Closed Bug 1052883 Opened 10 years ago Closed 10 years ago

Use the pre-verified API

Categories

(Marketplace Graveyard :: Integration, defect, P2)

2014-Q3
x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: andy+bugzilla, Assigned: ashort)


Firefox Accounts is adding in a pre-verified API. Let's hook that up. In the case where:
* a user is logged into the Marketplace (dev or consumer pages) with Persona
* the Persona account is verified
We can then ping Firefox Accounts and let them know that the account does not need that extra email verification step.
The API is here: https://github.com/mozilla/fxa-auth-server/issues/780
It's important that only accounts logged in with Persona use this as otherwise we've got an account takeover vector.
No longer blocks: 1052876
Blocks: 1007956
Priority: -- → P3
Discussion about this is at https://mail.mozilla.org/pipermail/dev-fxacct/2014-August/001064.html
I think they are waiting for #1 and #2 (confirmation from the Marketplace)
Flags: needinfo?(amckay)
Priority: P3 → --
dbialer said he'd sign off on this approach today.
Flags: needinfo?(amckay)
David: please confirm
Flags: needinfo?(dbialer)
We've been moving forward without confirmation, but it would still be nice to get product level confirmation that this preVerified API is desired and a go.
confirmed (though too late :)
Flags: needinfo?(dbialer)
Priority: -- → P2
Assignee: nobody → ashort
There are two places in the flow we plan to use the pre-verified API:
* if the user is logged into the marketplace and has a verified persona account
* emails we'll send to developers containing the pre-verified key (bug 1059561)
The primary purpose of this bug is to get the pre-verified API working so that we can hook it into these spots.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
:ashort, we need the URL at which your signing key will be hosted (both in dev and in prod) for this work.
Flags: needinfo?(ashort)
This config change should go into our train-22 release. It's currently in stage: bug 1071309.
The production URL is 404.
$ curl -D - 'https://marketplace.firefox.com/api/v1/account/fxa-preverify-key/'
HTTP/1.1 404 NOT FOUND
Server: nginx
Date: Tue, 30 Sep 2014 00:27:02 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
API-Filter: carrier=&lang=en-US&pro=&region=restofworld
Access-Control-Expose-Headers: API-Filter, API-Status, API-Version
Strict-Transport-Security: max-age=31536000
Vary: API-Filter, Accept-Language, Cookie
API-Pinned: False
ETag: "d41d8cd98f00b204e9800998ecf8427e"
API-Version: 1
Access-Control-Allow-Headers: X-HTTP-Method-Override, Content-Type
I noticed the key from the dev url doesn't include a "kid" field. Although the preVerifyToken *should* work without one, I strongly recommend we use them.
next push to production is 7 Oct, this key url will be live then. 'kid' field added: https://github.com/mozilla/zamboni/commit/223ecb5
Please add STR here or mark it with [qa-] if no QA is needed.
Flags: needinfo?(ashort)
Flags: needinfo?(ashort)