Closed data-sync-user closed 4 years ago
data-sync-user
commented
4 years ago ➤ Jared Hirsch commented:
Good suggestion from [~vbudhram@mozilla.com] : what if we just don't allow users in unverified sessions to generate anon_id? What might the consequences be?
data-sync-user
commented
4 years ago ➤ Wil Clouser commented:
[~rkelly@mozilla.com] please comment here
data-sync-user
commented
4 years ago ➤ Ryan Kelly commented:
Good suggestion from [~vbudhram@mozilla.com] : what if we just don't allow users in unverified sessions to generate anon_id? What might the consequences be?
This sounds fine to me - we should make our best effort to generate an anon_id, but not at the expense of RP user experience. Given that we have logic in AET clients to generate placeholder ids when the real one is missing, it doesn't seem too bad to leave the non_id empty in this case and just hope the user does a verified flow some time later to fill it in.
See https://github.com/mozilla/fxa/pull/5989#discussion_r458336093 and TODO above:
"Using sessionReauth to get keys could potentially pose some issues if the user is attempting to come from an unverified session. FxA only allows fetching keys from sessions that are verified (ex. performed some email verification loop)."
This might need discussion.
┆Issue is synchronized with this Jira Task ┆Issue Number: FXA-2338