Hi All,

Several of the features we've worked on recently have seemed, to use a
very vague and hand-wavy term, "harder than they should be".

I suspect we're starting to bump up against points where the
architecture of our system is no longer a good fit for the way our
use-cases have evolved.  It's nothing to worry about, yet, but it's
definitely something for us to keep an eye on.

So I wanted to get a more precise sense of where these rough edges and
pain-points might be.  Here are some concrete examples of things that
I've noticed lately that seemed harder than they should be:

* It's hard to know what a login session will be used for.

You can send e.g. "reason" and "service" parameters to the /login
endpoint, but they're purely informational and don't affect the final
state of the corresponding session.  I can claim to be logging in to
Pocket, but use that same sessionToken to turn around and log in to sync.

This makes it difficult for us to implement e.g. enhanced security
features that are specific to logging in to sync.

* It's hard to change the shape of our authentication process.

Legacy clients like FirefoxOS obviously manage the entire authentication
flow themselves, but even devices that use the webchannel flow don't
give us end-to-end control over it.  They still expect to be able to
pick up the tail end of the flow themselves (e.g. fetching keys,
querying verification status).

This has made it hard to add additional steps like 2FA and sign-in
confirmation without jumping through a lot of strange
backwards-compatibility hoops.

* It's hard to re-authenticate an existing session.

Actually it's impossible; you have to destroy the existing sessionToken
and create a new one.  But doing so in a way that ensures the new
sessionToken replaces the old one in all the places it should is not trivial.


I'm curious, for other folks on the team - what else have you noticed
lately that has seemed to be harder than it should be?



  Cheers,

    Ryan


_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct