FxA Account Manager refactor

[grigoryk]

State machine changes:

• "profile" states have been removed, profile is now handled outside of the state machine
• states and events have been split into two subtypes: external and internal. External states are the AccountStates (authenticated, not authenticated, auth problem, etc) and internal states are InternalState (beginning auth, completing auth, recovering from auth problems, etc)
• this split should hopefully make navigating the state machine more intuitive
• retry logic and error handling was added for all internal transitions which require networking (Closes [Bug] Crash @kotlin.KotlinNullPointerException: at mozilla.components.service.fxa.manager.FxaAccountManager.postAuthenticated(FxaAccountManager.kt:36) #7536)

account manager changes:

• removed ability to "set sync config" from the public API. we weren't using it (and have no plans to use this), so the added complexity wasn't benefiting anything.

async/suspend API changes:

account manager, account and device constellation APIs are now suspend, which makes both internal code and consuming of these APIs nicer and more flexible. Actual semantics of what's going on didn't change.

sync manager changes:

introduced a delay to the periodic sync scheduling, so that we can properly manage what goes on during startup (Closes #7335)

Tests are half-way being updating, so this is still a WIP.

cc @csadilek @rfk @eoger @jonalmeida

---

Pull Request checklist

• Quality: This PR builds and passes detekt/ktlint checks (A pre-push hook is recommended)
• Tests: This PR includes thorough tests or an explanation of why it does not
• Changelog: This PR includes a changelog entry or does not need one
• Accessibility: The code in this PR follows accessibility best practices or does not include any user facing features

After merge

• Milestone: Make sure issues closed by this pull request are added to the milestone of the version currently in development.
• Breaking Changes: If this is a breaking change, please push a draft PR on Reference Browser to address the breaking issues.

[rfk]

There's a lot going on here, but I did a first pass and left some notes. I think you're right that it will make the state-machine easier to understand overall.

FWIW the PR would be easier to digest with the async->suspend stuff landed separately 😁

[rfk]

I continue to be sad that we have to plumb a bunch of sync-related things through here, but oh well, not really anything you can do about it in this PR.

[grigoryk]

I'm not so sure this is bad, the upside is that it gives consumers a single point of interaction with all of these things.

If you mean something closer to "it's too bad sync manager is managed in one repo, but sync scheduling in another", then yes, I agree that it is unfortunate and something we should look into fixing 👍

[rfk]

Do any of your consumers actually use getSessionToken, or is it exposed mostly for completeness? It doesn't feel like anyone should be calling this method in practice.

[grigoryk]

In practice, this is just used internally by the account manager (to get sync going).

In theory, if consumers aren't using the account manager this lets them do something useful with the account object beyond just fetching a profile, but... yeah, not really something we want to encourage.

Next on my plate is to work through the "we have a firefox-shaped oauth account abstraction with just a single implementation" bit, and simplify things on that front... Perhaps we can clean this up as part of that work.

[rfk]

Hrm, the fact that there are so many ways to spell "did a fresh signin" seems like a tiny bit of a code-smell to me. What things do we need to do that differ between Signin, Signup and Pairing? (I seem to recall this being added initially for metrics purposes?)

[grigoryk]

Another place where we use this is to kick-off sync after an onAuthenticated event (first sync vs startup sync), with a different mapping from device's init/ensure.

Otherwise, this is plumbed around in such detail mostly for telemetry, yeah.

[grigoryk]

I'll think about perhaps a different internal/external representation of this.

[rfk]

IIUC this means the syncNow request is just dropped on the floor. Is it possible that this might cause a bad user experience where they request a "sync now" but we don't honour it because we happened to be doing something else at the time?

[grigoryk]

That's right, we're dropping it here. FWIW, I think this can't really happen in practice - if we're in any of the "active" states, there isn't really a way for the user to request a sync. We're either starting/completing auth, logging out, migrating, etc - Fenix's UI, at least, doesn't expose "sync" button in any of these scenarios.

I'm not quite sure if having this check is necessary (it shouldn't happen), but left it here for completeness. This may as well produce a caught exception that we submit into Sentry, since it is an illegal event essentially (but, it exists outside of the state machine).

Another alternative is to make "sync" an "external event" on the state machine itself, but I'm not sure that's significantly better really, and it starts to introduce "sync" bits into what's otherwise an fxa-only thing.

[grigoryk]

Thanks for taking a look, @rfk! I'm still making some tweaks, but the core of it is there.

FWIW the PR would be easier to digest with the async->suspend stuff landed separately 😁

Yup, I got a little carried away there... At this point, it'll be quite a task to split the comments into a sensible "story", happy to chat on zoom/slack about any of this.

[csadilek]

OK, completed the first pass now.

The state machine looks really clean now with the different type of states! One suggestion below.

I also have one question about changing scopes in the push feature if I read this correctly and whether it was intentional.

Did a round of manual testing as well. All looking good.

[csadilek]

Do we really want to run this on the main thread? Before this ran on AutoPushFeature.coroutineScope via notifyObservers.

[csadilek]

Looks like we maybe want to make these observer methods suspend functions as well, so we don't need to context switch?

[grigoryk]

Yeah, this will run as before in practice (underneath we have a dedicated dispatcher), and marking the interface funs as suspend will avoid switching and certainly make the intention here clearer.

[grigoryk]

Filed #7899

[jonalmeida]

@grigoryk I don't follow why we need to switch to the main dispatcher here. Previously the FxaPushSupportFeature would execute the call on the autopush dispatcher since account manager had it's own dispatcher. Shouldn't there be the ability to add a process a raw message that doesn't come from a coroutine on an internal dispatcher?

[grigoryk]

@jonalmeida Previously the FxaPushSupportFeature would execute the call on the autopush dispatcher i don't think that's quite correct. Yes, it'll execute, say, processRawEventAsync on the autopush dispatcher (or, in whichever context onMessageReceived will be invoked). However processRawEventAsync itself will do the actual work on the account manger's dispatcher. With the suspend function, the actual "work" is still happening on the account manager's dispatcher, just as before, it's just how we "kick it off" is different now - but I don't think that actually changes semantics here in a way that matters?

I agree that it's a little awkward, hence #7889. However we can't make observer methods suspend since Observable doesn't currently support "notifying" suspend observers, and I don't think we want to expand that pattern.

Another option is to remove withcontext wrapper from impl suspend methods, and rely on callers to correctly call these functions (e.g. on a worker dispatcher of sorts). Current approach holds your hand a bit, and doesn't let you screw up too badly. I'm not sure if that's necessary.

[csadilek]

Same question as above re: main scope.

[grigoryk]

One remaining aspect of this PR that I need to change before this can land is improving how we handle the "offline startup" case. Current version will likely fail to finalize the account after multiple attempts, and will drive the user to the NotAuthenticated state, which isn't really something we'd ship. Existing state machine would just kind of give up at that point, and some things may not work correctly, but at least the user remains signed-in.

Ideally, we shouldn't be concerned with this stuff at the startup at all. Current fxaclient APIs don't make any guarantees around what happens during ensure/init calls, so we assume they talk to the network during a regular startup flow.
It would be nice if this wasn't the case - regular startup shouldn't require any network interactions.

We can "paper over" this at the state machine level, but I'm inclined to first investigate changing the a-s APIs first. cc @rfk

[grigoryk]

This should be good to land now. However, since I'm away until mid-September, and due to how various releases are aligning right now, let's land it once I'm back on the 16th.

[grigoryk]

@csadilek once you're back from PTO, let's get this landed. Should be good to go.

[csadilek]

@grigoryk OK did another pass and also looked at latest commits. Just some nits, but good to land from my perspective!

[grigoryk]

@csadilek addressed your feedback, thanks! Let's land this 👍