Thank you all for the very kind and informative answers. I do feel much
more at ease with the security scheme now that I have a glimpse of
enlightenment. You folks really did some great work here.
And yeah, I will stick around and help as best as I can.
best,
alex.
On 06.05.2014 03:14, Ryan Kelly wrote:
On 6/05/2014 4:03 AM, Toby Elliott wrote:
On May 5, 2014, at 3:26 AM, a. <[email protected]> wrote:
As Ryan suggested, I am posting my feature request/idea on here for
further discussion.
So I am currently running my own sync storage server. Thanks to recent
commits, the sync server now has an "allow_new_users" config option,
which restricts new user signup. While sufficient from a "just works"
perspective, it has the issue that unwanted requests to the storage
server push completely through to the server and only get rejected when
no already active token is found in the database.
Hi, thanks for your email!
I think there's a little misconception here - there is no database of active
tokens.
The sync server takes a presented token and sees if it has an unexpired
timestamp and a valid signature. If it doesn't, it rejects the request and asks
the user to return to the tokenserver to get another one. This is about as
low-touch an auth solution as possible - no lookups required. Adding more
authentication won't actually buy you anything and would make the lookup
substantially heavier.
The token itself comes from the token server. That also doesn't do an auth
lookup - it uses the cert provided by the browser. Whether that cert is issued
by the Mozilla FxA server or your own auth server is irrelevant to the
tokenserver (delta configurations that restrict this, of course). The
allow_new_users config option doesn't prevent registrations if it's off, it
just prevents users that haven't historically had an assignment in your install
from being allocated to a node, making getting a token impossible.
And for extra clarity, the "syncserver" project that is recommended when
hosting your own sync storage:
https://github.com/mozilla-services/syncserver
Provides both the "tokenserver" and "storage server" pieces in an
integrated server.
Ryan
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
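To make the stateless check Toby describes concrete, the following is an added example written for this thread; it is not code from the syncserver or tokenserver projects (the real tokenserver hands out Hawk credentials with its own wire format). The token layout (base64 JSON payload plus an HMAC-SHA256 tag), the shared NODE_SECRET and the function names are assumptions for illustration only. The point it demonstrates is the one in the reply above: the storage side accepts or rejects a token purely from its signature and its expiry timestamp, with no lookup in a table of active tokens.

```python
"""Illustrative stateless token issue/verify (example code for this thread,
not the Mozilla tokenserver/syncserver implementation).

Tokenserver side: sign a short-lived statement of "uid X belongs on node Y".
Storage side:     check the signature and the expiry; nothing else is needed,
                  so there is no database of active tokens to consult.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the illustrative tokenserver and one storage
# node. In a real deployment each node has its own secret.
NODE_SECRET = b"example-shared-secret-for-storage-node-1"
TOKEN_TTL = 3600  # seconds a token stays valid


class TokenError(Exception):
    """Raised by the storage side; the client should fetch a fresh token."""


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text):
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def _encode_claims(claims):
    # Canonical JSON so the signed bytes are reproducible.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(secret, uid, node, now=None, ttl=TOKEN_TTL):
    """Tokenserver: bind uid to a node with an expiry, and sign it."""
    now = time.time() if now is None else now
    payload = _encode_claims({"uid": uid, "node": node, "expires": int(now + ttl)})
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_token(secret, token, now=None):
    """Storage server: stateless check. Returns the claims or raises TokenError."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Verify the signature before trusting (or even parsing) the payload,
    # using a constant-time comparison.
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TokenError("bad signature")
    claims = json.loads(payload)
    if claims.get("expires", 0) <= now:
        raise TokenError("expired; return to tokenserver")
    return claims


def outcome(secret, token, now):
    """Map a verification attempt to a short result string."""
    try:
        verify_token(secret, token, now=now)
        return "accepted"
    except TokenError as exc:
        return str(exc)


def demo():
    """Exercise the happy path and the three rejection cases."""
    node = "https://sync-1.example.org"  # constructed node URL
    t0 = 1_400_000_000                   # fixed clock so the run is deterministic
    token = issue_token(NODE_SECRET, uid=42, node=node, now=t0)
    results = {"valid": verify_token(NODE_SECRET, token, now=t0 + 60)["uid"]}

    # Forgery attempt: change the uid but reuse the original signature.
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(_b64d(payload_b64))
    claims["uid"] = 7
    forged = _b64e(_encode_claims(claims)) + "." + tag_b64
    results["tampered"] = outcome(NODE_SECRET, forged, t0 + 60)

    # Genuine token presented after its expiry, and to a node with another secret.
    results["expired"] = outcome(NODE_SECRET, token, t0 + TOKEN_TTL + 1)
    results["wrong_key"] = outcome(b"other-node-secret", token, t0 + 60)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because every check above is computed from the token itself, adding a per-request lookup of "active" tokens would not tighten anything: a token with a bad or wrong-key signature is already refused, and an expired one already sends the client back to the tokenserver, which is where the per-user gate lives.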