[Bug]: Parental controls email endpoint is flawed

[jonbarrow]

Checked Existing

• I have checked the repository for duplicate issues.

What happened?

#99 implemented https://account.nintendo.net/v1/api/support/send_confirmation/pin/:email, but it makes several wrong assumptions which were not caught in review. Those being:

• A flawed PNID lookup
• Incorrect intention of the endpoint

The first assumption is that a PNID can be reliably looked up via an email address. This is not the case, as multiple PNIDs can share an email address. The PNID lookup is essentially useless in this case. This is also how Nintendo Network operates, NNIDs are not email-unique, and leads directly into the 2nd issue

The intention of the endpoint is incorrect. #99 assumes that the endpoint operates on a per-user level and that is not the case, it operates on a per-console level. Meaning the email itself and the lookup are not properly emulated here

What did you expect to happen?

Parental Controls are a system-wide feature, not account-wide. This endpoint should not be making any assumptions about an individual user

The PNID lookup should be removed. It uses the existing getPNIDByEmailAddress, which is used by our website API for password reset emails, so I can't blame Swirlz for this mistake. getPNIDByEmailAddress should really be removed entirely and the website/API updated to only accept usernames where it was used previously, since it's not reliable anyway

The email should be updated to reflect the real intention of the endpoint, which is to send you your Parental Controls master key for the console. Some example emails via @InternalLoss from the real servers:

Initial registration:

This email has been automatically sent from Nintendo because this email address was registered for Parental Controls.

This email address will be used with the Parental Controls feature on your Nintendo device (serial number: redacted).

If the PIN or answer to the secret question for Parental Controls has been forgotten, the PIN can be reset by requesting a master key. To do so, select I Forgot when prompted for the PIN in the Parental Controls application, and again when prompted for the answer to the secret question. The master key will be sent to this registered email address.

If you did not register this email address for Parental Controls, please ignore this email.

Master key resend:

This email has been automatically sent from Nintendo following a request to send a master key to this email address.

A master key has been temporarily issued to enable you to reset the Parental Controls feature on your Nintendo device (serial number: redacted).

Master key: redacted

The master key is valid for a period of 48 hours from the time this email was sent.
Use the master key within 48 hours to reset your PIN for Parental Controls.

If the 48-hour period has expired, repeat the procedure to be issued with a new master key.

Also from @InternalLoss on Discord:

should probably also store the email the 3ds sets for this, so we dont allow anyone with an authenticated 3ds (or wii u?) to spam numbers to people

I do not have dumps of the entire Parental Controls flow, but based on the emails and messages from Discord it seems clear that the correct course of action would be to:

• Check if the device has parental controls enabled
• If not, save the input email address to the device and send the "initial registration" email
• If so, compare the input email with the stored email on the device. If they do not match, reject the request, if they do match send the "master key resend" email
• Store the master key on the device

It should be noted that #111 has (currently unpushed, as I was told to wait) changes to our auth middleware that make device lookups across all NNAS endpoints more reliable. So the changes for Parental Controls should likely wait until after #111 has been merged, to make use of said changes

Steps to reproduce?

No response

Other relevant information. (OPTIONAL)

No response