Nightly repeatedly creating and deleting FxA Oauth tokens

RESOLVED FIXED in Firefox 68

defect

People

(Reporter: jbuck, Assigned: glasserc)

Tracking

(Regression)

68 Branch
Firefox 68

Firefox Tracking Flags

(firefox68 fixed)

Attachments

(3 attachments)

Several Nightly users have reported a bug starting today (2019-05-15) where their sync logs show Error: HTTP 401 Unauthorized: Missing Authorization Token (Please authenticate yourself to use this endpoint.) for Sync.Engine.Extension-Storage.

Looking at the fxa-oauth request logs there's been 25x more requests per hour in calls to /v1/authorize and /v1/destroy by Nightly users compared to 2019-05-14 and other release channels: https://docs.google.com/spreadsheets/d/1UgoCI6oqbah4ekPWwCfloiw65U4O0DsVW8yWAb8T38w/edit#gid=0 .

Regressed by: 1547995
```
17:12.06 INFO: No more inbound revisions, bisection finished.
17:12.06 INFO: Last good revision: b23f1b4655818d6d64517ddd7fa74fae1fbd9507
17:12.06 INFO: First bad revision: 8fb278dd620a5dab42e6ecc175ab7418ec62a72a
17:12.06 INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b23f1b4655818d6d64517ddd7fa74fae1fbd9507&tochange=8fb278dd620a5dab42e6ecc175ab7418ec62a72a
```

I think the new request made in https://hg.mozilla.org/mozilla-central/rev/3840128adf0a6c129ef34650fdf4d5cc0a79db38 is not being passed the relevant options.

I've opened https://github.com/Kinto/kinto.js/pull/975 to address the issue. Once this is reviewed and landed, we can cut another release of kinto.js. Landing that new release in mozilla-central should be straightforward.

It's a bit surprising the (somewhat extensive) chrome.storage.sync tests didn't catch this. The mock server in toolkit/components/extensions/test/xpcshell/test_ext_storage_sync.js should have returned a 404 for this call. I would have expected this to be an exception.

This fixes the bug where the call to getData was not passing
authentication information.

I haven't figured out yet why the tests didn't catch it or written a test that would have, but here's a fix.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=c68610ac8d528e2ceba3123e52f248047eeed1c5

Ugh. OK I wrote a test that should catch it and it indicates that my fix was bad. So, don't merge this.

This doesn't apply to httpd requests, so give it a name that makes it
clear what it applies to.

OK, so this test should catch it. I'm going to open another PR now that I think I fixed it.

https://github.com/Kinto/kinto.js/pull/977 is the next attempt at a fix.

Attachment #9065284 - Attachment description: Bug 1551952: Update kinto-offline-client.js to v12.4.1 → Bug 1551952: Update kinto-offline-client.js to v12.4.2

Comment 10

Last month
Pushed by eglassercamp@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7cc38bae1111
Rename assertAuthenticatedRequest r=leplatrem
https://hg.mozilla.org/integration/autoland/rev/14b42e8bd2b5
Check Authorization on all get requests r=leplatrem
https://hg.mozilla.org/integration/autoland/rev/20457619f22b
Update kinto-offline-client.js to v12.4.2 r=leplatrem
Assignee: nobody → eglassercamp
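
The test-side check named in the last push ("Check Authorization on all get requests"), sketched as an added example that is not code from kinto.js or mozilla-central: a mock server that rejects and records every request lacking a bearer token, so a call that drops its options fails the test instead of passing silently. `makeAuthCheckingServer`, `SketchClient`, `listRecords`, the paths and the token are hypothetical; only the `getData` name comes from the bug.

```javascript
// Added example (hypothetical names throughout; not the project's test code).
// Mock server: every request must carry a bearer token, on every route.
function makeAuthCheckingServer(routes) {
  const unauthenticated = []; // "METHOD path" of each request seen without a token
  function handle(method, path, headers = {}) {
    const auth = headers.Authorization || headers.authorization;
    if (!auth || !/^Bearer \S+$/.test(auth)) {
      unauthenticated.push(`${method} ${path}`);
      return { status: 401, body: { message: "Missing Authorization Token" } };
    }
    const route = routes[`${method} ${path}`];
    // Unknown paths are an explicit error, never a silent empty success.
    if (!route) return { status: 404, body: { message: "Not found" } };
    return { status: 200, body: route };
  }
  return { handle, unauthenticated };
}

// Minimal client with the shape of defect discussed in the bug: one call
// forwards the caller's options (headers), the other can be made to drop them.
class SketchClient {
  constructor(server, { forwardOptions }) {
    this.server = server;
    this.forwardOptions = forwardOptions;
  }
  listRecords(options) {
    return this.server.handle("GET", "/records", options.headers);
  }
  getData(options) {
    const headers = this.forwardOptions ? options.headers : undefined;
    return this.server.handle("GET", "/collection", headers);
  }
}

// Runs one "sync" and reports response statuses plus any unauthenticated calls.
function runSync(forwardOptions) {
  const server = makeAuthCheckingServer({
    "GET /records": { data: [] },
    "GET /collection": { data: { id: "constructed" } },
  });
  const client = new SketchClient(server, { forwardOptions });
  // Constructed token, for the test only.
  const options = { headers: { Authorization: "Bearer constructed-test-token" } };
  const statuses = [
    client.listRecords(options).status,
    client.getData(options).status,
  ];
  return { statuses, unauthenticated: server.unauthenticated };
}
```

A test built on this asserts that `unauthenticated` is empty after the sync, which fails for the client that drops its options in `getData` and passes once they are forwarded.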