CloudServices/WheresMyFox: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
Line 105: Line 105:
<i>$id</i> - Globally unique ID for a device
<i>$id</i> - Globally unique ID for a device


Unless otherwise specified, all exchanged JSON blocks are signed using [https://github.com/hueniverse/hawk HAWK] (not shown here for simplicity).
Unless otherwise specified, all exchanged JSON blocks are signed using  
[https://github.com/hueniverse/hawk HAWK] (not shown here for simplicity).
Standard HTTP responses apply (401, 500, 301)


==== POST /<i>$v</i>/login ====
==== POST /$v/register ====
Post the Init JSON block from a device to the WMF server.
from device:
    {'userid':$uuid,
    'pushurl':$simplePushURL,
    'deviceid':$deviceUniqueId,
    'secret':$HawkSecretHashKey}


Auth: cert?
arguments:<br>
<b>$uuid</b> - this is the Firefox Accounts user UUID taken from the
verified assertion response.<br>
<b>$SimplePushURL</b> - this is the SimplePush registration URL. If this
changes the device must call register again, specifying the device_id. <br>
<b>$deviceUniqeId</b> - the existing $deviceUniqueId returned by previous
registration. If this is the first time the device is registering, no
value should be set. If the $deviceUniqueId is not recognized by the server
as belonging to the $UUID, it is ignored and a new $deviceUniqueId is
returned.<br>
<b>$HawkSecretHashKey</b> - a HAWK valid secret hash key for the device.<br>


if server has no secret, notify back to client and have it generate a new secret?
reply from server:
    {'id':$deviceUniqueId}


From Client (not wrapped in JWS):
arguments:<br>
<b>$deviceUniqueId</b> - A unique designator for the device. All


    {"cert":<i>FirefoxAccounts Certificate</i>,
After device registration, a device should immediately call
    "secret":<i>bin64encoded 128b value</i>}
POST /$v/cmd/$deviceUniqueId as if it had just received the following
command:


Server Reply:
    {"t":{"p":1,"d":1}}


    200    {"id": $id}
This should return the devices current location.


==== POST /<i>$v</i>/slogin ====


<i>UI</i>: Log a commanding user into the WMF server.
==== POST /$v/cmd/$deviceUniqueId====
A device may acknowledge the last commands received and additional
information as appropriate. See <i>Device commands</i> for
details about these commands.


    {"cert":<i>FirefoxAccounts Certificate</i>}
<b>Replies for the "l", "r", "m", or "e" command:</b><br>
the device shall return an object containg a "status" and optionally an
"error" string.<br>
For example, a successful lock and ring would return:
    {"l":{"ok":true},"r":{"ok":true}}
In the case of an error with the ringer:
    {"l":{"ok":true},"r":{"ok":false,"error":"no ringtone found"}}


Server Reply:
<b>For the "t" command:</b><br>
the device shall return an object that includes the "ok" status, <b>la</b>titude,
<b>lo</b>ongitude, device <b>ti</b>me as UTC and other related positional
information.<br>
If the tracking information is not available, it will also report "ok" as
false and optionally include an "error" string.<br>
For example, a successful tracking request would return:
    {"t":{"ok":true, "la":37.388017, "lo":-122.0833, "ti":1234567890}}
Periodic updates for "t" commands do not need to include other commands.


    200  {}
The body of the POST reply shall optionally contain further commands from the
server. The following section describes these commands.


==== GET /<i>$v</i>/status/(<i>$deviceId</i>)====
===== Device commands =====


<i>UI</i>: If no $deviceID is specified, return the status of all known devices for the logged in user. If $deviceID is specified, only return status for that device.
<b>Commands</b> consist of a JSON object containing zero or more of the following:


Only devices registered to a user are displayed or can return information.
    {"<i>command</i>": {<i>arguments</i>},... }


Devices will be queried for current status. Any device that does not respond within 30s will be considered "offline". Devices will report if a lock <b>k</b>ey code is present on the device (true indicating a lock has been set by the user, false indicating that one has not been set).
an example status response:
  {<i>$deviceId</i>: {"k": (True/False),
                "t": {"lat": <i>$lastKnownLatitude</i>,
                      "lon": <i>$lastKnownLongitude</i>,
                      ...},
                },
    <i>$deviceId</i>: {},  // <i>No information is available</i>
    ...}
==== GET /<i>$v</i>/cmd/<i>$id</i> ====
GET the next command from the Server. This call is triggered by a SimplePush version update.
From Server:
    {"c":<i>COMMAND</i>,
    <i>ARGS</i>}
where COMMAND is:
<dl>
<dl>
<dt><b>l</b>ock
<dd>Specify the lock <b>c</b>ode to use, if no device lock code is present.
If a lock code already exists on the device, lock the device with the
device's lock code.<br>
Example:<br>
    {"l":{"c":1234}}
<dt><b>r</b>ing
<dt><b>r</b>ing
<dd>cause the phone to ring constantly for <b>d</b>uration seconds.<br>
<dd>Cause the device to ring every <b>p</b>eriod seconds for a
for example, the following will cause the device to ring for 60 seconds
<b>d</b>uration of seconds. Specifying a duration of "0" stops the device
     {"c":"r","d":60}
from ringing.<br>
</dd>
Example:<br>
     {"r":{"p":10,"d":60}}
<dt><b>m</b>essage
<dd>Display a message on the device consisting of a contact <b>n</b>umber
and text <b>m</b>essage. <br>
contact numbers may only consist of the following: <code>0123456789 +-()</code>,
and is limited to 25 characters.<br>
message text may only be 100 or less standard ASCII, non-control
characters.<br>
Example:<br>
    {"m":{"n":"+1 (408) 555-555", "m":"Help, I'm lost. Please return me!"}}
<dt><b>t</b>rack
<dt><b>t</b>rack
<dd>Have the phone report back it's location every <b>p</b>eriod seconds for a <b>d</b>uration of seconds<br>
<dd>Begin active location tracking on the device, reporting the devices
e.g. <code>{"c":"t","p":20,"d":300}</code> will cause the phone to POST to <code>/<i>$v</i>/cmd/<i>$id</i></code> every period it's <b>status</b> for 300 seconds (5 minutes)
position every <b>p</b>eriod second for a <b>d</b>uration of seconds.
<dt><b>c</b>ancel
See POST /$v/cmd/$deviceUniqueId for how the device reports this
<dd>Cancel the current <b>a</b>ctivity ("ring" or "track").
information. Specifying a duration of 0 stops the device from reporting
    {"c":"c", "a":"t"}
its location.<br>
<dt><b>l</b>ost
Example:<br>
<dd>Set a phone into "lost" mode. This may include a number of items, optionally displaying a callback <b>n</b>umber and message, lock a device to the provided <b>k</b>ey.
     {"t":{"p":10,"d":300}}
* Key codes are limited to 4 numerals.
* Contact Number can only consist of numerals plus "()- ".
* Messages must be less than 100 non-control, UTF8 characters. <br>
<i>Note</i>: this needs to be stripped and scrubbed like nobody's business. It's potentially an attack vector.
<br>  
     {"c":"l", "k":1234, "m":"If found, please email reward@example.com", "n":"555-123-4567"}
<dt><b>m</b>essage
<dd>Set a brief message on the lock screen of the phone. Messages must be less than 100 non control, UTF8 characters.
    {"c":"m", "m":"If found, please email reward@example.com" }
<i>Note</i>: this needs to be stripped and scrubbed like nobody's business. It's potentially an attack vector.
<dt><b>e</b>rase
<dt><b>e</b>rase
<dd>Factory Reset your device.
<dd>Erase the device. This performs a factory reset.<br>
Optional fields may include a contact <b>n</b>umber, <b>m</b>essage, and lock <b>k</b>ey. This information will be displayed on the device prior and during device erasure.
Example:<br>
* Key codes are limited to 4 numerals.
     {"e":{}}
* Contact Number can only consist of numerals plus "()- ".
* Messages must be less than 100 non-control, UTF8 characters. <br>
<i>Note</i>: this needs to be stripped and scrubbed like nobody's business. It's potentially an attack vector.
<br>  
<i><b>Question</b></i>: They go away after a factory reset, right? Otherwise you've either bricked or you're maintaining data across a formatting (bad idea).
     {"c":"e", "m":"commencing device termination"}
<dt><b>a</b>cknowledge
<dd>A client may optionally reply to any GET command with a POSTed "ack", specifying the <b>a</b>ction taken, and fetching any further commands from the server.
 
e.g. for a <b>track</b> command:
    {"c":"a", "a":"t"}
which may then pick up a <b>ring</b> command from the server:
    {"c":"r", "d":60}
if no command is available, an empty object is returned.
    {}
</dl>
</dl>
==== POST /<i>$v</i>/state/<i>$id</i> ====
A device will return it's status information as a POST.
<dl>
<dt><b>s</b>tate
<dd>request a device to return the current status information.


format consists of:
Any of the above commands may be combined into a single command. For
* is the lock <b>k</b>ey present? True or False
example, to lock a phone, display a message with contact number and cause
* the current <b>t</b>racking location information for the device.
the device to ring ever 30 seconds for 5 minutes:
    {"c":"s", "k":True, "t":{"la":37.388017, "lo":-122.0833, "ti":1234567890}}


The server may reply to the POST with a further COMMAND.
    {"l":{"c":1111},
</dl>
    "m":{"n":"555-555-5555","m":"Please return me!"},
    "r":{"p":30,"d":300}}


==Platform Requirements==
==Platform Requirements==

Revision as of 01:17, 14 November 2013

Draft-template-image.png THIS PAGE IS A WORKING DRAFT Pencil-emoji U270F-gray.png
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.
If you have any questions or ideas, please add them as a new topic on the discussion page.

Where's My Fox

Overview

To provide a means for users to locate, track and purge devices remotely.

Project Contacts

Principal Point of Contact - Doug Turner dougt@mozilla.com

Product - vishy@, elancaster@

IRC - #services-dev

Group Email - TBD

Goals

  • Be able to provide a simple, secure means for FirefoxOS users to remotely locate, track and purge their devices.

Use Cases

1) Albert can't remember the location of his phone. Going to a nearby computer, he logs into WheresMyFox and requests the phone to report it's location. The phone reports that it is nearby, so Albert requests the device to ring. Albert quickly finds that his phone is in his coat pocket.

2) Bea discovers that her phone is missing. Using a friends phone, she logs into WheresMyFox and requests the phone to report it's location. She discovers that the phone is currently headed down Broadway, and realizes she has left it in the cab. Realizing that she may never see her phone again, she requests the phone to remotely wipe itself, before calling the cab agency to see if she can recover her device.

Requirements

  1. The user must use a secure credentialing and authorization system to identify self and associate to a device.
    1. The login system is currently Out of Scope of these requirements, but should be or substantially similar to Firefox Accounts.
    2. A user may have one or more devices.
    3. A device shall have a Globally Unique Identifier (WTFID).
    4. A device shall be associated with a single user.
  2. Data exchanged between client and server shall be via JSON Web Signature format
    1. The secret shall be generated and stored on the client, and sent to the server ONLY on initialization.
      1. The secret shall be a 128bit value.
      2. The secret shall be stored on the device as long as the WTFID remains unchanged.
      3. A new WTFID shall require a new secret to be generated and the device to reconnect as if new.
      4. No data shall be preserved in the case of a WTFID changing.
    2. Data signatures shall use HMAC SHA-256 or any more secure signing method for any exchange EXCEPT for Initialization.
  3. A remote wipe operation will format any additional storage (e.g. SD card) on the phone and reset the phone to initial Factory conditions.
  • Only allow registered user to display and remotely control devices.
    • login page?
    • secured by session cookie
  • Securely send commands to:
    • report location on a regular interval (for motion tracking)
      • record tracking information keeping latest location for device
      • older records expired after ? period ?
    • play a default audio alarm.
      • For known period? Forever? What happens if multiple of these commands sent?
    • lock a device
      • to a key code (if not present? Override?)
      • display an optional message
    • remove all user information from a device
      • Factory reset
      • Display message and contact phone
      • lock to a key code
  • Securely display UI for phone including
    • current location
    • previous recent locations
  • store user & device information (multiple devices)
    • How long to store data?
    • How reliable does storage need to be?

Get Involved

Call to action for folks who want to help.

Design

Points of Contact

Engineer - Name jr@

Discussions

https://etherpad.mozilla.org/wheresmyfox-2013-10-28

Client API Reference/Documentation

Client UX was presented by Epic:

https://www.dropbox.com/sh/uaxlhzz211br438/rH2UA0Tf6_/WIMF_3.0.pdf

Server API Reference/Documentation

API calls will be a combination of REST calls and BOSH where possible. This avoids some of the issues with the fragility of websockets in areas where connectivity is sub-optimal or sporadic.

In addition, packet identifiers have been reduced as much as possible. This is to both reduce bandwidth costs as well as require less time to exchange data.

To reduce risk of injection attacks, calls will use Hawk to sign requests (unless otherwise specified).

Data Schema

Since each server system will be unique, it does not make sense to strictly specify the data storage method. Instead an example storage mechanism will be offered to illustrate how the server would manage data.

A simple storage object would be keyed off of the ID returned in the /$v/init call. 

   key => {"lastPosition":{"lat":lat,             // The last position reported by track
                           "lon":lon, 
                           "alt":altitude?,       // Optional "altitude", if provided
                           "tim":UTC},            // UTC Timestamp
           "previousPositions":[{position},...],  // the last 5? position reports for the device
           "state":"(rtn)",                       // the state the server thinks the device is in
           "lockable"1:True|False,                // does the device have a user supplied key code1
           "lastExchange":UTC                     // last time an exchange happened.
           "pendingCommand": {outboundCommand}
           }
   
    user => ["key:name",...]               // A list of known keys & user friendly names for devices

1Note: this should be queried on device. User might set a passcode while the device is active or between updates.

API

For this API discussion:

$v - API Version (currently 1)

$id - Globally unique ID for a device

Unless otherwise specified, all exchanged JSON blocks are signed using HAWK (not shown here for simplicity). Standard HTTP responses apply (401, 500, 301)

POST /$v/register

from device: 

   {'userid':$uuid,
    'pushurl':$simplePushURL,
    'deviceid':$deviceUniqueId,
    'secret':$HawkSecretHashKey}

arguments:
$uuid - this is the Firefox Accounts user UUID taken from the verified assertion response.
$SimplePushURL - this is the SimplePush registration URL. If this changes the device must call register again, specifying the device_id.
$deviceUniqeId - the existing $deviceUniqueId returned by previous registration. If this is the first time the device is registering, no value should be set. If the $deviceUniqueId is not recognized by the server as belonging to the $UUID, it is ignored and a new $deviceUniqueId is returned.
$HawkSecretHashKey - a HAWK valid secret hash key for the device.

reply from server: 

   {'id':$deviceUniqueId}

arguments:
$deviceUniqueId - A unique designator for the device. All

After device registration, a device should immediately call POST /$v/cmd/$deviceUniqueId as if it had just received the following command: 

   {"t":{"p":1,"d":1}}

This should return the devices current location.


POST /$v/cmd/$deviceUniqueId

A device may acknowledge the last commands received and additional information as appropriate. See Device commands for details about these commands.

Replies for the "l", "r", "m", or "e" command:
the device shall return an object containg a "status" and optionally an "error" string.
For example, a successful lock and ring would return: 

   {"l":{"ok":true},"r":{"ok":true}}

In the case of an error with the ringer: 

   {"l":{"ok":true},"r":{"ok":false,"error":"no ringtone found"}}

For the "t" command:
the device shall return an object that includes the "ok" status, latitude, loongitude, device time as UTC and other related positional information.
If the tracking information is not available, it will also report "ok" as false and optionally include an "error" string.
For example, a successful tracking request would return: 

   {"t":{"ok":true, "la":37.388017, "lo":-122.0833, "ti":1234567890}}

Periodic updates for "t" commands do not need to include other commands.

The body of the POST reply shall optionally contain further commands from the server. The following section describes these commands.

Device commands

Commands consist of a JSON object containing zero or more of the following: 

   {"command": {arguments},... }
lock
Specify the lock code to use, if no device lock code is present. If a lock code already exists on the device, lock the device with the device's lock code.
Example:
{"l":{"c":1234}}
ring
Cause the device to ring every period seconds for a duration of seconds. Specifying a duration of "0" stops the device from ringing.
Example:
{"r":{"p":10,"d":60}}
message
Display a message on the device consisting of a contact number and text message.
contact numbers may only consist of the following: 0123456789 +-(), and is limited to 25 characters.
message text may only be 100 or less standard ASCII, non-control characters.
Example:
{"m":{"n":"+1 (408) 555-555", "m":"Help, I'm lost. Please return me!"}}
track
Begin active location tracking on the device, reporting the devices position every period second for a duration of seconds. See POST /$v/cmd/$deviceUniqueId for how the device reports this information. Specifying a duration of 0 stops the device from reporting its location.
Example:
{"t":{"p":10,"d":300}}
erase
Erase the device. This performs a factory reset.
Example:
{"e":{}}

Any of the above commands may be combined into a single command. For example, to lock a phone, display a message with contact number and cause the device to ring ever 30 seconds for 5 minutes: 

   {"l":{"c":1111},
    "m":{"n":"555-555-5555","m":"Please return me!"},
    "r":{"p":30,"d":300}}

Platform Requirements

What are the things this needs (OS, language, databases, etc.)?

Libraries Required

List of external project dependencies. (Stuff that's not pulled in via the installation script)

Code Repository

Links to the published code bases

Release Schedule

Predicted code delivery dates

QA

Points of Contact

Engineer - Ed Wong edwong@

Test Framework

Security and Privacy

Tracking bug: 935724

  • Bug 935725 - Security Review: Where's My Fox
  • Bug 935726 - Legal Review: Where's My Fox
  • Bug 935727 - Privacy-Technical Review: Where's My Fox
  • Bug 935728 - Privacy-Policy Review: Where's My Fox

Points of Contact

Legal - udevi@


Questionnaire Answers

1.1 Goal of Feature

2. Potential Threat Vectors and Mitigation Points

Review Status

https://bugzilla.mozilla.org/show_bug.cgi?id=935725

see https://wiki.mozilla.org/Security/Reviews

Issues and Resolutions

Operations

Points of Contact

Deployment Architecture

Bugzilla Tracking # -

Escalation Paths

Lifespan Support Plans

Logging and Metrics

Points of Contact

Tracking Element Definitions

Data Retention Plans

Dashboard URL

Customer Support

Points of Contact

Sumo Tags

Review Meeting

Retrieved from "https://wiki.allizom.org/index.php?title=CloudServices/WheresMyFox&oldid=761104"