION = "provider_blocked_by_rep";

lib/msal-browser/test/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.spec.ts

@@ -95,12 +95,13 @@ describe("JitError", () => {
             expect(error.isInvalidInput()).toBe(false);
         });
 
-        it("should return true for isVerificationContactBlocked when API error with error code 550024 and correct description", () => {
+        it("should return true for isVerificationContactBlocked when ACCESS_DENIED with PROVIDER_BLOCKED_BY_REPUTATION subError", () => {
             const apiError = new CustomAuthApiError(
-                CustomAuthApiErrorCode.INVALID_REQUEST,
-                "multi-factor authentication method is blocked",
+                CustomAuthApiErrorCode.ACCESS_DENIED,
+                "Verification contact blocked by reputation system",
                 "correlation-id",
-                [550024]
+                [],
+                CustomAuthApiSuberror.PROVIDER_BLOCKED_BY_REPUTATION
             );
             const error = new AuthMethodRegistrationChallengeMethodError(
                 apiError
@@ -109,12 +110,13 @@ describe("JitError", () => {
             expect(error.isVerificationContactBlocked()).toBe(true);
         });
 
-        it("should return false for isVerificationContactBlocked when API error with error code 550024 but wrong description", () => {
+        it("should return false for isVerificationContactBlocked when ACCESS_DENIED but different subError", () => {
             const apiError = new CustomAuthApiError(
-                CustomAuthApiErrorCode.INVALID_REQUEST,
-                "Some other error description",
+                CustomAuthApiErrorCode.ACCESS_DENIED,
+                "Other access denied scenario",
                 "correlation-id",
-                [550024]
+                [],
+                CustomAuthApiSuberror.INVALID_OOB_VALUE
             );
             const error = new AuthMethodRegistrationChallengeMethodError(
                 apiError
@@ -123,12 +125,13 @@ describe("JitError", () => {
             expect(error.isVerificationContactBlocked()).toBe(false);
         });
 
-        it("should return false for isVerificationContactBlocked when different error code", () => {
+        it("should return false for isVerificationContactBlocked when subError matches but error != ACCESS_DENIED", () => {
             const apiError = new CustomAuthApiError(
-                CustomAuthApiErrorCode.INVALID_GRANT,
-                "multi-factor authentication method is blocked",
+                CustomAuthApiErrorCode.INVALID_REQUEST,
+                "Verification contact blocked by reputation system",
                 "correlation-id",
-                [901001]
+                [],
+                CustomAuthApiSuberror.PROVIDER_BLOCKED_BY_REPUTATION
             );
             const error = new AuthMethodRegistrationChallengeMethodError(
                 apiError

lib/msal-browser/test/custom_auth/core/auth_flow/mfa/error_type/MfaError.spec.ts

@@ -73,45 +73,37 @@ describe("MfaRequestChallengeError", () => {
     });
 
     describe("isVerificationContactBlocked", () => {
-        it("returns true when invalid_request with code 550024 and matching description substring", () => {
+        it("returns true when error is ACCESS_DENIED with subError PROVIDER_BLOCKED_BY_REPUTATION", () => {
             const apiError = new CustomAuthApiError(
-                "invalid_request",
-                "The multi-factor authentication method is blocked due to too many attempts.",
+                "access_denied",
+                "Verification contact blocked by reputation system",
                 "correlation-id",
-                [550024]
+                [],
+                CustomAuthApiSuberror.PROVIDER_BLOCKED_BY_REPUTATION
             );
             const mfaError = new MfaRequestChallengeError(apiError);
             expect(mfaError.isVerificationContactBlocked()).toBe(true);
         });
 
-        it("returns false when code 550024 present but description does not contain required phrase", () => {
+        it("returns false when error is ACCESS_DENIED but subError different", () => {
             const apiError = new CustomAuthApiError(
-                "invalid_request",
-                "MFA method temporarily disabled.",
+                "access_denied",
+                "Some other access denied error",
                 "correlation-id",
-                [550024]
+                [],
+                CustomAuthApiSuberror.INVALID_OOB_VALUE
             );
             const mfaError = new MfaRequestChallengeError(apiError);
             expect(mfaError.isVerificationContactBlocked()).toBe(false);
         });
 
-        it("returns false when description contains phrase but error code 550024 missing", () => {
+        it("returns false when subError matches but error code not ACCESS_DENIED", () => {
             const apiError = new CustomAuthApiError(
                 "invalid_request",
-                "The multi-factor authentication method is blocked at this time.",
+                "Verification contact blocked by reputation system",
                 "correlation-id",
-                [901001]
-            );
-            const mfaError = new MfaRequestChallengeError(apiError);
-            expect(mfaError.isVerificationContactBlocked()).toBe(false);
-        });
-
-        it("returns false when different error type even if code and description match", () => {
-            const apiError = new CustomAuthApiError(
-                "server_error",
-                "The multi-factor authentication method is blocked by policy.",
-                "correlation-id",
-                [550024]
+                [],
+                CustomAuthApiSuberror.PROVIDER_BLOCKED_BY_REPUTATION
             );
             const mfaError = new MfaRequestChallengeError(apiError);
             expect(mfaError.isVerificationContactBlocked()).toBe(false);