We were too busy munching on breakfast and I didn't write down notes of our
meeting. Here's a recap of what hasn't slipped out of my dome.

*Background*
Firefox Monitor is a service that allows users to see if their email
address has been involved in a data breach. Monitor can email breach alerts
whenever the user's address is involved in a new breach; doing so requires
the user to verify their email address using a flow that is very similar to
what FxA does. To remove the redundancy, Monitor is integrating with FxA
(integrate, integrate, integrate!). This was a chat about deepening that
integration.

*WHO*: Luke Crouch, Lesley Norton, Vijay Budhram, Shane Tomlinson

*Questions and comments*

Is it possible for a user to add more than one secondary email address to
Firefox Accounts?

   - The idea is that Monitor will fetch all of a user's email addresses
   associated with FxA and give the user the option to monitor them all. Many
   users have more than 1 primary and 1 secondary address; tracking all of
   these in FxA would make setting up Monitor simpler.
   - This is not available currently, though this is a front end
   restriction; the backend is already set up for it.
   - If a user adds an email address to Monitor that is unknown by FxA,
   should that address be added to FxA?

Is it possible to integrate Monitor into the FxA settings page?

   - Allow users to sign up to Monitor or view breaches from within the
   settings page.
   - This will need UX work; our settings page is already pretty panel
   heavy.

If a user verifies their address as part of the Monitor signup, can a
Firefox Account be created automatically as part of that process?

   - We can't automatically create an account because we need a password
   for the user. FxA needs to be involved in that flow at some point.
   - We might be able to skip email verification, but this alters the trust
   boundary we currently have of how much we trust an email address.
      - Ryan Kelly reminded me after the meeting that we used to do this for
      Firefox Marketplace; we had the notion of a "preVerifyToken", which was a
      JWT from trusted sources that indicated the email address has already
      been verified. We removed all of that code because it was gross.

Monitor will need some production OAuth creds.

   - The bug is at [1].
   - Going to be a trusted client, requesting the profile scope and a
   refresh token.

*Action items*

   - stomlinson to open a bug requesting production OAuth creds [1]
   - stomlinson to open a bug about allowing multiple secondary email
   addresses [2]
   - stomlinson to talk to rfeeley and jgruen about the future of the
   settings page (started with Ryan Feeley on Saturday)

Is there anything that's missing from here?

Shane

[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=1513060
[2] - https://github.com/mozilla/fxa-content-server/issues/6748
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
