From 0f831fda16e7e3305471764791653fc34218cd7c Mon Sep 17 00:00:00 2001
From: joerger
Date: Mon, 9 Dec 2024 17:58:06 -0800
Subject: [PATCH] Address todos; Update e ref.
---
 e | 2 +-
 .../wizards/AddAuthDeviceWizard.tsx | 7 ---
 .../teleport/src/services/auth/auth.ts | 59 -------------------
 3 files changed, 1 insertion(+), 67 deletions(-)
diff --git a/e b/e
index c5e5b12cbb737..62a53a7170836 160000
--- a/e
+++ b/e
@@ -1 +1 @@
-Subproject commit c5e5b12cbb73703c7f0bab68f45a901c2ebf2b04
+Subproject commit 62a53a71708366f1c314a8b32d99e09bc5c9b894
diff --git a/web/packages/teleport/src/Account/ManageDevices/wizards/AddAuthDeviceWizard.tsx b/web/packages/teleport/src/Account/ManageDevices/wizards/AddAuthDeviceWizard.tsx
index be291c660f55a..d161d8db54b93 100644
--- a/web/packages/teleport/src/Account/ManageDevices/wizards/AddAuthDeviceWizard.tsx
+++ b/web/packages/teleport/src/Account/ManageDevices/wizards/AddAuthDeviceWizard.tsx
@@ -73,12 +73,6 @@ export function AddAuthDeviceWizard({
 const reauthState = useReAuthenticate({
 challengeScope: MfaChallengeScope.MANAGE_DEVICES,
 onMfaResponse: mfaResponse =>
- // TODO(Joerger): Instead of getting a privilege token, we should get
- // // a register challenge with the mfa response directly. For good UX, this would
- // // require some refactoring to the flow so the user can choose a device type before
- // // completing an mfa check and getting an otp/webauthn register challenge, or
- // // allowing the backend to return a flexible register challenge
- // await auth.createPrivilegeToken(mfaResponse).then(setPrivilegeToken);
 auth.createPrivilegeToken(mfaResponse).then(setPrivilegeToken),
 });
@@ -188,7 +182,6 @@ export function CreateDeviceStep({
 if (usage === 'passwordless' || newMfaDeviceType === 'webauthn') {
 createPasskeyAttempt.run(async () => {
 const credential = await auth.createNewWebAuthnDevice({
- // TODO(Joerger): Skip privilege token step, just pass in mfa response.
 tokenId: privilegeToken,
 deviceUsage: usage,
 });
diff --git a/web/packages/teleport/src/services/auth/auth.ts b/web/packages/teleport/src/services/auth/auth.ts
index 3e58e9f5f5f4b..4d1e978f2f64c 100644
--- a/web/packages/teleport/src/services/auth/auth.ts
+++ b/web/packages/teleport/src/services/auth/auth.ts
@@ -341,7 +341,6 @@ const auth = {
 });
 },
- // TODO(Joerger): Delete once no longer used by /e
 async getSsoChallengeResponse(
 challenge: SsoChallenge
 ): Promise {
@@ -386,63 +385,10 @@ const auth = {
 };
 },
- // TODO(Joerger): Delete once no longer used by /e
- createPrivilegeTokenWithWebauthn() {
- return auth
- .getMfaChallenge({ scope: MfaChallengeScope.MANAGE_DEVICES })
- .then(auth.getMfaChallengeResponse)
- .then(mfaResp => auth.createPrivilegeToken(mfaResp));
- },
-
- // TODO(Joerger): Delete once no longer used by /e
- createPrivilegeTokenWithTotp(secondFactorToken: string) {
- return api.post(cfg.api.createPrivilegeTokenPath, { secondFactorToken });
- },
-
 createRestrictedPrivilegeToken() {
 return api.post(cfg.api.createPrivilegeTokenPath, {});
 },
- // TODO(Joerger): Remove once /e is no longer using it.
- async getWebauthnResponse(
- scope: MfaChallengeScope,
- allowReuse?: boolean,
- isMfaRequiredRequest?: IsMfaRequiredRequest,
- abortSignal?: AbortSignal
- ) {
- // TODO(Joerger): DELETE IN 16.0.0
- // the create mfa challenge endpoint below supports
- // MFARequired requests without the extra roundtrip.
- if (isMfaRequiredRequest) {
- try {
- const isMFARequired = await checkMfaRequired(
- isMfaRequiredRequest,
- abortSignal
- );
- if (!isMFARequired.required) {
- return;
- }
- } catch (err) {
- if (
- err?.response?.status === 400 &&
- err?.message.includes('missing target for MFA check')
- ) {
- // checking MFA requirement for admin actions is not supported by old
- // auth servers, we expect an error instead. In this case, assume MFA is
- // not required. Callers should fallback to retrying with MFA if needed.
- return;
- }
-
- throw err;
- }
- }
-
- return auth
- .getMfaChallenge({ scope, allowReuse, isMfaRequiredRequest }, abortSignal)
- .then(challenge => auth.getMfaChallengeResponse(challenge, 'webauthn'))
- .then(res => res.webauthn_response);
- },
-
 getMfaChallengeResponseForAdminAction(allowReuse?: boolean) {
 // If the client is checking if MFA is required for an admin action,
 // but we know admin action MFA is not enforced, return early.
@@ -460,11 +406,6 @@ const auth = {
 })
 .then(auth.getMfaChallengeResponse);
 },
-
- // TODO(Joerger): Delete in favor of getMfaChallengeResponseForAdminAction once /e is updated.
- getWebauthnResponseForAdminAction(allowReuse?: boolean) {
- return auth.getMfaChallengeResponseForAdminAction(allowReuse);
- },
 };
 function checkMfaRequired(