Need UX for Session Token management

[vladikoff]

@ryanfeeley Here are my sessionTokens:

We need to UX to distinguish these sessionTokens. Example, see last 2 entries here:

[ryanfeeley]

@vladikoff So these are browsers that have logged into FxA settings?

[vladikoff]

@vladikoff So these are browsers that have logged into FxA settings?

Yes

[vladikoff]

@ryanfeeley we will somehow filter out the sessionTokens used for Sync in that list.

[ryanfeeley]

@vladikoff I assume you chose "destroy" because it functioned differently than disconnect. If true, why?

[vladikoff]

@vladikoff I assume you chose "destroy" because it functioned differently than disconnect. If true, why?

I chose it to alert you ;)

[rfk]

we will somehow filter out the sessionTokens used for Sync in that list

If a sessionToken is used for Sync, it will have a corresponding Device record. So IIUC any sessionTokens without a corresponding Device record are the one's we're interested in here.

[ryanfeeley]

I think we need to be clear about what we are adding. It sounds like it is related to sessions for FxA Settings. We could present this as more of an "app" style. But I'm worried that we'll end up showing two for every device that is connected to Sync (making it look like there are four). Let's discuss further @rfk

[rfk]

I think we need to be clear about what we are adding.
It sounds like it is related to sessions for FxA Settings.

It's anything that's not Firefox Sync that has a login session to FxA. How to communicate that effectively to users is an open question.

I like to use the example of, I've opened up Chrome and signed in to Pocket with my Firefox Account. That results in two new things being "connected" to my account:

• The Pocket servers now hold an OAuth token to my account. We handle this via the "connected apps" work that @vladikoff has been doing.
• That instance of Chrome now holds a session token to my account, stored in localStorage on behalf of https://accounts.firefox.com. Anyone with access to that browser can view my account details, change my avatar, and login to other OAuth reliers as me. But notably, they can't get at my sync data.

That session token is not currently visible anywhere in the settings page. The only way to destroy it is to go back to that Chrome browser, visit https://accounts.firefox.com, and click "logout".

Replace "I sign in to Pocket in Chrome" with "an attacker signs in to my account using a custom script and a leaked password" for something a little more sinister. There's no particular reason why the attacker's session token would show up in the current devices view.

My over-arching principal here is: anything with active access to the user's account should show up somehow in this view.

But I'm worried that we'll end up showing two for every device that is connected to Sync

I think we can do an OK job of this, if we should show precisely one record for every sessionToken that exists on the user's account:

• If that sessionToken has a corresponding device record, show it as a device that's connected to sync
• Otherwise, show it as a web login session

There is one way that can go wrong - you can have a browser that's logged in to sync and also logged in via web content with a different sessionToken. We try to avoid it, but it can happen, particularly on developers machine where we're regularly signing into and out of things with FxA. In this case you'd see two entries that correspond to that single instance of Firefox.

[vladikoff]

need to chat about this ...

[vladikoff]

@rfk @ryanfeeley how do we proceed with this feature?

[rfk]

We could ship a non-final-UX version of it behind a feature flag, visible only to mozilla and softvision accounts. This would let us get a feel for any edge-cases etc in practice, rather than trying to theorize about ways that it might get confusing.

That said, the open UX questions I see here, and my naive suggestions for moving them forward, are as follows:

• What exactly is going to show up here that wasn't there before?
  • Web login sessions that are not affiliated with sync.
  • Technically: all sessionTokens that do not have registered device record.
• What icon should these web login sessions have?
  • I don't think it would be terrible to use the default oauth service icon until we figure out something better.
• What name should we display for these sessions?
  • Use the same "Browser on OS" form that we use for placeholder device names; the surrounding context will indicate that it's not a device
• What should the "disconnect" button say and do?*
  • Saying "disconnect..." seems OK to me
  • We want to know all the same things about why they're disconnecting as we might from a registered device. In particular, if it's an unknown or suspicious login, it would be nice to get a report of that fact.

@ryanfeeley if you like we can talk through this in person next week, I'm pretty keen to see if move forward as it's the final towards achieving:

anything with active access to the user's account should show up somehow in this view.

Which is pretty important IMHO.

[ryanfeeley]

Let's use this:

[vladikoff]

icon link https://www.dropbox.com/s/k1vjx5xsymmxiod/defaultFavicon.svg?dl=0

[rfk]

👍

[vladikoff]

Continued in #4585