DEPRECATED - Migrated to https://github.com/mozilla/fxa
License: Mozilla Public License 2.0
Please file issues and open pull requests against https://github.com/mozilla/fxa
Per mozilla/fxa-auth-server#222 (comment)
- if a user attempts to login from an "irregular" country (ie: they always log in from US/Canada but start getting strange login attempts from Egypt or Brazil) then we force them to confirm the login by email challenge or something. This could be possibly inconvenient for a certain number of users who travel frequently.
Also infers we somehow track/log a user's login history/location.
(migrating from mozilla/fxa-auth-server#309)
E.g., on FxOS the user could create their FxA in Marketplace a flow, and then end up verifying their email on another device. FxOS team would like the ability for us to tell the user "what to do next" after completing verification. Thoughts on how to enable this? How about adding service= in the sign in or sign up flow so we know what service initiated the process? Google does something similar, FWIW: https://accounts.google.com/ServiceLogin?service=oz
Only users which have been verified to be over the age of 13 should be allowed to create a FxA. I don't think I can put our implementation strategy (yet) here due to liability/legal reasons. Contact me or @lloyd directly if you have any questions.
This used to be mozilla/fxa-auth-server#256.
Tests will run against phantomjs locally and against a suite of SauceLabs supported environments on TravisCI.
This will fix #97 .
Per mozilla/fxa-auth-server#222 (comment)
- notify users by email if there was an unsuccessful login attempt (I had about 12 failed GitHub login attempts but never knew there was even a problem because of the vast number of computers involved). Email could include links to report suspicious activity via a form or just a simple link at the bottom saying "This was not me, report login".
Thee package.json file lists awsbox (v0.4.5) both in dependencies and devDependencies .
We need to be able to specify environment settings that are available to the client side app. Right now that configuration includes:
Ideally these would be baked into the distributable JS file when it's built.
We'll need to proxy requests to the auth server to support older browsers that don't support CORS.
This bridge is a Persona IdP. One of the things it does is issue certificates.
What is a certificate? It is basically the user's public key, signed by this IdP's private key.
We have a repo with a stand-alone web service that does this. It needs to be integrated.
Example codebase - BigTent (Yahoo Bridge)
/.well-known/browserid https://github.com/mozilla/browserid-bigtent/blob/master/server/routes.js#L423Other IdPs to look at how they integrated:
This requirement is specified here: http://www.mozilla.org/MPL/2.0/FAQ.html#apply
I checked the dependencies using https://david-dm.org/mozilla/firefox-account-bridge and noticed there are 2-5 outdated dependencies (not including the devDependencies):
Most notably:
It looks like jwcrypto and nunjucks are only 0.0.1 off, and the browserid-certifier is pulling a specific revision in GitHub and can probably be ignored.
If you switch to the devDependencies tab, we se the following outdated dependencies:
I also ran the package.json file through http://package-json-validator.com/ and got the following errors/warnings output:
{
"valid": false,
"errors": [
"String not valid for author, expected format is Barney Rubble <[email protected]> (http://barnyrubble.tumblr.com/)"
],
"warnings": [
"Missing recommended field: keywords",
"Missing recommended field: bugs",
"Missing recommended field: contributors"
],
"recommendations": [
"Missing optional field: homepage",
"Missing optional field: engines"
]
}
We don't want people indexing our dev and stage environments. http://davidwalsh.name/robots-rerouting
For Android, it would be super if both the create account flow and the login flow provided the chrome wrapper with {email, uid, sessionToken, kA, kB}. At the moment, the create account flow does (via a separate verified message) but the login flow does not.
I think that the login flow should enter the verified flow after completion, because it is possible to login to an unverified account. No?
Per mozilla/fxa-auth-server#222 (comment)
- add a security history panel similar to GitHub's where we display recent successful and unsuccessful logins (or at least recent unsuccessful logins).
Per mozilla/fxa-auth-server#222 (comment)
- have the ability to force a user to change a possibly compromised password. Similar to how Facebook asked users to change passwords if their account was involved in the Adobe password breach.
Per mozilla/fxa-auth-server#222 (comment)
- lock a user's account after "x" total unsuccessful consecutive login attempts. By moving to X consecutive failed logins instead of resetting the quota after 1 hour, we may thwart attempts for attackers to throttle login requests to stay under suspicion. A fine line between "security" and mass inconvenience.
Steps to reproduce:
npm start).npm start).java -jar selenium-server-standalone-2.35.0.jar)npm test from the fxa-content-server directory.Results:
$ npm test
[email protected] test /Users/pdehaan/dev/fxa-content-server_pd/fxa-content-server
node node_modules/intern/runner.js config=tests/intern suites=tests/tddDefaulting to "runner" reporter
Listening on 0.0.0.0:9090
Error: The environment you requested was unavailable.
at Request._callback (/Users/pdehaan/dev/fxa-content-server_pd/fxa-content-server/node_modules/intern/node_modules/wd/lib/webdriver.js:310:15)
at Request.self.callback (/Users/pdehaan/dev/fxa-content-server_pd/fxa-content-server/node_modules/intern/node_modules/wd/node_modules/request/index.js:148:22)
at Request.EventEmitter.emit (events.js:98:17)
at Request. (/Users/pdehaan/dev/fxa-content-server_pd/fxa-content-server/node_modules/intern/node_modules/wd/node_modules/request/index.js:876:14)
at Request.EventEmitter.emit (events.js:117:20)
at IncomingMessage. (/Users/pdehaan/dev/fxa-content-server_pd/fxa-content-server/node_modules/intern/node_modules/wd/node_modules/request/index.js:827:12)
at IncomingMessage.EventEmitter.emit (events.js:117:20)
at _stream_readable.js:920:16
at process._tickCallback (node.js:415:13)
We need to decide which browsers we will support. Ideally, we need have at least the same level of browser support as our relying services.
Need to update the package.json file (both name and bad repo URL) and the scripts/awsbox/auto_update.sh files to the new repo name.
In the case of the package.json, we may need to rename the package in npm as well.
Function.prototype.bind doesn't work in older browsers. Since we'll likely want to support some of these older browsers (specifically IE8), we should replace it with something compatible. We're already using Underscore, so _.bind seems like the obvious choice.
This is effectively a dump of the mocks used in user testing of PiCL flows, but with gherkin.js integrated.
The browserified gherkin library overwrites the global require variable provided by require.js. This is not a problem when using uncompressed resources because require.config is called before gherkin is attached. When using optimized resources, require.config is called after all other JS is parsed and gherkin has overwritten require.
GET http://localhost:3030/ [HTTP/1.1 200 OK 1ms]
GET http://localhost:3030/styles/7981d257.main.css [HTTP/1.1 200 OK 2ms]
GET http://localhost:3030/scripts/vendor/d7100892.modernizr.js [HTTP/1.1 200 OK 1ms]
GET http://localhost:3030/bower_components/requirejs/require.js [HTTP/1.1 200 OK 2ms]
GET http://localhost:3030/scripts/eda9d80e.main.js [HTTP/1.1 304 Not Modified 2ms]
TypeError: require.config is not a function
STR
git checkout origin/grunt-start-servergrunt server:disthttp://localhost:3030 in a browser and look in the JS console.Possibly related to requirejs/requirejs#883, browserify/browserify#526, and mozilla/fxa-js-client#7
On Android, I am seeing in the jelly from about:accounts.
E GeckoConsole(16674) Security Error: Content at http://accounts.dev.lcip.org/ may not load data from https://accounts.dev.lcip.org/mobile.
Pretty sure this is a vanilla CORS issue. We might just need to bump the firefox.accounts.remoteUrl to point to https://.
Sometimes the login payload includes kA and kB, and sometimes it doesn't. We should split these two messages, since they clearly mean different things depending on where we are in the verification loop.
https://github.com/mozilla/fxa-content-server/search?q=jquery&source=cc&type=Code
We're rocking 1.7.1 (circa November 21, 2011) and 2.0.0 (circa April 18, 2013)
<script src="/js/vendor/jquery-1.7.1.min.js"></script><script src="/javascripts/jquery-2.0.0.min.js" type="text/javascript"></script><script src="/js/vendor/jquery-1.7.1.min.js"></script>This is the domain expected by the idp for forwarding emails, and the desktop/android builds for loading the remote about:accounts page.
After verification and fetching keys, we'll need jwcrypto to ultimately get an assertion to a storage server.
static/javascriptsDuration for the cert should be long (a year), likewise for assertion expire date.
Example of creating a key pair:
jwcrypto.generateKeypair({algorithm: "DS", keysize: KEY_LENGTH}, function(err, keypair) {
var pk = keypair.publicKey;
var sk = keypair.secretKey;
});
Example of creating an assertion:
jwcrypto.assertion.sign(
{}, {audience: audience, expiresAt: expirationDate},
secretKey,
function(err, signedAssertion) {
var assertion = jwcrypto.cert.bundle([cert], signedAssertion);
});
/cc @vladikoff
Per mozilla/fxa-auth-server#222 (comment)
- ability to blacklist (temporary or permanent) offending IPs that may be involved in a DDoS. Obviously not feasible for things like the 40k IP addresses involved in the recent GitHub attack (see mozilla/fxa-auth-server#222), but may be mildly effective if we're seeing big spikes from 4-5 IPs.
Put constants that depend on the environment like the FxA Account Server URI into an external file that can be generated at build time.
The README is currently out of date and in need of some love. We'll need to the ability to do some basic configuration (#106) and tests for it to be really useful.
The elm builds now support persisting the fxa session information, so we can query the browser and show the correct state.
Currently, if you have multiple about:accounts pages open and you sign out of your account in one, the other page will not update its state. A fix for this will depend on the browser chrome sending notifications to observers in the wrapper "donut".
Per mozilla/fxa-auth-server#222 (comment)
- Maintain a blacklist of common passwords and prevent users from using dumb stuff like "password" or "12345", etc. This may be slow and regex heavy as we may have to search passwords against common patterns like /password/i or /^\d+$/ as well as a dictionary.
(Copied from #100)
It looks like we're also seeing Travis build timeouts...
Build 103 (master) took about 4:06 and passed: https://travis-ci.org/mozilla/fxa-content-server/builds/14633332
Build 106 (develop) took about 4:26 and passed: https://travis-ci.org/mozilla/fxa-content-server/builds/14941401
Build 107 (remove_all_the_things) took about 50:03 and timed out: https://travis-ci.org/mozilla/fxa-content-server/builds/14941512
...
So it looks like something in 40aff58 is causing the Travis builds to stall.
Sauce Connect installed correctly
Opening local tunnel using Sauce Connect
19:36:00.769Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42848256, heapTotal=34235136, heapUsed=21285544)
19:36:15.770Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42848256, heapTotal=34235136, heapUsed=21295544)
19:36:30.772Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42848256, heapTotal=34235136, heapUsed=21305512)
19:36:45.774Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42852352, heapTotal=34235136, heapUsed=21319072)
Testing tunnel ready
Initialised firefox 23.0.1 on LINUX
19:37:00.775Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42852352, heapTotal=34235136, heapUsed=21329016)
Initialised firefox 23.0.1 on XP
19:37:15.775Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42852352, heapTotal=34235136, heapUsed=21338704)
19:37:30.775Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42852352, heapTotal=34235136, heapUsed=21348584)
19:37:45.777Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42852352, heapTotal=34235136, heapUsed=21358464)
19:38:00.777Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42852352, heapTotal=34235136, heapUsed=21368088)
19:38:15.777Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=42852352, heapTotal=34235136, heapUsed=21377744)
...
20:23:01.056Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=38551552, heapTotal=34235136, heapUsed=23365136)
20:23:16.057Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=38551552, heapTotal=34235136, heapUsed=23374600)
I'm sorry but your test run exceeded 50.0 minutes.
One possible solution is to split up your test run.
Sauce Connect installed correctly
Opening local tunnel using Sauce Connect
00:35:16.694Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=40558592, heapTotal=51012352, heapUsed=15866224)
00:35:31.694Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=40558592, heapTotal=51012352, heapUsed=15875952)
00:35:46.723Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=35119104, heapTotal=51012352, heapUsed=15889176)
00:36:01.726Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=35708928, heapTotal=51012352, heapUsed=15899168)
Testing tunnel ready
Initialised firefox 23.0.1 on LINUX
Initialised firefox 23.0.1 on XP
00:36:16.726Z TRACE fxa-auth-server: (op=stat, stat=mem, rss=35725312, heapTotal=51012352, heapUsed=15908904)
00:36:19.623Z INFO fxa-auth-server: (op=server.onRequest, rid=1385598979618-1589-28436, path=/v1/account/create)
00:36:19.625Z TRACE fxa-auth-server: (op=server.onPreHandler, rid=1385598979618-1589-28436, path=/v1/account/create, auth=false, uid=null, payload=null)
00:36:19.628Z TRACE fxa-auth-server: (op=server.onPreResponse, rid=1385598979618-1589-28436, path=/v1/account/create, response={})
00:36:19.641Z INFO fxa-auth-server: (op=server.response, rid=1385598979618-1589-28436, path=/v1/account/create, t=23)
00:36:20.361Z INFO fxa-auth-server: (op=server.onRequest, rid=1385598980361-1589-44196, path=/v1/account/create)
...
00:36:47.860Z INFO fxa-auth-server: (op=server.response, rid=1385599007856-1589-56241, path=/v1/recovery_email/status, t=4)
Removing Sauce-Connect-latest.zip
Shutting down
Closing Sauce Connect Tunnel
The command "node node_modules/intern/runner.js config=tests/intern_remote" exited with 0.
Done. Your build exited with 0.
It doesn't look like the recent fxa-content-server "remove postinstall" patch (2592731) resolves this issue since that build is at 50:00.
Currently we only send the email supplied during sign-in. We need to also send the userid (<uid>@lcip.org).
We should test all the flows using browser automation. Perhaps with dalek.
It's difficult to tell if you've hit the button since there's no feedback. On mobile, the browser janks hard for 8-12 seconds doing the crypto work, so we need to blur the button, or set up a spinner, or similar.
We need to ensure that frame busting doesn't break the remotely hosted auth flow on desktop/fennec, which use an iframe.
After we enter the blessed "foo@..." email address and press "Next", we get a series of HTTP requests culminating in (according to the web inspector):
the last is handled in browserid/lib/wsapi/auth_with_assertion.js:process(), which passes req.params.assertion to browserid/lib/primary.js:verifyAssertion(), which sends it along to jwcrypto.cert.verifyBundle(), which tries to base64 decode each of three items in an array, but the first item in our array is a nice clear JSON blob of the form:
{"success":true,"certificate":"eyJhbG ..."}
and the base64 decoding error bubbles all the way up to the browser. I am not sure where this should be handled, or whether it indicates some larger misuse of the API.
static/, test/, and unused server modules should be removed.
Tangentially related to #92.
The directory structure is making my heart a bit sad:
/js/ and /javascripts/ directory./js/vendor/** directory, whereas 2.0.0 is just in /javascripts/**. We should probably standardize on a vendor subdirectory.<script src="/js/vendor/jquery-1.7.1.min.js"></script>
<script src="/javascripts/jquery-2.0.0.min.js" type="text/javascript"></script>We should probably consider relocating the /static/js/** to /static/javascripts/** since it looks like javascripts has more "stuff" in it.
Per mozilla/fxa-auth-server#222 (comment)
- A user's password must be at least "x" characters long and include at least 1 character and letter and special character.
From https://travis-ci.org/mozilla/fxa-content-server/builds/14213645
Test main - create_account - create account form FAILED on firefox 23.0.1 on XP:
Error: Error response status: 7.
at webdriver._newError (/home/travis/build/mozilla/fxa-content-server/node_modules/intern/node_modules/wd/lib/webdriver.js:73:13)
at /home/travis/build/mozilla/fxa-content-server/node_modules/intern/node_modules/wd/lib/webdriver.js:149:25
at Request._callback (/home/travis/build/mozilla/fxa-content-server/node_modules/intern/node_modules/wd/lib/webdriver.js:364:5)
at Request.self.callback (/home/travis/build/mozilla/fxa-content-server/node_modules/intern/node_modules/wd/node_modules/request/index.js:148:22)
at Request.EventEmitter.emit (events.js:98:17)
at Request.<anonymous> (/home/travis/build/mozilla/fxa-content-server/node_modules/intern/node_modules/wd/node_modules/request/index.js:876:14)
at Request.EventEmitter.emit (events.js:117:20)
at IncomingMessage.<anonymous> (/home/travis/build/mozilla/fxa-content-server/node_modules/intern/node_modules/wd/node_modules/request/index.js:827:12)
at IncomingMessage.EventEmitter.emit (events.js:117:20)
at _stream_readable.js:910:16
No coverage report available
firefox 23.0.1 on XP: 1/7 tests failed
https://travis-ci.org/mozilla/fxa-content-server/builds/15053643
Soft error around line 1277:
make: *** [Release/obj.target/bigint/bigint.o] Error 1
make: Leaving directory `/home/travis/build/mozilla/fxa-content-server/node_modules/jwcrypto/node_modules/bigint/build'
gyp ERR! build error
gyp ERR! stack Error: `make` failed with exit code: 2
gyp ERR! stack at ChildProcess.onExit (/home/travis/.nvm/v0.10.22/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:267:23)
gyp ERR! stack at ChildProcess.EventEmitter.emit (events.js:98:17)
gyp ERR! stack at Process.ChildProcess._handle.onexit (child_process.js:789:12)
gyp ERR! System Linux 2.6.32-042stab079.5
gyp ERR! command "node" "/home/travis/.nvm/v0.10.22/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "configure" "build"
gyp ERR! cwd /home/travis/build/mozilla/fxa-content-server/node_modules/jwcrypto/node_modules/bigint
gyp ERR! node -v v0.10.22
gyp ERR! node-gyp -v v0.11.0
gyp ERR! not ok
npm WARN optional dep failed, continuing [email protected]
Hard error around line 1455:
> [email protected] postinstall /home/travis/build/mozilla/fxa-content-server
> node ./scripts/postinstall.js
module.js:340
throw err;
^
Error: Cannot find module '/home/travis/build/mozilla/fxa-content-server/scripts/postinstall.js'
at Function.Module._resolveFilename (module.js:338:15)
at Function.Module._load (module.js:280:25)
at Function.Module.runMain (module.js:497:10)
at startup (node.js:119:16)
at node.js:901:3
npm ERR! [email protected] postinstall: `node ./scripts/postinstall.js`
npm ERR! Exit status 8
npm ERR!
npm ERR! Failed at the [email protected] postinstall script.
npm ERR! This is most likely a problem with the fxa-content-server package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node ./scripts/postinstall.js
npm ERR! You can get their info via:
npm ERR! npm owner ls fxa-content-server
npm ERR! There is likely additional logging output above.
npm ERR! System Linux 2.6.32-042stab079.5
npm ERR! command "/home/travis/.nvm/v0.10.22/bin/node" "/home/travis/.nvm/v0.10.22/bin/npm" "install" "--production"
npm ERR! cwd /home/travis/build/mozilla/fxa-content-server
npm ERR! node -v v0.10.22
npm ERR! npm -v 1.3.14
npm ERR! code ELIFECYCLE
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! /home/travis/build/mozilla/fxa-content-server/npm-debug.log
npm ERR! not ok code 0
The command "npm install --production" failed and exited with 1 during install.
Your build has been stopped.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.