1313731 - autoconfigured FxA auth URI is missing trailing /v1

Status: RESOLVED FIXED

(Firefox :: Sync, defect, P1)

Description

[Ethan Glasser-Camp (:glasserc)]

I tried using the autoconfig support today in nightly and everything seemed to work OK, but it wanted me to verify my email, and sending email verifications wasn't working. Instead I saw a stream of errors in the terminal like:

1477675336645	FirefoxAccounts	ERROR	error GETing /recovery_email/status?reason=timer: {"code":404,"errno":999,"error":"Not Found","message":"Unspecified error","info":"https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#response-format"}

:vladikoff suggested examining the value of identity.fxaccounts.auth.uri, which was https://stable.dev.lcip.org/auth. The default value is https://api.accounts.firefox.com/v1. Noticing that there is a trailing /v1 on the default value, I tried the value https://stable.dev.lcip.org/auth/v1. Once I restarted Firefox, it seemed fine -- it didn't even ask me to verify my email any more.

Comment 1

[Vlad Filippov (:vladikoff)]

Filed : https://github.com/mozilla/fxa-dev/issues/286

Comment 2

[Mark Hammond [:markh] [:mhammond]]

We will re-verify this after the github issue is closed.

Comment 3

[Ryan Kelly [:rfkelly]]

I seem to recall us deliberately *not* including the /v1, but I could be mis-remembering.  In that case, it would mean that the production config is wrong.  And indeed, if I examine the production config, only the auth-server includes the /v1 suffix:

  $ curl --silent https://accounts.firefox.com/.well-known/fxa-client-configuration | jq
  {
    "auth_server_base_url": "https://api.accounts.firefox.com/v1",
    "oauth_server_base_url": "https://oauth.accounts.firefox.com",
    "profile_server_base_url": "https://profile.accounts.firefox.com",
    "sync_tokenserver_base_url": "https://token.services.mozilla.com"
  }

This seems weird to me, they should all be consistent one way or another.

But, I take this issue to indicate that the client code is expecting the /v1 to be present, so we probably have to move forward with including it.

Comment 4

[Ryan Kelly [:rfkelly]]

Yep, the client expects the auth URL to contain the /v1 already, but adds it to the oauth and profile URLs:

  https://hg.mozilla.org/integration/autoland/rev/d08f86205057#l9.151

Comment 5

[Ryan Kelly [:rfkelly]]

It looks like we confused ourselves here, because the content-server's own config will accept an auth-server URL either with or without the /v1, and will add it as appropriate.  But it's echoing that config to the client, which expects the /v1 to be present.  I think the only path forward from here is to ensure we always include the /v1 in the response to the client:

  https://github.com/mozilla/fxa-content-server/pull/4356

Comment 6

[Ryan Kelly [:rfkelly]]

> I think the only path forward from here is to ensure we always include the /v1

After discussion with :markh, it makes more sense to fix the client so it has consistent expectations for all these URLs.  In practice that means:

1) Changing the client code here:

  https://dxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccountsConfig.jsm#147

So that it appends /v1 to the auth-server URL, like it already does for the other two.

2) Adding safeguards in content-server to ensure that we do *not* include the /v1 in the URL being reported to the client.

Comment 7

[Thom Chiovoloni [:tcsc] (ex-moco)]

Attachment: Bug 1313731 - Append /v1 to fxaccount's autoconfig's auth_server_base_url if not present

Currently the fxaccounts content server passes this through directly from its
configuration files, and accepts this as either containing the trailing /v1 or
not. On stage, it contains it, but on dev it does not.

In the near future, it should be possible to append the trailing /v1
unconditionally, as the FxA content server is being changed to never send it
down (which will be consistent with the other prefs), however it's done
conditionally as to not break autoconfig against stage in the mean time.

Review commit: https://reviewboard.mozilla.org/r/90092/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/90092/

Comment 8

[Thom Chiovoloni [:tcsc] (ex-moco)]

As explained in the commit message, this is done conditionally as to not break current stage. Let me know if I should open a bug to make this added unconditionally.

Comment 9

[Mark Hammond [:markh] [:mhammond]]

Comment on attachment 8806767 [details]
Bug 1313731 - Append /v1 to fxaccount's autoconfig's auth_server_base_url if not present

Ryan, do you mind taking this?

Comment 10

[Ryan Kelly [:rfkelly]]

Comment on attachment 8806767 [details]
Bug 1313731 - Append /v1 to fxaccount's autoconfig's auth_server_base_url if not present

https://reviewboard.mozilla.org/r/90092/#review89852

Looks good to me!  The conditional behaviour makes sense in order to smooth out the transition in the server-side behaviour.

Comment 11

[Pulsebot]

Pushed by tchiovoloni@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1459baf15694
Append /v1 to fxaccount's autoconfig's auth_server_base_url if not present r=rfkelly

Comment 12

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/1459baf15694