[proposal] X-Client-State header for Sync relaunch
nalexander at mozilla.com
Mon Jan 27 10:03:36 PST 2014
On 1/27/2014, 9:46 AM, Nick Alexander wrote:
> Sync relaunch clients need to provide the X-Client-State header to the
> token server in order to not hit HMAC errors on key changes. We need to
> do this, it needs to be secure, but we can't version it client-side. Whee!
> From the token server docs:
> An optional base64-urlsafe string, up to 32 characters long, that
> can be sent to identify a unique configuration of client-side state.
> A change in the value of this header will cause the user's node
> allocation to be reset. Clients should include any client-side state
> that is necessary for accessing the selected app.
> Initial put
> How about HKDF(kB, salt=emailUTF8, context=KW("X-Client-State"), 16)?
Oops, I mean the base64-urlsafe encoding of these 16 bytes.