From 1695e1eb1fea29f95f03633fd350d5c6dbbbb9c4 Mon Sep 17 00:00:00 2001
From: Barry Chen
Date: Mon, 15 Jun 2026 14:00:17 -0500
Subject: [PATCH] fix: add settings for FxA acct event SET `aud` and `iss`
---
 docs/src/config.md | 2 ++
 syncserver/src/tokenserver/mod.rs | 21 ++++++++-------------
 tokenserver-settings/src/lib.rs | 8 +++++++-
 3 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/docs/src/config.md b/docs/src/config.md
index b66c5f6d0b..c2dfad5c6e 100644
--- a/docs/src/config.md
+++ b/docs/src/config.md
@@ -107,6 +107,8 @@ The following configuration options are available.
 | SYNC_TOKENSERVER__TOKEN_DURATION | 3600 | Token TTL (1 hour) |
 | SYNC_TOKENSERVER__FXA_WEBHOOK_ENABLED | false | Enable the FxA webhook endpoint. When disabled, the route is not registered. |
 | SYNC_TOKENSERVER__FXA_WEBHOOK_METRICS_ONLY | false | Run the FxA webhook handler in metrics-only mode. Received events are counted but not processed. Only used if `FXA_WEBHOOK_ENABLED` is true. |
+| SYNC_TOKENSERVER__FXA_WEBHOOK_SET_CLIENT_ID | None | Expected `aud` of FxA Security Event Tokens. Required for account event webhooks. |
+| SYNC_TOKENSERVER__FXA_WEBHOOK_SET_ISSUER | None | Expected `iss` of FxA Security Event Tokens. Required for account event webhooks. |
 ### Tokenserver+FxA Integration
diff --git a/syncserver/src/tokenserver/mod.rs b/syncserver/src/tokenserver/mod.rs
index 756764fb61..ab45b852bc 100644
--- a/syncserver/src/tokenserver/mod.rs
+++ b/syncserver/src/tokenserver/mod.rs
@@ -76,25 +76,20 @@ impl ServerState {
 let set_verifiers = {
 let mut verifiers = Vec::with_capacity(2);
- if let Some(client_id) = &settings.fxa_client_id {
+ if let (Some(client_id), Some(issuer)) = (
+ &settings.fxa_webhook_set_client_id,
+ &settings.fxa_webhook_set_issuer,
+ ) {
 if let Some(primary_jwk) = &settings.fxa_oauth_primary_jwk {
 verifiers.push(
- SETVerifierImpl::new(
- primary_jwk,
- client_id,
- &settings.fxa_oauth_server_url,
- )
- .expect("Invalid primary JWK for SET verification"),
+ SETVerifierImpl::new(primary_jwk, client_id, issuer)
+ .expect("Invalid primary JWK for SET verification"),
 );
 }
 if let Some(secondary_jwk) = &settings.fxa_oauth_secondary_jwk {
 verifiers.push(
- SETVerifierImpl::new(
- secondary_jwk,
- client_id,
- &settings.fxa_oauth_server_url,
- )
- .expect("Invalid secondary JWK for SET verification"),
+ SETVerifierImpl::new(secondary_jwk, client_id, issuer)
+ .expect("Invalid secondary JWK for SET verification"),
 );
 }
 }
diff --git a/tokenserver-settings/src/lib.rs b/tokenserver-settings/src/lib.rs
index f0f38b5af3..662e893f1a 100644
--- a/tokenserver-settings/src/lib.rs
+++ b/tokenserver-settings/src/lib.rs
@@ -40,7 +40,7 @@ pub struct Settings {
 /// A secondary JWK to be used to verify OAuth tokens. This is intended to be used to enable
 /// seamless key rotations on FxA.
 pub fxa_oauth_secondary_jwk: Option,
- /// Sync's client id assigned by FxA. It is used to validate the `aud` of JWKs.
+ /// Sync's client id assigned by FxA. Used to validate OAuth access tokens.
 pub fxa_client_id: Option,
 /// The rate at which capacity should be released from nodes that are at capacity.
 pub node_capacity_release_rate: Option,
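Review bot: In `syncserver/src/tokenserver/mod.rs`, the new `if let (Some(client_id), Some(issuer))` guard leaves `verifiers` empty with no signal when either `fxa_webhook_set_client_id` or `fxa_webhook_set_issuer` is unset, including when only one of the pair is configured. A deployment that relied on `fxa_client_id` and `fxa_oauth_server_url` and has `fxa_webhook_enabled` set would start with no SET verifier after this change; how the webhook handler treats an empty list is outside this hunk, so it should be confirmed that it rejects every token rather than skipping verification. Failing at startup would match the `.expect(...)` calls already used for bad JWKs, for example after the outer `if let`: `if settings.fxa_webhook_enabled && verifiers.is_empty() { panic!("FxA webhook enabled but no SET verifier is configured"); }` (relax the condition for metrics-only mode if that path does not verify tokens). The `let set_verifiers = { ... }` block continues past the end of the hunk.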
@@ -75,6 +75,10 @@ pub struct Settings {
 /// are counted but not processed.
 /// Defaults to false.
 pub fxa_webhook_metrics_only: bool,
+ /// The `aud` of Security Event Tokens received on the account events webhook endpoint.
+ pub fxa_webhook_set_client_id: Option,
+ /// The `iss` of Security Event Tokens received on the account events webhook endpoint.
+ pub fxa_webhook_set_issuer: Option,
 }
 impl Default for Settings {
@@ -105,6 +109,8 @@ impl Default for Settings {
 init_node_capacity: 100000,
 fxa_webhook_enabled: false,
 fxa_webhook_metrics_only: false,
+ fxa_webhook_set_client_id: None,
+ fxa_webhook_set_issuer: None,
 }
 }
 }
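Review bot: The doc comments on `fxa_webhook_set_client_id` and `fxa_webhook_set_issuer` in the `@@ -75,6 +75,10 @@` hunk do not say that the two settings only take effect together, although the verifier construction in `syncserver/src/tokenserver/mod.rs` builds SET verifiers only when both are `Some`. I would add a line to the first field such as `/// Must be set together with fxa_webhook_set_issuer; if either is unset, no SET verifier is built.` and the mirror of it on the issuer field. It would also help to state the expected form of the issuer value, since it no longer comes from `fxa_oauth_server_url`; the comparison rules live in `SETVerifierImpl`, which is not shown on this page.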