Hi All,
We recently rolled FxA train-60 to production, with the following
highlights:
* The force_auth flow no longer skips the initial "reset password"
screen and its important message about the implications of the reset.
* Iframed OAuth flows are no longer supported, which allowed us to
remove quite a lot of hairy security-related code.
* We now send an email notification when a new device connects to your
Firefox Account; the copy is much improved since the last time we
tried this feature, and user response seems much more positive so far.
* Interstitial error messages now disappear when the user starts
typing to correct them.
* We now show a spinner on startup while waiting for resources to
load.
* Input arguments to the force_auth flow are now strictly validated.
* We now have the ability to put accounts into a "must reset" state
in response to e.g. a suspected account compromise. The user must
reset their account password in order to continue using the service.
* Several major enhancements to our rate-limiting and fraud detection
framework aka "customs server":
  * All password-checking actions are now counted towards rate-limiting.
  * We now track and limit security-sensitive operations performed on
  different accounts from the same IP address, as a guard against
  "slow-drip" style guessing attacks.
  * Rate-limiting config can now be set dynamically in memcached, rather
  than requiring a stack re-deploy to update the config files.
  * We've added support for an allowlist of IPs known to belong to e.g.
  Mozilla and our QA testing partners.
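To illustrate the customs-server items above (counting every password check, limiting distinct accounts touched from one IP, dynamic config overrides, and an IP allowlist), here is an added sketch in Node-style JavaScript. It is not fxa-customs-server code; the class, thresholds, window length and IP addresses are all assumed or constructed.

```javascript
// Constructed defaults; a real deployment would read these from memcached.
const DEFAULTS = {
  windowMs: 15 * 60 * 1000,   // sliding window over which actions are counted
  maxAccountsPerIp: 5,        // distinct accounts one IP may touch per window
  maxChecksPerAccount: 3,     // password checks allowed per account per window
  allowlist: new Set(['203.0.113.10']),  // constructed, e.g. a QA partner IP
};

class Customs {
  constructor(overrides = {}) {
    this.config = { ...DEFAULTS, ...overrides };  // overrides stand in for memcached
    this.byIp = new Map();       // ip -> Map(account -> time of last action)
    this.byAccount = new Map();  // account -> times of password checks
  }

  // Called for every password-checking action. Returns { block, reason }.
  check({ ip, account, now = Date.now() }) {
    const { windowMs, maxAccountsPerIp, maxChecksPerAccount, allowlist } = this.config;
    if (allowlist.has(ip)) return { block: false, reason: 'allowlisted' };
    const cutoff = now - windowMs;

    // Per-account: every check counts, successful or not.
    const checks = (this.byAccount.get(account) || []).filter(t => t > cutoff);
    checks.push(now);
    this.byAccount.set(account, checks);

    // Per-IP: count distinct accounts touched from this address in the window,
    // which catches one guess each against many accounts ("slow drip").
    const seen = this.byIp.get(ip) || new Map();
    for (const [acct, t] of seen) if (t <= cutoff) seen.delete(acct);
    seen.set(account, now);
    this.byIp.set(ip, seen);

    if (checks.length > maxChecksPerAccount) return { block: true, reason: 'account-checks' };
    if (seen.size > maxAccountsPerIp) return { block: true, reason: 'accounts-per-ip' };
    return { block: false, reason: 'ok' };
  }
}

// Demo: one constructed IP making a single attempt against each of seven accounts.
function slowDripDemo(overrides = {}) {
  const customs = new Customs(overrides);
  const results = [];
  for (let i = 1; i <= 7; i++) {
    results.push(customs.check({ ip: '198.51.100.7', account: `user${i}@example.com`, now: 1000 * i }));
  }
  return results;
}
```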
As usual, you can dig into all the details and smaller changes in the
changelog:
https://github.com/mozilla/fxa-content-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-auth-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-customs-server/blob/master/CHANGELOG
Cheers,
Ryan
_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct