Hi Chris,

Sorry for the unexpected breakage here.  We apply a number of checks to the
incoming /account/login authentication request, and reject any that seem
"unexpected" across a variety of measures.  I'm not going to go into any
more detail here on the public list because I don't want to encourage any
new consumers of this API.  The more consumers talking directly to this
API, the harder it is for us to make changes that improve overall system
security.

I'll reach out to you by private email to help get your existing app back
up and running.

Longer term, we are slowly but surely working on the ability to access sync
data via a standard OAuth-style API, which would avoid the need for you to
talk to the /account/login API directly and would insulate your app from
any future security-related changes.  It's been a long time coming but I
think we may finally have a clear path to shipping it sometime this year.
Hopefully.

  Cheers,

    Ryan


On 26 June 2017 at 05:49, Richard Newman <[email protected]> wrote:

> Let's try dev-fxacct for this question.
>
> -R
>
> On Sun, Jun 25, 2017 at 10:34 AM, Chris Tybur <[email protected]> wrote:
>
>> Gabriel:
>>
>> Thanks for the suggestion. I was hoping to avoid having to incorporate an
>> entirely new way of doing the authentication, if possible.
>>
>> I should also mention that what I had working before April was to POST to
>> account/login, then I'd receive an email with a link asking to verify my
>> identity. I'd manually copy that link from the message into a page in my
>> app, then that page would POST to recovery_email/verify_code with the code
>> in the link, along with a token obtained earlier. And all was well. I just
>> need to know what is different about that process.
>>
>> Chris
>>
>>> I have a web app that uses the Firefox Account login API to authenticate my
>>> account, obtain Sync storage encryption keys, then pull down my sync'ed
>>> bookmarks. Around April the login stopped working and started returning
>>> "The request was blocked for security reasons". I see at
>>> https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#post-accountlogin
>>> that the login API seems to have some new query params and payload data.
>>>
>>> Is this new data and the process documented somewhere? I'd like to be able
>>> to adjust my code to call the API correctly.
>>>
>>> Chris
>>>
>>
> _______________________________________________
> Dev-fxacct mailing list
> [email protected]
> https://mail.mozilla.org/listinfo/dev-fxacct
>
>
_______________________________________________
Sync-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/sync-dev
