Lockbox sign-in sometimes requires me to sign into FxA twice

Open cpeterso opened this issue 7 years ago • 9 comments

The Lockbox extension sometimes requires me to sign into FxA twice. I need to re-confirm my device and enter my FxA password a second time before Lockbox will show my saved usernames and passwords. I don't know under which conditions. Maybe I haven't signed into FxA for a while?

  1. I click the Lockbox toolbar menu's "Sign In" button.
  2. The FxA login window opens.
  3. I try to log into FxA, but it says I need to confirm my new sign-in (even though I have logged into FxA from this laptop and Firefox profile before).
  4. I receive the FxA "Confirm new sign-in to Firefox" email.
  5. I click the email's "Confirm sign-in" button, which opens a new tab confirming that I am now signed into FxA.
  6. I expand the Lockbox toolbar menu again and click the "Sign In" button, which opens the FxA login window again (from step 2) and forces me to enter my FxA password a second time.

cpeterso, Jan 16 '18 07:01

Having to sign in again is a bug somewhere. If you can remember or determine a sequence or scenario that reliably reproduces, it would greatly help.

The verification requirement is a little bothersome; right now we rely on cached cookies to hint to FxA. We've discussed with FxA on potentially better alternatives but haven't implemented anything there yet.

Including @rfk for notice and feedback.

linuxwolf, Jan 17 '18 17:01

> We've discussed with FxA on potentially better alternatives but haven't implemented anything there yet.

Yep, this is definitely on the FxA team to do better here, we've got some proposals in the works and hopefully will ship the first improvements in our next release...

> I try to log into FxA, but it says I need to confirm my new sign-in (even though I have logged into FxA from this laptop and Firefox profile before).

@cpeterso were you signed in to sync on this Firefox profile at the time, or had you previously been signed in to sync?

> I click the email's "Confirm sign-in" button, which opens a new tab confirming that I am now signed into FxA.

Did this open in the same browser where you were trying to access lockbox? I'm wondering if we somehow failed to complete the OAuth flow on this first attempt (which required the confirmation email) and that's why you were prompted for your password again.

rfk, Jan 17 '18 20:01

> @cpeterso were you signed in to sync on this Firefox profile at the time, or had you previously been signed in to sync?

I'm not sure. The problem is not consistent. I use Sync on this profile, so I assume I'm always signed in "enough" for Sync to work. For security, Lockbox requires me to sign into FxA every time the browser restarts. Usually Lockbox requires only one sign in after restarting the browser, but sometimes two.

It feels like there are two problems here:

  1. FxA requiring me to re-confirm my device (via email). I use Firefox Nightly, so maybe the frequent updates cause FxA to need to re-confirm my device often? This is probably just a fact of life and not a bug. I only sign into Lockbox 1-2 times per week.

  2. After confirming my device, Lockbox should recognize that I'm now signed into FxA instead of showing its Sign In button.

> Did this open in the same browser where you were trying to access lockbox? I'm wondering if we somehow failed to complete the OAuth flow on this first attempt (which required the confirmation email) and that's why you were prompted for your password again.

Yes. I access the FxA confirmation email in Gmail in the same browser session where I am trying to sign into Lockbox.

cpeterso, Jan 17 '18 22:01

During testing I got into the create/confirm email loop and have narrowed down the repro steps:

  1. npm run run > new browser opens w/lockbox extension
  2. create new account > new window opens
  3. fill out new account data, submit > confirmation screen displays explaining email has been sent
  4. open email > COPY the activate link
  5. return to the new window with the email sent message > PASTE activate link into urlbar

expected: account confirmed

actual: url routes user to create account/signup page, account is never confirmed

** I initially found this as my email lives in a separate browser than the testing browser. I confirmed that if the user has their email in the lockbox original browser window, clicking 'Activate' will confirm the account. However pasting the link into the create account browser window will create the loop.

rbillings, Feb 07 '18 16:02

Here is the email verification link: https://accounts.firefox.com/verify_email?uid=b6769958f18347a79fef434862e647da&code=acf6bb1648ef5a7067f3cd90b224574f&service=1b024772203a0849&resume=eyJlbWFpbCI6InJiaWxsaW5ncyswMjA3NUBtb3ppbGxhLmNvbSIsImVudHJ5cG9pbnQiOm51bGwsImZsb3dCZWdpbiI6MTUxODAyMTQxMTA0OSwiZmxvd0lkIjoiNjE0ZjZmMTU1ZjkzMjY1OWQ4ZmI0YjQ3MTFjYjg1YjUxZThjYzc3NmZhZWZlZTdkZTJhMDNjZDU3NDNmYWY0ZCIsIm5lZWRzT3B0ZWRJblRvTWFya2V0aW5nRW1haWwiOmZhbHNlLCJyZXNldFBhc3N3b3JkQ29uZmlybSI6dHJ1ZSwidW5pcXVlVXNlcklkIjoiNDI0ZmY1NDgtYzFiNi00NGY0LThmODgtZGQ3ZjQzNTBlYjlhIiwidXRtQ2FtcGFpZ24iOm51bGwsInV0bUNvbnRlbnQiOm51bGwsInV0bU1lZGl1bSI6bnVsbCwidXRtU291cmNlIjpudWxsLCJ1dG1UZXJtIjpudWxsfQ%3D%3D&utm_source=email&utm_medium=email&utm_campaign=fx-welcome&utm_content=fx-activate

Here is where I was redirected after pasting the verification link: https://accounts.firefox.com/oauth/signup?response_type=code&client_id=1b024772203a0849&redirect_uri=https%3A%2F%2F2aa95473a5115d5f3deb36bb6875cf76f05e4c4d.extensions.allizom.org%2F&access_type=offline&scope=openid%20profile%20https%3A%2F%2Fidentity.mozilla.com%2Fapps%2Flockbox&state=vAYqTKLymizeStpNESZ2gQ&code_challenge=GGO7Xio9AEsrv2e4GmyqZ_GVF4k80JAkuZ3yUycWqC8&code_challenge_method=S256&keys_jwk=eyJrdHkiOiJFQyIsImtpZCI6IjF6VDJycjF6TnNsVVNGRUZ3RVl0VkFyakpzSE8teWcxY05JX1dONTdiZWsiLCJjcnYiOiJQLTI1NiIsIngiOiJZR0JvTEVMd2JKUmlJZnBmR0VaYUNEQlR5eU5iVDNYLWYybWlRTDMzQU9RIiwieSI6IkZTVkllZXhMVmFiWllBdGhZc05KcVJsUUNONkxpdXhtcDVockFyVllRVk0ifQ

rbillings, Feb 07 '18 16:02

@rbillings when you copied and pasted that URL link, did you put it in a new tab, or in the same window as the "confirm email" page/window?

@rfk It looks more like a bug in FxA somewhere. Would you like us to file it under fxa-content-server or somewhere else?

linuxwolf, Feb 07 '18 16:02

@linuxwolf I pasted it in the confirm email window. If you paste it in the window w/the lockbox extension it correctly verifies the account.

rbillings, Feb 07 '18 16:02

> @rfk It looks more like a bug in FxA somewhere. Would you like us to file it under fxa-content-server or somewhere else?

Agreed; I've gone ahead and copied the details across to a new bug here:

https://github.com/mozilla/fxa-content-server/issues/5891

rfk, Feb 07 '18 20:02

@linuxwolf pinging you here in case you don't get the notification from the other issue; I'd be interested in your thoughts on the latest explorations in https://github.com/mozilla/fxa-content-server/issues/5891#issuecomment-365406566

rfk, Feb 13 '18 21:02