Hi All,

This week we'll be rolling FxA train-66 to production, with the following highlights:

* The content-server codebase can now use some ES6 features, thanks to the inclusion of babel in the build process. Fat arrow functions FTW!
* Users who attempt to sign up with very commonly used passwords will now receive a warning message about the security implications of doing so.
* The "account lockout" feature has been removed; it was never properly enabled in production, and is subsumed by new and more general security features.
* Support for logging in via third-party OpenID providers has been removed; this was speculative partner-supporting code that was never enabled in production.
* The customs-server can now flag requests as "suspicious", triggering additional authentication measures rather than outright blocking them. The precise rules for suspiciousness are private and will almost certainly remain so.
* The sign-in confirmation feature is now enabled for even more users, and for all requests that the above feature flags as "suspicious".
* The content-server now checks sessionToken freshness when focus returns to the page, eliminating some edge-cases where cached state could make it appear that a logout was not properly processed.
* Several improvements have been made to the "show password" button, in order to cooperate better with Firefox's password and session management.
* Several compatibility fixes for FxOS 1.x and Fennec < 25 have landed, to work around not-quite-standard interpretations of web security features.
* There's a new endpoint at which clients can discover all the necessary server URLs, instead of setting lots of URLs in about:config. None of our clients actually support it yet, but it's a start! When live, see https://accounts.firefox.com/.well-known/fxa-client-configuration
* There's a new development server specifically designed to work with the CORS, CSP, etc. configuration of a local fxa-content-server repo. This should greatly simplify development in this repo and is live right now - see https://content.dev.lcip.org/
* There's a new experimental auth-server endpoint through which devices can send webpush messages to each other: /v1/account/devices/notify
* We now always send a webchannel message to the browser when the user changes their password, to help maintain consistent state between web content and the browser.

As always, you can dig into the details in the changelogs for each repo:

https://github.com/mozilla/fxa-oauth-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-content-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-auth-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-customs-server/blob/master/CHANGELOG

Cheers,
Ryan

