feat(devices): devices API with refreshTokens

[vladikoff]

Connects to https://github.com/mozilla/fxa-auth-server/issues/2547 Fixes https://github.com/mozilla/fxa-auth-server/issues/2547 Fixes https://github.com/mozilla/fxa-auth-server/issues/2936

TODO:

• [x] We need to be checking for the "oldsync" scope
• [x] add test for refreshToken cleanup
• [x] fix the duplicate check: https://github.com/mozilla/fxa-auth-server/pull/2937/commits/68c514ddb5784eabcf3f203cb82bbf531d2e45c6
• [x] fix the failing thing in CI: https://github.com/mozilla/fxa-auth-server/pull/2937#issuecomment-472569222 , reenable tests
• [x] Clean up new remote tests, style mostly
• [x] Turn off oauth server logs
• [x] When deleting a deviceRecord, we'll need to also delete the corresponding refreshToken. This happens happens as part of the deleteDevice stored-procedure for sessionTokens, but I guess for refreshTokens we'll have to do it manually.
• [x] Restrict device record registration to public oauth clients (otherwise the semantics of password change will not match up between the two services; non-public clients have their refreshTokens persist after password change/reset).
• [x] // TODO: verify that first chunk is Bearer?
• [x] // XXX TODO: if the refreshToken belongs to a non-public client, // we should require the client_secret in Authentication header.
• [x] CI Cannot find Error: Cannot find module '../config/key.json'

Follow up issues

https://github.com/mozilla/fxa-auth-server/issues/2956 https://github.com/mozilla/fxa-auth-server/issues/2973 https://github.com/mozilla/fxa-auth-server/issues/2974 https://github.com/mozilla/fxa-auth-server/issues/2975

[rfk]

Some things to consider from the matching db-server PR [1]:

• When deleting a deviceRecord, we'll need to also delete the corresponding refreshToken. This happens happens as part of the deleteDevice stored-procedure for sessionTokens, but I guess for refreshTokens we'll have to do it manually.
• Restrict device record registration to public oauth clients (otherwise the semantics of password change will not match up between the two services; non-public clients have their refreshTokens persist after password change/reset).
• When listing device records, we should also list all the refresh tokens on the oauth server and do a "merge" to eliminate zombie devices whose refresh token no longer exists.

We may be able to defer some or all of these to follow-up work, but let's be explicit about it so none of them get lost.

[1] https://github.com/mozilla/fxa-auth-db-mysql/pull/483#issuecomment-467793239

[vladikoff]

When listing device records, we should also list all the refresh tokens on the oauth server and do a "merge" to eliminate zombie devices whose refresh token no longer exists.

Let's do a file up issue for this one

[vladikoff]

SendTab PR tester run it via: RUST_BACKTRACE=1 cargo run --example devices_api

[vladikoff]

@rfk this should be ready to go

[rfk]

(Also, watch out for github hiding some of my comments away behind its little "hidden conversations" toggle...)

[vladikoff]

@rfk All the requested changes are in https://github.com/mozilla/fxa-auth-server/pull/2937/commits/f748042a0a27897aedd1bdac13e943dca4c34f48 plus a fix for https://github.com/mozilla/fxa-auth-server/issues/2936 . Let me know!