Marketplace/FirefoxAccounts: Difference between revisions

(added banner)
 
(16 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Marketplace_banner}}
This page discusses how we'll integrate Firefox Accounts with the Marketplace, which currently uses Persona.
This page discusses how we'll integrate Firefox Accounts with the Marketplace, which currently uses Persona.


Line 15: Line 16:
Documentation: https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md
Documentation: https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md


Sample application: https://123done.dev.lcip.org/
Sample application: https://123done-prod.dev.lcip.org/


* Set up a Marketplace account on the Firefox Account server, which contains all the account and redirect information.
* Set up a Marketplace account on the Firefox Account server, which contains all the account and redirect information.
Line 21: Line 22:
* Login
* Login
** Add Log in button, that calls [https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#get-v1authorization /v1/authorization].
** Add Log in button, that calls [https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#get-v1authorization /v1/authorization].
** Add Sign in button, that calls the above URL slightly differently. Dependent bugs: https://github.com/mozilla/fxa-content-server/issues/980, https://github.com/mozilla/fxa-content-server/issues/1062,  https://github.com/mozilla/fxa-oauth-server/issues/50
** Add Sign up button, that calls the above URL slightly differently. Dependent bugs: https://github.com/mozilla/fxa-content-server/issues/980, https://github.com/mozilla/fxa-content-server/issues/1062,  https://github.com/mozilla/fxa-oauth-server/issues/50
** Add an insertial page to complete the log in? Or just bounce back to the original page. Upon receiving the response it:
** Add an interstitial page to complete the log in? Or just bounce back to the original page. Upon receiving the response it:
*** Calls POST [https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1token /v1/token]
*** Calls POST [https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md#post-v1token /v1/token]
*** Sends resulting call to the profile server (undocumented [https://github.com/mozilla/fxa-profile-server/blob/master/lib/routes/email.js but on github])
*** Sends resulting call to the profile server (undocumented [https://github.com/mozilla/fxa-profile-server/blob/master/lib/routes/email.js but on github])
*** Matches the email up with users account in zamboni, or creates an account and signs the user in, by creating a session.
*** Matches the email up with users account in zamboni, or creates an account and signs the user in, by creating a session.
*** [CK]: Don't forget to fetch user's UID from the profile server! The UID is guaranteed to be stable for a user, but the user may choose to change the email associated with the account.
*** Redirects the user back to the original page.
*** Redirects the user back to the original page.
* Logout
* Logout
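Review bot: The added [CK] item says the UID is the stable identifier and that the email can change, but the step just above it still matches the user's account in zamboni by email only. Suggest rewording that step to look up by UID first and fall back to email only for accounts that are not yet linked, so the two items do not contradict each other.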
Line 34: Line 36:
On Firefox 2.0, we'll use the native Firefox Accounts.
On Firefox 2.0, we'll use the native Firefox Accounts.


* Write up here: https://id.etherpad.mozilla.org/tracing-mozId-API
* Developer walkthrough of the implementation: https://wiki.mozilla.org/Marketplace/FirefoxAccounts/FxOS_Control_Flow
* See also: https://github.com/mozilla-b2g/gaia/blob/master/dev_apps/uitest/js/API/fxa.js#L29
* See also: https://github.com/mozilla-b2g/gaia/blob/master/dev_apps/uitest/js/API/fxa.js#L29


Line 61: Line 63:
*** Restart the payment flow
*** Restart the payment flow
* '''New''' First Purchase should get (and store) agreement to terms of service and privacy notice
* '''New''' First Purchase should get (and store) agreement to terms of service and privacy notice
*** When user makes his first purchase, he must agree to Terms of Service and Privacy Notice
** When user makes his first purchase, he must agree to Terms of Service and Privacy Notice


== Delivery Milestones ==
== Delivery Milestones ==
# Web integration
# Web integration
# FFx 2.0 integration
## Developer hub [done]
## Fireplace [done]
## Stats
## Comm badge
# FFx 2.0 integration [in review]
# Payments integration
# Payments integration
# Final web flow
# Payments FFx 2.0 flow
# Final FFx 2.0 flow
# Edge cases
# edge cases


== Migration ==
== Migration ==
Line 80: Line 85:


* Add in a move account page to the admin lookup pages
* Add in a move account page to the admin lookup pages
** Takes two user accounts, listing all purchases and installed records
** Takes two user accounts, listing all purchases and installed records {{Bugzilla|1030462}}
** Moves all app purchases and installed records from account A to account B
** Moves all app purchases and installed records from account A to account B {{Bugzilla|1030461}}


== Go live ==
== Go live ==
   
   
* Message users, let them know its going to happen.
* Message users, let them know its going to happen.
* Then delete all the old persona code.
* Then delete all the old persona code.  
 
== Stats ==
 
You must be logged into the Mozilla VPN to see these graphs. Each time a user is converted from Persona to Firefox Accounts, this chart should go up by one:
 
* [https://graphite-phx1.mozilla.org/render/?width=580&height=308&vtitle=count&target=stats.marketplace-dev.z.mkt.user.fxa&from=-30days&title=Persona%20to%20Firefox%20Account%20Conversions Development]
 
* [https://graphite-phx1.mozilla.org/render/?width=580&height=308&vtitle=count&target=stats.marketplace-stage.z.mkt.user.fxa&from=-30days&title=Persona%20to%20Firefox%20Account%20Conversions Stage]
 
* [http://graphite.nag.mktmon.services.phx1.mozilla.com/render/?width=586&height=308&_salt=1415735150.571&target=stats.marketplace.z.mkt.user.fxa&from=-30days&title=Persona%20to%20Firefox%20Account%20Conversions Production]
 
== Marketplace Login Flow ==
== Marketplace Login Flow ==
Flow diagram of actions requiring a user login such as purchasing or adding a review.  It illustrates the decision points for calling a login flow or account migration flow.
Flow diagram of actions requiring a user login such as purchasing or adding a review.  It illustrates the decision points for calling a login flow or account migration flow.
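Review bot: In the new Stats section the Production graph link uses http:// while the Development and Stage links use https://; suggest an https URL if that host serves one. The Production URL also carries a _salt=1415735150.571 query parameter that the other two links lack and that looks like a leftover from copying the rendered URL; suggest dropping it.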

Latest revision as of 02:20, 1 April 2016

The Marketplace has been placed into maintenance mode. It is no longer under active development. You can read complete details here.

This page discusses how we'll integrate Firefox Accounts with the Marketplace, which currently uses Persona.

Marketplace

General changes:

  • Add in sniffing to detect if native Firefox Accounts is present, see https://bugzilla.mozilla.org/show_bug.cgi?id=1009849
  • Alter the Firefox Account terms of service and privacy policy to include Marketplace information.
  • Security review for OAuth flow of the marketplace.

For the web

Because Marketplace will have to work on Firefox OS 1.0 - 1.4, Android and Desktop, the primary Firefox Accounts flow will be the web based flow.

Documentation: https://github.com/mozilla/fxa-oauth-server/blob/master/docs/api.md

Sample application: https://123done-prod.dev.lcip.org/

  • Set up a Marketplace account on the Firefox Account server, which contains all the account and redirect information.

For Firefox OS 2.0

On Firefox 2.0, we'll use the native Firefox Accounts.

  • Login
    • Call navigator.id, adding in: wantIssuer: 'firefox-accounts'
    • When firefox accounts returns, create or sync up with the existing account (we already do this)
    • Matches the email up with users account in zamboni, or creates an account and signs the user in, by creating a session.
  • Logout
    • You cannot logout.

Payments

  • Login
    • As above for Firefox Accounts for the web or Firefox OS 2.0 as appropriate.
  • Reset PIN
    • Firefox Accounts for the web
      • Log the user out by nuking the local session, not logging them out of Firefox OS
      • Login as above for Firefox for the web or Firefox OS 2.0 as appropriate
      • When Firefox Accounts returns, assert the email addresses match (already done)
      • Restart the payment flow
    • Native Firefox Accounts
  • New First Purchase should get (and store) agreement to terms of service and privacy notice
    • When user makes his first purchase, he must agree to Terms of Service and Privacy Notice

Delivery Milestones

  1. Web integration
    1. Developer hub [done]
    2. Fireplace [done]
    3. Stats
    4. Comm badge
  2. FFx 2.0 integration [in review]
  3. Payments integration
  4. Payments FFx 2.0 flow
  5. Edge cases

Migration

Out of scope since this isn't directly related to Firefox Accounts, but a general user management tool.

Persona allowed users to log in with unverified emails; Firefox Accounts does not. If a user has an unverified email, they will have to log in to Firefox Accounts with a new email. In this case the record of paid apps and the listing of apps on My Apps on the server will be inaccurate. This will never really affect a user until they try to purchase a previously installed app.

Note: this currently affects users anyway, but Firefox OS accounts, by forcing new accounts, are more likely to trigger it.

  • Add in a move account page to the admin lookup pages
    • Takes two user accounts, listing all purchases and installed records 1030462
    • Moves all app purchases and installed records from account A to account B 1030461

Go live

  • Message users, let them know it's going to happen.
  • Then delete all the old persona code.

Stats

You must be logged into the Mozilla VPN to see these graphs. Each time a user is converted from Persona to Firefox Accounts, this chart should go up by one:

Marketplace Login Flow

Flow diagram of actions requiring a user login such as purchasing or adding a review. It illustrates the decision points for calling a login flow or account migration flow.

  1. Marketplace App or Web Site is launched
  2. User initiates an action that would require the user to be logged in to Marketplace such as a purchase or user review.
  3. Decision point: is user currently logged in to Firefox Accounts?
    1. Yes - Go to (4) - first check to see if user has MP account using FxA.
    2. No - Go to (6) - see if user should use web login or device login (this may not make a difference to MP if it is the same API)
  4. Does FxA Marketplace account exist yet?
    1. Yes - Go to (5) - all is cool, carry on
    2. No - Go to (7) - Does a previous marketplace account exist with Persona?
  5. Carry On with purchase or user review
  6. Check to see if MP is using Firefox OS and version is >= 2.0 (uses on device fxa for fxos). Note, as this is an API, this may be irrelevant to MP so this step wouldn’t exist and steps (8) and (9) would be combined as a simple FxA Login.
    1. Firefox OS and version is >= 2.0 - Go to (8) - log in using FxA on FxOS
    2. Is not Firefox OS version >= 2.0 - Go to (9) - login using FxA for Web
  7. Check to see if user has an existing MP account that has the same email address. This is so that we can now associate an existing account with the FxA created. What isn’t covered here is whether the user has a non-matching email. This case will need to be handled by exception.
    1. Yes - Go to (10) - Associate MP account with FxA Account
    2. No - Go to (11) - set flag so that this is now complete.
  8. Login to Fx Accounts on FxOS
    1. Success continue to (4)
    2. Failure - go back to purchase or review screen with error message or retry.
  9. Login to Fx Accounts using Web Login
    1. Success continue to (4)
    2. Failure - go back to purchase or review screen with error message or retry.
  10. Associate existing MP with a new FxA account - since a Marketplace account exists that uses the same email address, associate data with new FxA account (if needed). On completion Go to (11).
  11. Now that an account is migrated (or may need to create a MP account), this doesn’t need to be done again in the future. So migration is complete.
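
Steps (4), (7), (10) and (11) of the flow above as an added example, not Marketplace or zamboni code. The `User` fields, the in-memory `UserStore`, and the choice to raise `NeedsManualReview` when an email is already linked to a different FxA UID are assumptions; the UID-first lookup follows the [CK] note that the UID is stable while the email may change.

```python
# Added example: in-memory stand-in for the Marketplace user table.
# Field names (fxa_uid, email) and all sample values are assumptions.
from dataclasses import dataclass
from typing import Optional


class NeedsManualReview(Exception):
    """Email already belongs to an account linked to a different FxA UID."""


@dataclass
class User:
    email: str
    fxa_uid: Optional[str] = None  # None = Persona-era account, not migrated


class UserStore:
    def __init__(self, users=()):
        self.users = list(users)

    def by_uid(self, uid):
        return next((u for u in self.users if u.fxa_uid == uid), None)

    def by_email(self, email):
        email = email.lower()
        return next((u for u in self.users if u.email.lower() == email), None)


def resolve_account(store, profile):
    """Map a profile-server response {'uid', 'email'} to a Marketplace user.

    Returns (user, outcome); outcome is 'existing', 'migrated' or 'created'.
    """
    uid, email = profile["uid"], profile["email"]
    user = store.by_uid(uid)             # step 4: FxA-linked account exists?
    if user:
        user.email = email               # UID is stable; email may have changed
        return user, "existing"
    user = store.by_email(email)         # step 7: Persona account, same email?
    if user is None:
        user = User(email=email, fxa_uid=uid)
        store.users.append(user)
        return user, "created"           # step 11
    if user.fxa_uid is not None:         # email owned by another FxA identity
        raise NeedsManualReview(email)
    user.fxa_uid = uid                   # step 10: associate, then step 11
    return user, "migrated"
```

Once an account is linked, later logins resolve through the UID alone, so an email that changes on the Firefox Accounts side neither creates a duplicate account nor re-triggers the email match.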

End to End User Stories and Tests

The document contains end to end stories for using Firefox Accounts for the first time in Marketplace and returning to Marketplace. Dependencies of user stories on:

  1. Whether the user is already logged into FxAccount (and therefore has an account)
  2. If not logged in, whether an account needs to be logged into and status of verification of the FxAccount
  3. Whether a previous Persona-based Marketplace account exists and whether the FxAccount is already associated with it.

End to End User Stories and Test Cases

Out of Scope Use Cases

  1. User with unverified persona id, no real email who has also paid for apps will not be able to recover purchases with their new Fx Accounts ID
  2. User with a verified persona id, and now a verified Fx Account email, who has previously downloaded paid apps will NOT have a way to associate the paid app with their new account (no migration tool)

Tracking/Test Bug for End-to-End Stories: 1017239

Bugs

Tracking bug: 1007956.
