Firefox Sync custom server integration

RESOLVED INVALID

Status

Cloud Services
Firefox Sync: Backend
6 years ago
4 years ago

People

(Reporter: info, Unassigned)

(Reporter)

Description

6 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Build ID: 20111120135848



Actual results:

When I set up a custom server, why the hell does Firefox still ask auth.services.mozilla.org if the username is taken, password correct etc. pp. When I choose "custom server" I HAVE A SERVER OF MY OWN! My server fully supports user API 1.0, but I have to say "I already have a Firefox Sync Account" and click on "have the device not here" to set up a custom server. It's not only me, see [1]. It's not even documented!

Next, I want to change my password. I'll quote User API 1.0: "400: 9 (Requested password not strong enough)". But as long as I type less than 8 characters Firefox is complaining, the password length is too short. How can Firefox know this? It's not part of User API 1.0. Firefox can send this password to the server and when Firefox is receiving status code 9 aka WEAVE_WEAK_PASSWORD or display X-Weave-Alert it can show the user, that the password is too short.

Another thing is, when I set up a custom server using this stupid "hack" to say I have an account and I typed my password wrong (server is sending 403) Firefox says my server is broken. It is not! Firefox doesn't understand what 403 means.

When I open `about:sync-log` I constantly get requests to "https://setup.services.mozilla.com/hy7s". Why? I don't want to contact your server. Why did you even implement "use custom server" when everything is still bound to Mozilla's services?

[1]: https://support.mozilla.com/de/questions/712986


Expected results:

Be able to set up a custom sync server including user registration in the first pane or document how to set up a custom server if you want to keep these.

Implement User API 1.0 as designed. Not interpreting unknown standards. The server can complain if something is not ok, but the server can behave differently than Mozilla's server-full assumes.

Entering a wrong password and using a custom server, the first call "GET /1.1/bob/info/collections HTTP/1.1" will result in 403, which does not mean, the server is badly configured.

Remove or explain what "https://setup.services.mozilla.com/hy7s" exactly does and why it is still there, even if you have a custom server.
Component: General → Firefox Sync: Backend
Product: Firefox → Mozilla Services
QA Contact: general → sync-backend
Version: 8 Branch → unspecified

(In reply to info from comment #0)

> When I set up a custom server, why the hell does Firefox still ask
> auth.services.mozilla.org if the username is taken, password correct etc.
> pp. When I choose "custom server" I HAVE A SERVER OF MY OWN! My server fully
> supports user API 1.0, but I have to say "I already have a Firefox Sync
> Account" and click on "have the device not here" to set up a custom server.
> It's not only me, see [1]. It's not even documented!

Validation will occur against the default server *if you haven't already entered a custom server URL*. If you enter the server URL first, a.s.m.c is not contacted. If you enter the custom server URL later, the other inputs will be re-validated.

The UI is optimized for the common case, which I'm afraid is not you.


> Next, I want to change my password. I'll quote User API 1.0: "400: 9
> (Requested password not strong enough)". But as long as I type less than 8
> characters Firefox is complaining, the password length is too short. How can
> Firefox know this? It's not part of User API 1.0. Firefox can send this
> password to the server and when Firefox is receiving status code 9 aka
> WEAVE_WEAK_PASSWORD or display X-Weave-Alert it can show the user, that the
> password is too short.

Sync does local password validation:

http://dxr.mozilla.org/mozilla-central/browser/base/content/sync/utils.js.html#l188


> Another thing is, when I set up a custom server using this stupid "hack" to
> say I have an account and I typed my password wrong (server is sending 403)
> Firefox says my server is broken. It is not! Firefox doesn't understand
> what 403 means.

Error code 403 is not part of the Sync Storage 1.1 protocol. So yes, your server is broken.

http://docs.services.mozilla.com/storage/apis-1.1.html#http-status-codes


> When I open `about:sync-log` I constantly get requests to
> "https://setup.services.mozilla.com/hy7s". Why? I don't want to contact your
> server. Why did you even implement "use custom server" when everything is
> still bound to Mozilla's services?

That request is going to the J-PAKE key exchange server. If you open the Sync setup dialog, a J-PAKE channel will be opened for credentials exchange, even if you don't end up using J-PAKE.

The whole point of credentials exchange is that you don't need to type anything on one machine to get it to talk to another; setup.smc is the secure channel used to get the two machines talking.

You can change this server URL in about:config if you wish, but by definition it's not a user-facing option.

Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID
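
The two server-side responses discussed in comments 0 and 1, as an added example that is not code from this bug, from Firefox, or from weave-minimal: a failed login on a Storage 1.1 endpoint and a password change rejected by the server's own policy. It assumes that 401 is the status the linked Storage 1.1 status-code document assigns to invalid credentials; the function names, the sample account, the fixed salt and `min_length` are hypothetical.

```python
import base64
import hashlib
import hmac

WEAVE_WEAK_PASSWORD = "9"  # User API 1.0: "Requested password not strong enough"
SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {"bob": digest("correct horse battery")}  # constructed sample account


def authenticated(path_user, authorization):
    """True only if the Basic credentials match the user named in the URL path."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    user, sep, password = decoded.partition(":")
    if not sep or user != path_user or user not in USERS:
        return False
    return hmac.compare_digest(digest(password), USERS[user])


def unauthorized():
    # Assumption: 401 is the Storage 1.1 answer to bad credentials. A 403 here is
    # what made the client in this bug report the server as broken.
    return 401, {"WWW-Authenticate": 'Basic realm="Sync"'}, ""


def info_collections(path_user, authorization):
    """GET /1.1/<user>/info/collections -> (status, headers, body)."""
    if not authenticated(path_user, authorization):
        return unauthorized()
    return 200, {"Content-Type": "application/json"}, "{}"


def change_password(path_user, authorization, new_password, min_length=8):
    """User API 1.0 password change; min_length is this server's own policy."""
    if not authenticated(path_user, authorization):
        return unauthorized()
    if len(new_password) < min_length:
        return 400, {}, WEAVE_WEAK_PASSWORD
    USERS[path_user] = digest(new_password)
    return 200, {}, ""
```

The server-side length check is independent of the client: Firefox applies its own local validation before any request is sent, so relaxing `min_length` on the server does not remove the warning in the browser.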
(Reporter)

Comment 2

5 years ago
I feel sorry for that bug report. I've talked with rfkelly afterwards and it was basically just that Firefox is not very verbose about certain things and my wrong server implementation at this point.

At least with API 2.0 the tests are way more complete than for the current 1.1 and I can fully understand that the focus is on 2.0 not fixing 1.1. Anyway, thank you for your response.

(In reply to info from comment #2)
> I feel sorry for that bug report. I've talked with rfkelly afterwards and it
> was basically just that Firefox is not very verbose about certain things and
> my wrong server implementation at this point.
> 
> At least with API 2.0 the tests are way more complete than for the current
> 1.1 and I can fully understand that the focus is on 2.0 not fixing 1.1.
> Anyway, thank you for your response.

Not a problem! Sorry it took so long to get around to -- dropped through a crack on first report, so now I'm pruning old bugs.

Comment 4

4 years ago
Can I somehow disable the warning that the password is too short with a custom server? If I have a server in my LAN, I do not care if the password is too short or insecure, because it will not be used outside my home.

I want to use Owncloud with the FF Sync Addon, but there the password is used from my Owncloud account, which is not 8 digits long.

Please set this warning as only a warning, but not as a requirement for custom servers.

(Reporter)

Comment 5

4 years ago
You can probably register a new account from the CLI using `weave-minimal` [1]. Then enter your account in `about:config` -> `services.sync.account = ...` and then you need to get your password somehow to the Firefox password manager.

It's not worth the effort actually. It's not a server restriction but a restriction in Firefox Sync. Instead you can use `password` as password ;)

[1] https://github.com/posativ/weave-minimal#using-a-custom-username