Session tokens that have no device record and are older than 4 weeks
(by default) will now be rejected as expired by all auth server endpoints.
Additionally, the `/account/sessions` endpoint will filter out expired session
tokens on the same basis.
https://github.com/mozilla/fxa-auth-server/pull/1996
r=vbudhram
* feat(signin): Skip signin confirmation for new accounts by default
fixes #1991
* fix(test): Fix the tests broken by the config change.
Disabling signin confirmation caused a lot of test failures.
Tests that called `loginAndVerify` to get a verified
session have been updated to call `login`.
Tests that work with both unverified and verified sessions
are handled differently. So that it's possible to generate
unverified sessions, config in these tests overrides
signinConfirmation.skipForNewAccounts.enabled to false.
Adds optional `marketingOptIn` payload parameter to `/account/create`.
If set, a flag is set in memcached that the user opted in to marketing.
The `/recovery_email/verify_code` route will check memcached for this
flag, and if found, will set `marketingOptIn` to the message sent to
attached services (SNS).
Closes #1973
* fix(push): Don't notify the originating device about pwd change.
The originating device should already know about the pwd change
thanks to a local WebChannel message from the content-server.
Avoid sending it a push notification as well, since this could
race with the WebChannel message and produce confusion.
* fix(docs): adjust doc string for password.js
This settles our dance of `Buffer` vs `String` down to simply this:
> You have a `String`. You should (almost) never have a `Buffer`.
Buffers are useful for talking about a specific set of bytes, without an
encoding. In our app, the places where this is useful are:
- crypto
- mysql
We don't actually speak MySQL in this repo anywhere, so that leaves us
with only crypto. Instead of requiring the mental overhead of "Do I have
a buffer or a string?" throughout all our code base, we can just push
that completely into the crypto code.
This *should* reduce bugs where we aren't sure if we have a `Buffer` or
a `String`. If you're not in crypto, you should just have a `String`.
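
The convention from the commit message above, sketched as an added example (not code from fxa-auth-server): callers pass and receive hex `String`s, and `Buffer`s exist only inside the crypto helpers. The function names `hexToBytes`, `hmacHex` and `hexEqual` are hypothetical, and the sample key and data are constructed.

```javascript
'use strict'
// Added example, not fxa-auth-server code; all function names are hypothetical.
const crypto = require('crypto')

const HEX = /^(?:[0-9a-f]{2})+$/i

// The only place a String becomes a Buffer. Buffer.from(s, 'hex') does not
// throw on bad input, it silently truncates at the first invalid character,
// so the string is validated before it is decoded.
function hexToBytes (hex, name) {
  if (typeof hex !== 'string' || !HEX.test(hex)) {
    throw new TypeError(name + ' must be a non-empty, even-length hex string')
  }
  return Buffer.from(hex, 'hex')
}

// String in, String out: HMAC-SHA256 over the decoded bytes, not over the
// hex characters themselves.
function hmacHex (keyHex, dataHex) {
  return crypto
    .createHmac('sha256', hexToBytes(keyHex, 'key'))
    .update(hexToBytes(dataHex, 'data'))
    .digest('hex')
}

// String in, Boolean out: constant-time comparison of two hex values.
// timingSafeEqual throws on unequal lengths, so check length first.
function hexEqual (aHex, bHex) {
  const a = hexToBytes(aHex, 'a')
  const b = hexToBytes(bHex, 'b')
  return a.length === b.length && crypto.timingSafeEqual(a, b)
}

// Constructed sample values (RFC 4231 test case 1: key 0x0b * 20, "Hi There").
const sampleKey = '0b'.repeat(20)
const sampleData = Buffer.from('Hi There', 'utf8').toString('hex')
console.log(hmacHex(sampleKey, sampleData))
```

Because decoding happens in one validated helper, a malformed value fails loudly at the crypto boundary instead of being hashed or compared as a shortened byte string.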