1840414 - Verify FxA accounts by launching content server instead of requesting a new verification link

Status: RESOLVED DUPLICATE of bug 1855513

(Firefox :: Sync, enhancement, P3)

Description

[Tarik Eshaq [:teshaq]]

Currently, if a user did not verify their account when sign up/signing in, they have the ability to request a verification email by going to about:preferences#sync.

The flow is as follows:

• User goes to about:preferences#sync, either directly or through the account menu
• User clicks "Resend Verification"
• Firefox sends an HTTP request to the FxA auth server to issue a new code
• The auth server then generates a URL that would verify the user and sends it to the user's email
• Once the user clicks on the URL, a push notification is sent to the user's Firefox that the account is now verified
• Firefox then can derive its sync keys

An alternative flow (Which I'm proposing, this doesn't exist but is trivial to change to)

• User goes to about:preferences#sync, either directly or through the account menu
• User clicks "Verify Account"
• User is directed to the FxA sign-up/in page, with the user's email inputted,
• The user inputs their password (we might be able to get away without this step, the browser should still have a valid authenticated session)
• A new code is sent to the user's email and the user completes the verification process as if they verified it the first time.

A couple of high-level notes:

• This only impacts users who signed up/in without verifying directly on the content page
• If a user shuts down Firefox in between signing up and verifying, they undergo the alternative flow anyways see Bug 1840403
• The alternative flow unblocks moving Firefox Desktop to the OAuth flow as the content server would need to run and pass the oauth code back to the browser after verification, whereas in the current flow, the content server won't be launched in the same context