<div dir="ltr"><div><br></div><div>Hi Chris,</div><div><br></div><div>Sorry for the unexpected breakage here. We apply a number of checks to the incoming /account/login authentication request, and reject any that seem "unexpected" across a variety of measures. I'm not going to go into any more detail here on the public list because I don't want to encourage any new consumers of this API. The more consumers talking directly to this API, the harder it is for us to make changes that improve overall system security.<br></div><div><br></div><div>I'll reach out to you by private email to help get your existing app back up and running.</div><div><br></div><div>Longer term, we are slowly but surely working on the ability to access sync data via a standard OAuth-style API, which would avoid the need for you to talk to the /account/login API directly and would insulate your app from any future security-related changes. It's been a long time coming but I think we may finally have a clear path to shipping it sometime this year. 
Hopefully.</div><div><br></div><div> Cheers,</div><div><br></div><div> Ryan<br></div><div> <br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 26 June 2017 at 05:49, Richard Newman <span dir="ltr">&lt;<a href="mailto:rnewman@mozilla.com" target="_blank">rnewman@mozilla.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Let's try dev-fxacct for this question.<span class="HOEnZb"><font color="#888888"><br><div class="gmail_extra"><br></div><div class="gmail_extra">-R<br></div></font></span><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Sun, Jun 25, 2017 at 10:34 AM, Chris Tybur <span dir="ltr">&lt;<a href="mailto:thisiscmt@gmail.com" target="_blank">thisiscmt@gmail.com</a>&gt;</span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><div dir="ltr"><div><div><div>Gabriel:<br><br></div>Thanks for the suggestion. I was hoping to avoid having to incorporate an entirely new way of doing the
authentication, if possible.<br><br></div>I should also mention
that what I had working before April was to POST to account/login, then
I'd receive an email with a link asking to verify my identity. I'd manually
copy that link from the message into a page in my app, then that page
would POST to recovery_email/verify_code with the code in the link,
along with a token obtained earlier. And all was well. I just need to
know what is different about that process.<br><br></div>Chris</div></span><div class="gmail_extra"><br><span class=""><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have a web app that uses the Firefox Account login API to authenticate my<br>
account, obtain Sync storage encryption keys, then pull down my sync'ed<br>
bookmarks. Around April the login stopped working and started returning<br>
"The request was blocked for security reasons". I see at<br>
<a href="https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#post-accountlogin" rel="noreferrer" target="_blank">https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#post-accountlogin</a> that the login API seems to have some new<br>
query params and payload data.<br>
<br>
Is this new data and the process documented somewhere? I'd like to be able<br>
to adjust my code to call the API correctly.<br>
<br>
Chris<br></blockquote></div></span></div></blockquote></div></div></div>
<br>______________________________<wbr>_________________<br>
Dev-fxacct mailing list<br>
<a href="mailto:Dev-fxacct@mozilla.org">Dev-fxacct@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/dev-fxacct" rel="noreferrer" target="_blank">https://mail.mozilla.org/<wbr>listinfo/dev-fxacct</a><br>
<br></blockquote></div><br></div>