
fxa-client: Don't expose the session token directly to consumers. #7317

Open

mhammond wants to merge 1 commit into mozilla:main from mhammond:push-yqytmmnsxvyx


@mhammond mhammond commented Apr 13, 2026

This was exposed primarily for use with the web channel, but the fact it is exposed means that consumers are free to use it in ways we'd like to better control. We do this by adding a couple of new methods which are explicitly used only for webchannels, and the data moved over those APIs are abstracted away - the consumers just pass the raw JSON data from the webchannel message and the component knows what format it is in and decodes it appropriately.

This is a breaking change for Android and iOS:

@jonalmeida @bendk @skhamis @LZoog - I think this is a good improvement, wdyt?

Pull Request checklist

  • Breaking changes: This PR follows our breaking change policy
    • This PR follows the breaking change policy:
      • This PR has no breaking API changes, or
      • There are corresponding PRs for our consumer applications that resolve the breaking changes and have been approved
  • Quality: This PR builds and tests run cleanly
    • Note:
      • For changes that need extra cross-platform testing, consider adding [ci full] to the PR title.
      • If this pull request includes a breaking change, consider cutting a new release after merging.
  • Tests: This PR includes thorough tests or an explanation of why it does not
  • Changelog: This PR includes a changelog entry in CHANGELOG.md or an explanation of why it does not need one
    • Any breaking changes to Swift or Kotlin binding APIs are noted explicitly
  • Dependencies: This PR follows our dependency management guidelines
    • Any new dependencies are accompanied by a summary of the due diligence applied in selecting them.

@bendk bendk left a comment


I like this change. The more we can move the logic into the component the better, IMO. That way if there's a bug or change we only need to change the Rust code.

/// The JSON payload is the `data` object from the `fxaccounts:login` WebChannel command.
pub fn handle_web_channel_login(&mut self, json_payload: &str) -> Result<()> {
let data: serde_json::Value = serde_json::from_str(json_payload)?;
if let Some(token) = data.get("sessionToken").and_then(|v| v.as_str()) {
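
Review bot: the `if let Some(token)` on the last visible line cannot tell a payload with no `sessionToken` key from one where `sessionToken` is present but not a JSON string, because `.and_then(|v| v.as_str())` yields `None` for both. Only the `Some` arm is visible here; if the `None` case falls through to `Ok(())`, a caller has no way to distinguish a login message without a usable token from a successful login. Suggest returning an explicit error for that case and stating in the `///` comment which error the method returns when the token is absent or has the wrong type.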

Contributor

Is there ever a scenario where we wouldn't get the sessionToken? I see NoSessionToken below for pw change but here we still return success even if no sessionToken?

Member Author

yeah, good spot thanks, this should probably return the same error.

@skhamis skhamis left a comment


I agree I think this is an awesome improvement! Love to see it!

@mhammond mhammond force-pushed the push-yqytmmnsxvyx branch from b80e90d to 93fbc2f Compare April 14, 2026 13:37

This was exposed primarily for use with the web channel, but the fact it is exposed means
that consumers are free to use it in ways we'd like to better control. We do this by adding
a couple of new methods which are explicitly used only for webchannels, and the data moved
over those APIs are abstracted away - the consumers just pass the raw JSON data from the
webchannel message and the component knows what format it is in and decodes it
appropriately.

This is a breaking change for Android and iOS:
TODO: link to PRs for them.

@mhammond mhammond force-pushed the push-yqytmmnsxvyx branch from 93fbc2f to 2926443 Compare April 14, 2026 13:42

@jonalmeida

This is a good step! :shipit:

I think protecting against using the session token incorrectly is more valuable than protecting against holding it - the handleWebChannelLogin doesn't prevent the application from grabbing the session token during the channel message nor during state persistence.
