Hi All,
I'm going to start a habit of sending out summary emails when we cut a
new FxA train for production. I'm hoping this will help us all keep
track of the wider picture as we get more moving pieces and more
projects depending on FxA throughout the year.
Feedback on the idea and execution always appreciated :-)
This week we'll be rolling train-30 to production with the following
highlights:
Auth Server:
* Database queries are now done using stored procedures rather than
raw SQL. This is the first step in a plan to increase db-level
security for the core account data.
* Forgotten-password tokens now expire after an hour, increased from
the previous value of 15 minutes. This will help them more easily
traverse email greylisting systems.
* We no longer forward missing/invalid Accept-Language headers to
the Basket API; instead we default them to "en-US".
OAuth Server:
* Reliers can now securely force the user to re-enter their password,
by specifying the `force_auth` request parameter and then checking
the `auth_at` response parameter.
* It's now possible to destroy an oauth token without providing the
client_secret, e.g. from client-side javascript code.
* Server endpoints now accept "application/x-form-urlencoded" formatted
data in addition to "application/json", for compatibility with
existing oauth relier libraries.
* Unknown request parameters will now trigger an error rather than
being silently ignored.
* We now have some basic database migration infrastructure in place
in production.
Content Server:
* Settings pages now accept a "uid" query parameter to specify the
active account. They also check whether the account is properly
verified to avoid offering features that the user cannot access.
* Reliers can now avoid displaying a partially-drawn UI by listening
for the new "loaded" message during page initialization.
* Azerbaijani [az] is now a supported locale.
* Several compatibility bugs in how XHR requests are performed have
been fixed.
* Client-side metrics have been added to track whether the user
customized their sync datatypes, and whether they changed visibility
in the password field.
As always, you can dig into the details of any of these changes through
the CHANGELOG files in each individual repo.
Cheers,
Ryan
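To make the `force_auth` / `auth_at` item concrete, here is an added relier-side check written for this summary; it is not FxA's own code and the endpoint URL, the `force_auth=true` value and the assumption that `auth_at` is a Unix timestamp in seconds are all placeholders.

```python
import time
import urllib.parse

# Constructed placeholder; the real authorization endpoint is not given above.
AUTHORIZATION_ENDPOINT = "https://oauth.example/v1/authorization"


def build_authorization_url(client_id, state, redirect_uri, force_auth=True):
    """Build the relier's authorization request.

    `force_auth` is the request parameter named in the train notes; the
    value "true" is an assumption.  `state` must be unguessable and bound to
    the relier's session so the response can be matched to this request.
    """
    params = {
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
        "scope": "profile",
    }
    if force_auth:
        params["force_auth"] = "true"
    return AUTHORIZATION_ENDPOINT + "?" + urllib.parse.urlencode(params)


def password_was_reentered(token_response, flow_started_at, max_skew=60, now=None):
    """Return True only if `auth_at` shows a fresh authentication.

    The redirect arriving is not proof that the password was re-entered;
    the relier compares `auth_at` against its own record of when it started
    the flow (`flow_started_at`, Unix seconds).  A missing, non-numeric or
    future-dated `auth_at` fails closed.  `max_skew` tolerates small clock
    differences between the relier and the OAuth server.
    """
    now = time.time() if now is None else now
    auth_at = token_response.get("auth_at")
    if isinstance(auth_at, bool) or not isinstance(auth_at, (int, float)):
        return False
    if auth_at > now + max_skew:  # timestamp from the future: reject
        return False
    return auth_at >= flow_started_at - max_skew
```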
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct