Closed Bug 1052883 Opened 10 years ago Closed 10 years ago

Use the pre-verified API

Categories

(Marketplace Graveyard :: Integration, defect, P2)

2014-Q3
x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: andy+bugzilla, Assigned: ashort)

References

Details

Firefox Accounts is adding in a pre-verified API. Let's hook that up. In the case where:

* a user is logged into the Marketplace (dev or consumer pages) with Persona
* the Persona account is verified

We can then ping Firefox Accounts and let them know that the account does not need that extra email verification step. The API is here:

https://github.com/mozilla/fxa-auth-server/issues/780

It's important that only accounts logged in with Persona use this, as otherwise we've got an account takeover vector.
No longer blocks: 1052876
Blocks: 1007956
Priority: -- → P3
Discussion about this is at https://mail.mozilla.org/pipermail/dev-fxacct/2014-August/001064.html

I think they are waiting for #1 and #2 (confirmation from the Marketplace)
Flags: needinfo?(amckay)
Priority: P3 → --
dbialer said he'd sign off on this approach today.
Flags: needinfo?(amckay)
David: please confirm
Flags: needinfo?(dbialer)
We've been moving forward without confirmation, but it would still be nice to get product level confirmation that this preVerified API is desired and a go.
confirmed (though too late :)
Flags: needinfo?(dbialer)
Priority: -- → P2
Assignee: nobody → ashort
There are two places in the flow we plan to use the pre-verified API:

* if the user is logged into the Marketplace and has a verified Persona account
* emails we'll send to developers containing the pre-verified key (bug 1059561)

The primary purpose of this bug is to get the pre-verified API working so that we can hook it into these spots.
https://github.com/mozilla/zamboni/commit/6a9d2d4
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
:ashort, we need the URL at which your signing key will be hosted (both in dev and in prod) for this work.
Flags: needinfo?(ashort)
This config change should go into our train-22 release. It's currently in stage: bug 1071309.
The production URL is 404.

$ curl -D - 'https://marketplace.firefox.com/api/v1/account/fxa-preverify-key/'
HTTP/1.1 404 NOT FOUND
Server: nginx
Date: Tue, 30 Sep 2014 00:27:02 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
API-Filter: carrier=&lang=en-US&pro=&region=restofworld
Access-Control-Expose-Headers: API-Filter, API-Status, API-Version
Strict-Transport-Security: max-age=31536000
Vary: API-Filter, Accept-Language, Cookie
API-Pinned: False
ETag: "d41d8cd98f00b204e9800998ecf8427e"
API-Version: 1
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type
I noticed the key from the dev url doesn't include a "kid" field. Although the preVerifyToken *should* work without one, I strongly recommend we use them.
Next push to production is 7 Oct; this key URL will be live then.

'kid' field added: https://github.com/mozilla/zamboni/commit/223ecb5
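
The 'kid' recommendation above matters as soon as more than one signing key is published, for example during key rotation. The following is an added example, not code from zamboni or fxa-auth-server: it assumes the pre-verify token is a compact JWS and that the key URL serves a JWK set, and every function name, key id and key value in it is constructed. It only selects the key; signature verification with the selected key would follow and is not shown.

```python
import base64
import json

class KeySelectionError(Exception):
    """No single verification key can be chosen for a token."""

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_kid(token):
    """Return the 'kid' of a compact JWS header, or None when absent."""
    parts = token.split(".")
    if len(parts) != 3:
        raise KeySelectionError("not a compact JWS")
    try:
        # Segments are unpadded base64url; restore padding before decoding.
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise KeySelectionError("unreadable header") from exc
    if not isinstance(header, dict):
        raise KeySelectionError("header is not a JSON object")
    return header.get("kid")

def select_key(token, jwk_set):
    """Pick the one key a verifier should try for this token; fail closed."""
    keys = jwk_set.get("keys", [])
    kid = token_kid(token)
    if kid is None:
        # Without a kid the choice is unambiguous only if one key is published.
        if len(keys) == 1:
            return keys[0]
        raise KeySelectionError("no kid in token, %d keys published" % len(keys))
    matches = [k for k in keys if k.get("kid") == kid]
    if len(matches) != 1:
        raise KeySelectionError("kid %r matched %d keys" % (kid, len(matches)))
    return matches[0]

def make_token(header):
    """Constructed sample token; payload and signature segments are dummies."""
    payload = b64url(b'{"sub":"user@example.com"}')
    return ".".join([b64url(json.dumps(header).encode()), payload, b64url(b"sig")])

# Constructed key sets: modulus values are placeholders, not real keys.
KEY_A = {"kty": "RSA", "kid": "constructed-a", "n": "PLACEHOLDER", "e": "AQAB"}
KEY_B = {"kty": "RSA", "kid": "constructed-b", "n": "PLACEHOLDER", "e": "AQAB"}
SINGLE = {"keys": [KEY_A]}
ROTATING = {"keys": [KEY_A, KEY_B]}
```
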
Please add STR here or mark it with [qa-] if no QA is needed.
Flags: needinfo?(ashort)
Flags: needinfo?(ashort)