On 1/09/2016 14:43, Chris Tybur wrote:
> On Tue, Aug 30, 2016 at 12:17 AM, <[email protected]> wrote:
> 
>     It's sparse, because it re-uses the existing account verification
>     end-points.  The flow goes like this:
> 
>     * Submit credentials to /v1/account/login [1].
> 
>     * For whatever reason, the server decides the request needs
>       additional verification.  It sends the email and includes the
>       following fields in the response body:
> 
>         {
>           "verified": false,
>           "verificationReason": "login",
>           "verificationMethod": "email",
>           [...other existing login response fields here...]
>         }
> 
>     * The email includes a link with a verification code, in exactly
>       the same way as the existing account-verification email.
> 
>     * When clicked, this link loads a page that submits the code
>       to /v1/recovery_email/verify_code [2]
> 
> I'm not sure how this makes it possible for me to use the Sync API like
> I had previously. My app POSTs to account/login and gets back enough
> info for me to retrieve the key needed to decrypt my bookmark data. I
> get that key by accessing the crypto/keys storage object using the
> current Storage APIs. The process all happens synchronously, and is
> non-interactive from the moment I click a button on a web page to when
> the decrypted bookmark data gets rendered to a web page. I read the
> above links but it's not clear how they will allow me to get to my
> bookmark data. And it's only bookmark data I care about.
> 
> How can I use this new security framework in my app to achieve the same
> thing? Is it even possible given the flow I described?


I see what you mean - no, it doesn't let you get to the bookmark data in
a no-interaction-required manner; it requires you to get a verification
code out of your email in order to confirm the login.

We're working on an additional feature that will help here, by
remembering devices that you've successfully logged in from in the past,
and skipping the confirmation step on those devices.  But that's not
ready to ship yet.


  Ryan

_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
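
The login-response branch discussed in this thread, as an added example that is not part of the original messages or of Mozilla's code: a non-interactive client inspects the three fields quoted above and stops before any key retrieval unless the login is confirmed. The state names, `classifyLoginResponse`, `handleLogin` and the `continueSync` callback are hypothetical, and failing closed on a missing `verified` field is an assumption of this sketch.

```javascript
// Added example: decide whether a non-interactive client may continue after
// POSTing credentials to /v1/account/login. Only the three fields quoted in
// the thread are inspected; every other field in the body is left untouched.

// Hypothetical state names, chosen for this example.
const LoginState = Object.freeze({
  CONFIRMED: 'confirmed',
  AWAITING_EMAIL: 'awaiting-email-confirmation',
  AWAITING_OTHER: 'awaiting-other-verification',
  MALFORMED: 'malformed-response',
});

function classifyLoginResponse(body) {
  if (body === null || typeof body !== 'object' || typeof body.verified !== 'boolean') {
    // Fail closed (assumption): without a boolean "verified" we do not proceed.
    return { state: LoginState.MALFORMED, reason: null, method: null };
  }
  if (body.verified) {
    return { state: LoginState.CONFIRMED, reason: null, method: null };
  }
  const reason = typeof body.verificationReason === 'string' ? body.verificationReason : null;
  const method = typeof body.verificationMethod === 'string' ? body.verificationMethod : null;
  // The combination described in the thread: a login confirmed by an emailed link.
  const emailLogin = reason === 'login' && method === 'email';
  const state = emailLogin ? LoginState.AWAITING_EMAIL : LoginState.AWAITING_OTHER;
  return { state, reason, method };
}

// continueSync is a hypothetical callback standing in for the app's own
// key-retrieval and bookmark-decryption step.
function handleLogin(body, continueSync) {
  const result = classifyLoginResponse(body);
  if (result.state === LoginState.CONFIRMED) {
    return { ...result, data: continueSync(body) };
  }
  // Not confirmed: never call continueSync; the caller must prompt the user
  // to follow the emailed link and then log in again.
  return { ...result, data: null };
}

// Constructed sample bodies (not captured from a real server).
const unconfirmed = { verified: false, verificationReason: 'login', verificationMethod: 'email' };
const confirmed = { verified: true };
```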
