Work on v1.305

jackyzy823
2025-03-06 01:52:39 +08:00
parent e59669961d
commit eb27cf0930
6 changed files with 48 additions and 8 deletions


@@ -21,6 +21,12 @@
1. `init.sh` will create all files in `$DEST` (\`pwd\`/dest for default) folder for deployment. so make sure persistenpath should be relative to `$DEST` if using relative path
2. you can change dest folder via `DEST=somefolder ./init.sh`
## Notice for upgrading from xxxx
Now firefox use `oauth_webchannel_v1` instead of `fx_desktop_v3` as context param.
If you still want to use `fx_desktop_v3` , remeber to set `identity.fxaccounts.oauth.enabled` to false.
Note in future , firefox or fxa may remove `fx_desktop_v3` support.
## Notice for upgrading from v1.242.4
1. [BREAKING] mysql from 5.7 to 8.0 (It is recommended to use version after 8.0.16 since it have auto upgrade feature, otherwise you need to manually do `mysql_upgrade`)


@@ -97,7 +97,7 @@ oauthServer:
id: 5882386c6d801776
hashedSecret: 71b5283536f1f1c331eca2f75c58a5947d7a7ac54164eadb4b33a889afe89fbf
imageUri: ''
redirectUri: urn:ietf:wg:oauth:2.0:oob
redirectUri: urn:ietf:wg:oauth:2.0:oob:oauth-redirect-webchannel
#! sync:addon_storage: see readme at end of file
allowedScopes: https://identity.mozilla.com/apps/oldsync https://identity.mozilla.com/tokens/session sync:addon_storage https://identity.mozilla.com/ids/ecosystem_telemetry
trusted: true
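Review bot: The new `redirectUri: urn:ietf:wg:oauth:2.0:oob:oauth-redirect-webchannel` on client `5882386c6d801776` has no comment tying it to the matching entry in the redirect list under `scopedKeys` that this commit also edits. Redirect URIs are normally compared exactly, so editing one value without the other would likely break sign-in for this `trusted: true` client with no hint where to look. I would add a line above it such as `#! must equal the oauth-redirect-webchannel entry in the scopedKeys redirect list; used by Firefox's oauth_webchannel_v1 context`, and mirror it next to that list entry. The client entry starts above this hunk, so the link to `oauth_webchannel_v1` is inferred from the README note in this commit.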


@@ -44,6 +44,7 @@ scopedKeys:
- #@ "https://{content}.{domain_name}/oauth/success/1b1a3e44c54fbb58".format(content=data.values.domain.content,domain_name=data.values.domain.name)
#! Firefox VR (see bugzilla1585480)
- #@ "https://{content}.{domain_name}/oauth/success/7ad9917f6c55fb77".format(content=data.values.domain.content,domain_name=data.values.domain.name)
- #@ "https://{content}.{domain_name}/oauth/success/5882386c6d801776".format(content=data.values.domain.content,domain_name=data.values.domain.name)
- urn:ietf:wg:oauth:2.0:oob:pair-auth-webchannel
- urn:ietf:wg:oauth:2.0:oob:oauth-redirect-webchannel
- urn:ietf:wg:oauth:2.0:oob
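Review bot: The bare `urn:ietf:wg:oauth:2.0:oob` entry stays in this allow-list even though the desktop client's registered `redirectUri` moves to the `:oauth-redirect-webchannel` form in the same commit. If no other registered client still uses the bare value (not visible from this hunk), dropping it keeps the list to the redirect targets actually in use. If it is kept for older Firefox builds, say so in a comment, e.g. `#! kept for clients that still register the plain oob redirect`. The list starts above the hunk.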


@@ -9,7 +9,7 @@ persistencepath: .
#! [WARNING] DO NOT DOWNGRADE WITHOUT A CLEAN DB SINCE SCHEMA CANNOT DOWNGRADE.
#! latest tested version is : v1.284.7
#! latest tested version is : v1.305.0
#! [NOTE] Pin mysql version to 8.4 to make server compatible with argument "mysql-native-password"
#! [NOTE] You could also try my (upgraded) syncserver3 in Python3, No data integrity guaranteed!
@@ -32,7 +32,7 @@ persistencepath: .
#! [NOTE] v1.173+ change base docker image . missing key_*.json in fxa-auth-server so we change to branch br-v1.174.0 to apply breaking changes
#! by default we use tested version , using latest at your own risk.
fxa_version: "v1.284.7"
fxa_version: "v1.305.0"
option:
sync:
@@ -236,3 +236,5 @@ debug:
full_self_sign_workaround: false
#! Use a [python3 version syncserver](https://github.com/jackyzy823/syncserver3)
use_syncserver3: false
#! for old docker-compose binary backward compatibility
keep_compose_file_version_property: false
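Review bot: The comment on the new `keep_compose_file_version_property` option says why it exists but not what it changes, so a reader has to open the compose template to find out. From the template hunk in this commit, it controls whether the top-level `version: '3.7'` key is emitted. I would spell that out: `#! when true, keep the top-level "version: '3.7'" key in the generated compose file (older docker-compose binaries expect it)`. It would also help to note that the template treats a missing key as false through its `hasattr` guard, so existing config files need no change.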


@@ -2,7 +2,9 @@
#@ load("@ytt:data", "data")
#@ load("@ytt:assert", "assert")
#@ load("@ytt:struct", "struct")
version: "3.7"
#@ if hasattr(data.values.debug,"keep_compose_file_version_property") and data.values.debug.keep_compose_file_version_property == True:
version: '3.7'
#@ end
x-logging:
&default-logging
@@ -194,10 +196,14 @@ services:
#! check mail via API
- MAILER_HOST=0.0.0.0
- MAILER_PORT=9001 #! need ports to outside! for GET /mail/your-mail-address!
- REDIS_HOST=redis
#! becasue after v1.173.0 docker image base changes and npm will always fail because of lacking of python for nodegyp to build unixgram package.
command: sh -c "mkdir -p test && cd test && cp /fxa/packages/fxa-auth-server/test/mail_helper.js . && npm init --yes && npm i mailparser@0.6.1 simplesmtp && node mail_helper.js"
restart: unless-stopped
logging: *default-logging
depends_on:
waitforinfra:
condition: service_completed_successfully
#@ elif data.values.mail.type == "localrelay":
#! if your hosting allows you send email via smtp/25
@@ -278,6 +284,10 @@ services:
- CUSTOMS_REDIS_HOST=redis
- METRICS_REDIS_HOST=redis
- AUTH_CACHE_REDIS_HOST=redis
#! - RECOVERY_PHONE__ENABLED=false
#! - RECOVERY_PHONE_REDIS_ENABLED=false
#! even not used, this should be set too.:(
- RECOVERY_PHONE_REDIS_HOST=redis
#! sqs for 3rd rp
#! sns for profile/sync/pushbox
@@ -580,7 +590,24 @@ services:
#! v1 -> v2 upgrade detail fxa-auth-client/lib/client.ts
#! - ROLLOUT_KEY_STRETCH_V2=1
command: ["node","server/bin/fxa-content-server.js"]
#! if don't use react in signup/signin -> sync will not auto enabled.
# and old firefox (fx_desktop_v3) will not able to pass the signup/sign in flow
#! not sure it is my config problem or FxA's problem
#! so just keep the same as the prod
- REACT_CONVERSION_SIGNUP_ROUTES=true
- REACT_CONVERSION_SIGNIN_ROUTES=true
- REACT_CONVERSION_SIMPLE_ROUTES=true
- REACT_CONVERSION_RESET_PASSWORD_ROUTES=true
- REACT_CONVERSION_POST_VERIFY_THIRD_PARTY_AUTH=true
#! since docker iamge use "cdn.accounts.firefox.com" , we should replace it to avoid CSP issue and keep full selfhosting
#! double dollar sign for PUBLIC_URL in sed command is required for docker-compose file not to substitle it.
command:
- /bin/sh
- -c
- |
sed -i "s|https://cdn.accounts.firefox.com|$${PUBLIC_URL}|g" ./dist/settings/prod/asset-manifest.json ./dist/settings/prod/index.html ./dist/settings/prod/static/js/main.* &&
node server/bin/fxa-content-server.js
restart: unless-stopped
logging: *default-logging
@@ -628,6 +655,9 @@ services:
#! currently disabled not work for SNS_TOPIC_ARN, and to make fxa-graphql not crash, SNS_TOPIC_ENDPOINT is needed.
- SNS_TOPIC_ARN=disabled
- SNS_TOPIC_ENDPOINT=disabled
#! to find the correct path of config and load recoverPhone redis host
- CONFIG_FILES=/fxa/packages/fxa-graphql-api/dist/packages/fxa-graphql-api/src/config/production.json
#! two dollar sign below is for docker-compose escape.
#@ if data.values.debug.full_self_sign_workaround == True:
command:
@@ -640,6 +670,7 @@ services:
sed -i 's/hawk.header(method, this.url(path),/hawk.header(method, `$${this.public_url}$${path}`,/' /fxa/packages/fxa-auth-client/dist/server/cjs/packages/fxa-auth-client/lib/client.js &&
sed -i 's/30000;/30000;this.public_url = options.public_url || this.uri ;/' /fxa/packages/fxa-auth-client/dist/server/esm/packages/fxa-auth-client/lib/client.js &&
sed -i 's/hawk.header(method, this.url(path),/hawk.header(method, `$${this.public_url}$${path}`,/' /fxa/packages/fxa-auth-client/dist/server/esm/packages/fxa-auth-client/lib/client.js &&
echo '{"recoveryPhone":{"redis":{"host": "redis"}}}' > /fxa/packages/fxa-graphql-api/dist/packages/fxa-graphql-api/src/config/production.json &&
node src/main.js
#@ else:
command: sh -c "node src/main.js"
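Review bot: The added `echo '{"recoveryPhone":{"redis":{"host": "redis"}}}' > …/fxa-graphql-api/src/config/production.json &&` step exists only in the `full_self_sign_workaround == True` arm of the last hunk, while `CONFIG_FILES` is set to that path for both arms. In the `else` arm the container runs plain `node src/main.js`, so the recoveryPhone redis host is presumably never applied there, and the configured path may not exist depending on the image. Repeat the same write before `node src/main.js` in the `else` command, or move it into a shared prefix ahead of the `#@ if`. The `>` redirect also replaces any `production.json` the image already ships, so check that nothing else in that file is needed. Separately, the `# and old firefox (fx_desktop_v3) …` line in the content-server hunk uses `#` where its neighbours use `#!`; ytt rejects plain comments unless run with `--ignore-unknown-comments`, so `#!` is the safer marker.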


@@ -10,16 +10,16 @@ cp -r _init "${DEST}"/
# define yq && ytt function
yq() {
docker run --rm -i -v "${PWD}":/workdir mikefarah/yq:4.13.2 "$@"
docker run --rm -i -v "${PWD}":/workdir:z mikefarah/yq:4.13.2 "$@"
}
yqw() {
docker run --rm -i --user "$UID" -v "${PWD}":/workdir mikefarah/yq:4.13.2 "$@"
docker run --rm -i --user "$UID" -v "${PWD}":/workdir:z mikefarah/yq:4.13.2 "$@"
}
## DEST is mounted into ytt's docker workdirt
ytt_dest() {
docker run --rm -i -v "${DEST}":/workdir -w /workdir k14s/image@sha256:1100ed870cd6bdbef229f650f044cb03e91566c7ee0c7bfdbc08efc6196a41d8 ytt "$@"
docker run --rm -i -v "${DEST}":/workdir:z -w /workdir k14s/image@sha256:1100ed870cd6bdbef229f650f044cb03e91566c7ee0c7bfdbc08efc6196a41d8 ytt "$@"
}
# check config exists