The user is still signed in on stage server after the device is revoked

[GeorgiuCiprian]

[Affected versions]:

• Firefox 65.0.1

[Affected Platforms]:

• Windows 10 x64
• macOS 10.13
• Ubuntu 18.04 x64

[Steps to reproduce]:

1. Navigate to http://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net and Sign in with a valid account.
2. Go to https://stable.dev.lcip.org/settings
3. Click on the "Show" button from the Devices & apps section.
4. Click on "Revoke" from the left side of the "Firefox Monitor Trusted (Stage)".
5. Click "Done".
6. Return to the http://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net and refresh the website.

[Expected result]:

• The user is signed out from the website.

[Actual result]:

• The user is still signed in into the website.

[Regression]:

• N/A

[groovecoder]

Good catch. I don't think we want to ping the user's FxA profile on every page-load(?). But I'm not sure if FxA can send a callback to us when the user revokes the permission? @mozilla/fxa-core ?

[shane-tomlinson]

Good catch. I don't think we want to ping the user's FxA profile on every page-load(?)

Depends on the load, but every page load seems like a pretty heavy hammer. Maybe you could do something along the lines of "if the refresh token hasn't been checked in the past 10 minutes, then do so?"

But I'm not sure if FxA can send a callback to us when the user revokes the permission? @mozilla/fxa-core ?

We do not have any such functionality yet, though I foresee something along these lines in Q2 as part of Subscription Services.

[tcinotto]

Will be closed and fixed when number 816 is fixed.