This repository has been archived by the owner on Mar 28, 2019. It is now read-only.

On every command, a new device is added and a "New sign-in to Firefox" email is sent #28

Open
twidi opened this issue Nov 19, 2016 · 13 comments

Comments

@twidi

twidi commented Nov 19, 2016

[Version 0.9.0.dev0 sha 5f5d2d9, py3.4]

Not sure it's related to the client, but... it will quickly become annoying ;)

PS: this happens once #26 and #27 are solved (did this locally)

@ghost

ghost commented Feb 15, 2017

Same here.

@rfk

rfk commented Feb 17, 2017

Yeah, this is pretty annoying, I hit this myself today while digging into #30.

Unfortunately I don't think there's much we can do about it short-term - as far as the server can see, each time you run the script, it is in fact making a fresh login and looks basically like a Firefox gearing up to sync with the account.

What we probably need to do here, is to do the login once, save the generated Firefox Accounts session token, and then re-use that for each subsequent request. Not sure how big a refactor that would be of the current code...

@ghost

ghost commented Feb 22, 2017

Here I can read that the BrowserID API is dead; is it related to the BrowserID code in syncclient?
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/Firefox_Accounts/Introduction#Legacy_BrowserID_API

@ghost

ghost commented Feb 22, 2017

OK, it seems only Firefox Sync is still based on BrowserID code.

Another question: when looking at the Epiphany source code, they are saving all this information; do you really think it's needed?

void
ephy_sync_secret_store_tokens (EphySyncService *service,
                               const char      *email,
                               const char      *uid,
                               const char      *sessionToken,
                               const char      *keyFetchToken,
                               const char      *unwrapBKey,
                               const char      *kA,
                               const char      *kB)
{}

@rfk

rfk commented Feb 22, 2017

seems only Firefox Sync is always based on Browser Id code.

Unfortunately yes, access to sync still uses the BrowserID code. I'd like to move it to OAuth like everything else, but that's a pretty low-priority refactor because what's there now is working fine.

they are saving all this information, do you really think it's needed?

You will need sessionToken and kB in order to sync, and should probably store uid and email for display or diagnostic purposes. The other fields keyFetchToken and unwrapBKey are only needed during setup, in order to access the encryption keys, and should not be stored long-term.

@gnumdk does the current code talk directly to the auth-server API [1] to perform the login? If so, we should have a chat about moving it to use our "WebChannels" API which is sadly under-documented, but which provides much better decoupling between the browser and our backend server APIs.

[1] https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md

@ghost

ghost commented Feb 23, 2017

@rfk If you are talking about PyFxA, yes it seems to be using auth-server API.

@ghost

ghost commented Feb 23, 2017

For restoring the session (and bypassing this issue), I'm saving sessionToken and kB.
But to be able to get a bid_assertion, I need a FxASession, so I tried replacing this:
fxaSession = FxAClient().login(args.login, args.password, keys=True)
by

session = FxASession(FxAClient(), "email@domain", quick_stretch_password("email@domain", "******"), "my_uid", previous_session.token)
bid_assertion_args = get_browserid_assertion(session)
client = SyncClient(*bid_assertion_args)

But I get a:
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://token.services.mozilla.com/1.0/sync/1.5

@rfk

rfk commented Feb 27, 2017

https://token.services.mozilla.com/1.0/sync/1.5

If you're getting as far as hitting that URL, then the saved sessionToken is working correctly. How are you restoring the value of kB from the saved session data? I would expect to see something like:

session = FxASession(<...what you have already...>)
session.keys = <...the saved values of session.keys from last time...>

@ghost

ghost commented Mar 2, 2017

I missed it in the copy/paste, but it was in my code.

@ghost

ghost commented Mar 2, 2017

I got it working by saving the bid_assertion; is that wrong?

@rfk

rfk commented Mar 3, 2017

The bid_assertion is a short-lived token and will expire. I suggest saving the value of session.keys, but calling get_browserid_assertion afresh each time to ensure you have a fresh assertion.

@ghost

ghost commented Mar 3, 2017

Added session.check_session_status() and it works :-)

@schemacs

schemacs commented May 5, 2018

For anyone wondering how this may work (NOTE: pickle is not safe):

import os
import pickle

from fxa.core import Client as FxAClient, Session as FxASession
from fxa.crypto import quick_stretch_password
from syncclient.client import get_browserid_assertion

fxa_client = FxAClient()
if os.path.exists('session.pickle'):
    # Restore the saved session; pickle files must be opened in binary mode
    with open('session.pickle', 'rb') as f:
        previous_session = pickle.load(f)
    session = FxASession(fxa_client, args.login,
                         quick_stretch_password(args.login, args.password),
                         previous_session.uid, previous_session.token)
    session.keys = previous_session.keys
    session.check_session_status()  # verify the saved token is still valid
else:
    session = fxa_client.login(args.login, args.password, keys=True)
    session.fetch_keys()
    with open('session.pickle', 'wb') as f:
        pickle.dump(session, f)
bid_assertion_args = get_browserid_assertion(session)
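An added example, not code from syncclient, PyFxA, or any participant in this thread, that follows rfk's advice (keep the session token and session.keys, call get_browserid_assertion afresh each run) and schemacs's restore/login flow, but without pickle: only uid, sessionToken and the key pair are written, as JSON, to a file created with owner-only permissions, and a rejected token falls back to a fresh login. The state file name is an assumption; the PyFxA import paths (fxa.core.Client, fxa.core.Session, fxa.crypto.quick_stretch_password, fxa.errors.ClientError) are the library's public API, and session.keys is assumed to be the (kA, kB) tuple of bytes set by fetch_keys().

```python
# Added example: persist an FxA session without pickle, storing only the
# fields a restored FxASession needs, in a 0600 JSON file.
import json
import os

STATE_FILE = "fxa_session.json"  # assumed location of the saved state


def save_session_state(path, uid, token, keys):
    """Write uid, sessionToken and the (kA, kB) keys as hex-encoded JSON.

    `keys` is the tuple PyFxA stores in FxASession.keys after fetch_keys().
    The file is created with mode 0600 before any secret is written to it.
    """
    state = {
        "uid": uid,
        "token": token,
        # bytes are hex-encoded so the file stays plain JSON
        "keys": [k.hex() if isinstance(k, bytes) else k for k in keys],
    }
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
    return path


def load_session_state(path):
    """Return (uid, token, keys) from the state file, or None if absent."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        state = json.load(f)
    keys = tuple(bytes.fromhex(k) for k in state["keys"])
    return state["uid"], state["token"], keys


def restore_or_login(email, password, path=STATE_FILE):
    """Reuse a saved FxA session if it is still valid, else log in once.

    PyFxA is imported here so the file helpers above run without it.
    The returned session can be passed to get_browserid_assertion() on
    every run; the assertion itself is short-lived and is not saved.
    """
    from fxa.core import Client as FxAClient, Session as FxASession
    from fxa.crypto import quick_stretch_password
    from fxa.errors import ClientError

    client = FxAClient()
    saved = load_session_state(path)
    if saved is not None:
        uid, token, keys = saved
        session = FxASession(client, email,
                             quick_stretch_password(email, password),
                             uid, token)
        session.keys = keys
        try:
            session.check_session_status()  # server rejects revoked tokens
            return session
        except ClientError:
            os.remove(path)  # stale token: discard and log in again below

    # First run (or stale state): this login triggers one sign-in email
    session = client.login(email, password, keys=True)
    session.fetch_keys()
    save_session_state(path, session.uid, session.token, session.keys)
    return session


if __name__ == "__main__":
    import tempfile
    # Offline demonstration of the round trip with constructed values
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, STATE_FILE)
        save_session_state(p, "constructed-uid", "00ff" * 16,
                           (b"\x01" * 32, b"\x02" * 32))
        print(load_session_state(p))
```

Only the first run (or a run after the server rejects the saved token) performs a login and so triggers a single "New sign-in to Firefox" email; later runs reuse the token and only fetch a fresh BrowserID assertion.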
