Should an invalid password from auth-db-server return 404 (and should it have a detail code)

[jrgm]

I was looking at what was happening when auth-db-mysql was using the wrong version of auth-db-server. Right here, we treat any 404 as meaning 'password mismatch'.

Is 404 the right code for a password mismatch? Should it return a sub-code on the wire to indicate more precisely what is wrong?

(p.s., it's hard to figure out where to put bugs sometimes in cases like these where the 404 is consumed by one repo but produced by another. I started writing this in fxa-auth-server, but realized it was a question about the api).

[rfk]

I guess this maps most directly onto the semantics of the underlying query, which is "select the account record with verifierHash = BLAH" but it does seem like a potential footgun from an API standpoint. IMHO a 400 would be more in line with our broader API design.

[chilts]

Here are a few WIP branches. I'm putting them here now for two reasons:

1. just so they can be looked at and sanity checked (more important than the next item)
2. they're not yet complete (if I PR, they'll all fail due to something something package shrinkwrap something something)

• https://github.com/mozilla/fxa-auth-server/compare/master...chilts:check-for-400-from-check-password?expand=1 <- branch include's @eoger's commit in fix(password): Revert changes induced by #954 pull request fxa-auth-server#955
• https://github.com/mozilla/fxa-auth-db-server/compare/master...chilts:add-incorrect-password-app-error?expand=1
• https://github.com/mozilla/fxa-auth-db-mem/compare/master...chilts:return-400-on-incorrect-password?expand=1
• https://github.com/mozilla/fxa-auth-db-mysql/compare/master...chilts:return-400-on-incorrect-password?expand=1

How do they look? I've done some local tests with the fxa-js-client and curl, but I have yet to add real tests. Happy to see if anyone can see any gotchyers first. Thanks.

[chilts]

All PRs can be reviewed. See below for merge order.

First PR to be merged:

• feat(db-api): Add AppError.incorrectPassword for the backends to use … fxa-auth-db-server#146

The following two PRs can be reviewed. Once the above PR is merged, I'll re-push these two with the new package/shrinkwrap pointing to the mozilla repos (not mine):

• fix(db): Return 400 on incorrect password fxa-auth-db-mem#35
• fix(db): Return 400 on incorrect password #53

Finally, when all the above three are merged, I'll update the following PR's shrinkwrap and we can merge it too:

• Check for 400 from check password fxa-auth-server#964

All feedback appreciated. Anyone for a r?

[rfk]

(if I PR, they'll all fail due to something something package shrinkwrap something something)
See below for merge order.

Not related to this PR, but this cross-repo change management is becoming an obvious source of roadblocks and delays for our work in the backend. I don't think the purported benefits of being split into multiple repos are outweighing the costs. Let's find a way to dig ourselves out of this - #54.

[rfk]

Reviewing now, but please don't merge until train-39 is cut.

[chilts]

It is now returning a 400 (not a 404). We have a separate issue now for being able to return a detail code: mozilla/fxa-auth-db-server#150

I will leave this one open for the moment so that we can go back and add tests that the detail code is what we expect once the above issue is done.