Hi All,

This week we have deployed FxA train-67 to production, and it brings with it the following highlights:

* Device push notifications are now rate-limited, to avoid bugs causing a notification loop and grinding down the entire system; thanks to our Outreachy intern Larissa for her work on this feature!
* Sign-in notification emails now include an IP address and geographic information, so users can more easily tell whether the login was legitimate; thanks to our summer intern Sai for his work on this feature!
* We've removed support for http:// gravatar URLs, all avatar images must now be hosted on a secure URL. Fortunately no-one was actually using such URLs in production.
* The "show password" button now only shows the password while it's held down, which avoids some weird edge-cases with the browser storing session data.
* Several styling fixes for the devices view have been landed, as we pick up on the thread of enabling it by default.
* All outbound links in our emails now include utm_* metrics parameters, and we can now track them in datadog. This will give us much improved visibility into the usefulness of our various emails.
* Push notifications about password change/reset now actually make it to the devices that need to know; previously we would disconnect all devices before sending the notification, meaning we couldn't actually send them the notification.
* We fixed a subtle bug with password-reset tokens, where they could be created with expiry timestamps that had already passed.
* We fixed an edge-case in the new sign-in confirmation flow, where sessions that did not request keys were handled incorrectly.
* The "devices view" will now include older sync clients that do not register themselves explicitly as a device; the server now creates a placeholder device record on their behalf.

While it's not a code change, we're now also running with the sign-in confirmation feature enabled for 100% of users on compatible devices. So far it seems to have had a minimal impact on the sign-in success rate, which is reassuring.

As usual, you can dive into all the details in the changelog files for each individual repo:

https://github.com/mozilla/fxa-profile-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-content-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-auth-server/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-auth-db-mysql/blob/master/CHANGELOG.md
https://github.com/mozilla/fxa-auth-mailer/blob/master/CHANGELOG.md

Cheers,

Ryan
_______________________________________________
Dev-fxacct mailing list
https://mail.mozilla.org/listinfo/dev-fxacct

