Nightly repeatedly creating and deleting FxA Oauth tokens
Categories
(Firefox :: Sync, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox68 | --- | fixed |
People
(Reporter: jbuck, Assigned: glasserc)
References
(Regression)
Details
(Keywords: regression)
Attachments
(3 files)
Several Nightly users have reported a bug starting today (2019-05-15) where their sync logs show `Error: HTTP 401 Unauthorized: Missing Authorization Token (Please authenticate yourself to use this endpoint.)` for `Sync.Engine.Extension-Storage`.
Looking at the fxa-oauth request logs there's been 25x more requests per hour in calls to /v1/authorize and /v1/destroy by Nightly users compared to 2019-05-14 and other release channels: https://docs.google.com/spreadsheets/d/1UgoCI6oqbah4ekPWwCfloiw65U4O0DsVW8yWAb8T38w/edit#gid=0 .
Comment 1•5 years ago
```
17:12.06 INFO: No more inbound revisions, bisection finished.
17:12.06 INFO: Last good revision: b23f1b4655818d6d64517ddd7fa74fae1fbd9507
17:12.06 INFO: First bad revision: 8fb278dd620a5dab42e6ecc175ab7418ec62a72a
17:12.06 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b23f1b4655818d6d64517ddd7fa74fae1fbd9507&tochange=8fb278dd620a5dab42e6ecc175ab7418ec62a72a
```
Comment 2•5 years ago (Assignee)
I think the new request made in https://hg.mozilla.org/mozilla-central/rev/3840128adf0a6c129ef34650fdf4d5cc0a79db38 is not being passed the relevant options.
I've opened https://github.com/Kinto/kinto.js/pull/975 to address the issue. Once this is reviewed and landed, we can cut another release of kinto.js. Landing that new release in mozilla-central should be straightforward.
It's a bit surprising the (somewhat extensive) chrome.storage.sync tests didn't catch this. The mock server in `toolkit/components/extensions/test/xpcshell/test_ext_storage_sync.js` should have returned a 404 for this call. I would have expected this to be an exception.
Comment 3•5 years ago (Assignee)
This fixes the bug where the call to getData was not passing
authentication information.
Comment 4•5 years ago (Assignee)
I haven't figured out yet why the tests didn't catch it or written a test that would have, but here's a fix.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=c68610ac8d528e2ceba3123e52f248047eeed1c5
Comment 5•5 years ago (Assignee)
Ugh. OK I wrote a test that should catch it and it indicates that my fix was bad. So, don't merge this.
Comment 6•5 years ago (Assignee)
This doesn't apply to httpd requests, so give it a name that makes it
clear what it applies to.
Comment 7•5 years ago (Assignee)
Depends on D31378
Comment 8•5 years ago (Assignee)
OK, so this test should catch it. I'm going to open another PR now that I think I fixed it.
Comment 9•5 years ago (Assignee)
https://github.com/Kinto/kinto.js/pull/977 is the next attempt at a fix.
Comment 10•5 years ago
Pushed by eglassercamp@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7cc38bae1111
Rename assertAuthenticatedRequest r=leplatrem
https://hg.mozilla.org/integration/autoland/rev/14b42e8bd2b5
Check Authorization on all get requests r=leplatrem
https://hg.mozilla.org/integration/autoland/rev/20457619f22b
Update kinto-offline-client.js to v12.4.2 r=leplatrem
Comment 11•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/7cc38bae1111
https://hg.mozilla.org/mozilla-central/rev/14b42e8bd2b5
https://hg.mozilla.org/mozilla-central/rev/20457619f22b
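
The test-side idea from this thread (check Authorization on every GET and fail unknown routes, so a request that drops its options cannot pass unnoticed), sketched as an added example. It is not the kinto.js or Firefox test code; all function names, paths and the token are constructed for illustration.

```javascript
"use strict";

// Constructed in-memory stand-in for a storage server (not the xpcshell mock).
// Every GET is checked for Authorization before routing, and unregistered
// paths return 404 instead of a default success.
function makeMockServer(expectedToken, routes) {
  const log = [];
  function handle(req) {
    const auth = (req.headers || {}).Authorization;
    let status = 200;
    if (auth !== `Bearer ${expectedToken}`) status = 401;
    else if (!routes.includes(req.path)) status = 404;
    log.push(`${status} ${req.path}`);
    return { status };
  }
  return { handle, log };
}

// Hypothetical client with two request paths. With forwardOptions=false the
// secondary call drops the caller's options, so its headers never reach the
// server: the class of defect discussed in this bug.
function makeClient(server, forwardOptions) {
  const get = (path, options = {}) =>
    server.handle({ method: "GET", path, headers: options.headers });
  return {
    listRecords: (options) => get("/records", options),
    getData: (options) => get("/collection", forwardOptions ? options : {}),
  };
}

// Run one pass and return every request the mock did not answer with 200.
function failedRequests(forwardOptions, routes = ["/records", "/collection"]) {
  const token = "constructed-token"; // sample value, not a real credential
  const server = makeMockServer(token, routes);
  const client = makeClient(server, forwardOptions);
  const options = { headers: { Authorization: `Bearer ${token}` } };
  client.getData(options);
  client.listRecords(options);
  return server.log.filter((entry) => !entry.startsWith("200 "));
}

console.log("options dropped:   ", failedRequests(false));
console.log("options forwarded: ", failedRequests(true));
console.log("route unregistered:", failedRequests(true, ["/records"]));
```

A test that asserts `failedRequests(...)` is empty fails on both the dropped-header case and the unregistered-route case, rather than only on routes the test author anticipated.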