| /// An authentication token as parsed from the `Authorization` header. | ||
| /// OAuth tokens are opaque to Tokenserver and must be verified via FxA. | ||
| /// Signed JWTs can be verified locally or via FxA. |
I did some renaming in numerous spots since JWTs can be used outside of an OAuth context.
| pub init_node_capacity: i32, | ||
| /// Whether to enable the FxA webhook endpoint. | ||
| /// Defaults to false. | ||
| pub fxa_webhook_enabled: bool, |
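Review bot: The doc comment on `fxa_webhook_enabled` says only that it defaults to false; it should also state what a request to the webhook route receives when the flag is off, since that is the first thing an operator checks when the endpoint appears unreachable. Whether the route is not mounted at all or answers with an error response is not visible in this hunk, so the wording has to come from the handler. A form such as `/// Whether to enable the FxA webhook endpoint. When false the webhook route is <not mounted / answers with an error — confirm against the handler>. Defaults to false.` would cover it. The settings struct this field belongs to continues outside the hunk.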
I'll update the config.md to add this.
| pub fn with_capture() -> (Self, Arc<Mutex<Vec<params::PutUser>>>) { | ||
| let pool = MockDbPool::default(); | ||
| let put_user_calls = Arc::clone(&pool.put_user_calls); | ||
| (pool, put_user_calls) |
Maybe we should consider using mockall instead. But I'll leave that to another PR, if we want to make that change.
| let events = match claims.events.as_object() { | ||
| Some(map) => map.clone(), | ||
| None => return Ok(HttpResponse::Ok().finish()), | ||
| }; |
looks like the clone isn't needed either
| let events = match claims.events.as_object() { | |
| Some(map) => map.clone(), | |
| None => return Ok(HttpResponse::Ok().finish()), | |
| }; | |
| let Some(events) = claims.events.as_object() else { | |
| return Ok(HttpResponse::Ok().finish()); | |
| }; |
| Self::InvalidKey => "oauth.error.invalid_key", | ||
| Self::InvalidSignature => "oauth.error.invalid_signature", | ||
| Self::DecodingError => "oauth.error.decoding_error", | ||
| Self::ExpiredSignature => "jwt.error.expired_signature", |
I'll note we don't seem to graph any of these in our dashboards so 👍 to renaming
| pub fn new(jwk: &Jwk, client_id: &str) -> Result<Self, JWTVerifyError> { | ||
| let decoding_key = DecodingKey::from_jwk(jwk).map_err(|_| JWTVerifyError::InvalidKey)?; | ||
| let mut validation = Validation::new(Algorithm::RS256); | ||
| validation.set_audience(&[client_id]); |
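Review bot: `new` carries no doc comment, and the two trust decisions it fixes — only RS256 signatures are accepted, and `aud` must contain `client_id` — are exactly what a reader of the webhook needs confirmed without opening jsonwebtoken's docs. A summary such as `/// Builds a verifier that accepts only RS256-signed tokens whose aud claim contains client_id.` plus an `# Errors` line stating that a JWK that cannot be turned into a `DecodingKey` yields `JWTVerifyError::InvalidKey` would cover it. The `map_err(|_| JWTVerifyError::InvalidKey)` on the second line also discards the underlying error; if the key comes from configuration, logging that error before mapping it makes a misconfigured key diagnosable from the service log rather than from a bare `InvalidKey`. The function body continues outside the hunk.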
Maybe we should verify iss as well?
| validation.set_audience(&[client_id]); | |
| validation.set_audience(&[client_id]); | |
| validation.set_issuer(&[<SYNC_TOKENSERVER__FXA_OAUTH_SERVER_URL?>]); |
| for event_type in events.keys() { | ||
| match event_type.as_str() { | ||
| "https://schemas.accounts.firefox.com/event/delete-user" => { | ||
| db.put_user(tokenserver_db::params::PutUser { |
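Review bot: The event type is matched against the bare string literal `"https://schemas.accounts.firefox.com/event/delete-user"`; a module-level constant, e.g. `const DELETE_USER_EVENT: &str = "https://schemas.accounts.firefox.com/event/delete-user";` with `DELETE_USER_EVENT => {` as the arm, keeps the schema URL in one place and makes the set of handled events readable at a glance. The same applies to the other arms of this `match`, which lie outside the hunk, as does the rest of the handler body.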
We need a new Db::retire_user here like the one in database.py called by process_account_events.py, which sets a replaced_at on the record
| .get("changeTime") | ||
| .and_then(|t| t.as_i64()) | ||
| { | ||
| db.put_user(tokenserver_db::params::PutUser { |
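Review bot: When `changeTime` is absent or is not an integer, the `.get("changeTime").and_then(|t| t.as_i64())` chain yields `None`, and from the `{` that follows it this appears to be the condition of an `if let`, so the event is skipped with no record that it was ignored. A payload change on the broker side would then silently stop these events from being applied; an `else` branch that logs the unexpected shape at warn level (the event name, not the token) gives operators a way to notice that. Something like `} else { <warn-level log: "fxa webhook: event without integer changeTime"> }` would do, using whichever logging macro this module already has in scope. The enclosing handler starts and ends outside the hunk.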
I think we also need a new Db::update_user_generation for this (see my comment in https://mozilla-hub.atlassian.net/browse/STOR-128?focusedCommentId=1281438)
Add webhook endpoint to handle a couple of events from https://github.com/mozilla/fxa/tree/main/packages/fxa-event-broker. It will replace https://github.com/mozilla-services/syncstorage-rs/blob/HEAD/tools/tokenserver/process_account_events.py.
Closes STOR-128