blog.mirabellette.eu

A blog about digital independence and autonomy


I failed to install Firefox Accounts Server

Written by Mirabellette / 06 october 2018 / no comments

To become more and more independent, and because I trust the Mozilla Foundation less and less, I decided to manage the Firefox authentication system myself (without Docker). For those who do not know, Firefox separates the authentication system from the storage management system. You can manage your data (bookmarks, history, tabs, profile) with Firefox Sync. I deployed it previously and a tutorial is available here. After hosting the most important part of my data that Firefox manages, I wanted to host the whole thing. I worked on it for 21 hours and was still not able to run it properly. I decided to share my experience.

Criticism

Firefox Authentication Server is built following a microservices architecture. For those who do not know it, this divides an application into smaller applications. Each of them should have a specific role and perimeter: for example, one microservice dedicated to sending email and another dedicated to managing the user interface. However, this architecture, if not well built and documented, can have some disadvantages. You can find below a list from Wikipedia:

  • Services form information barriers
  • Inter-service calls over a network have a higher cost in terms of network latency and message processing time than in-process calls within a monolithic service process
  • Testing and deployment are more complicated
  • Moving responsibilities between services is more difficult. It may involve communication between different teams, rewriting the functionality in another language or fitting it into a different infrastructure
  • Viewing the size of services as the primary structuring mechanism can lead to too many services when the alternative of internal modularization may lead to a simpler design.

Unfortunately, I think the Firefox Accounts Server falls into most of them. They are improving it but there is so much work to do, especially because it seems like the Mozilla Foundation wants to maintain compatibility with the past. You can find below the list of issues I found, which made it really hard to deploy and which demonstrate why it is obsolete.

  • Each microservice has its own structure. In some of them, the configuration is in config/index.js, another one has it in /server/config/local.json, and in another one you have two files to configure.
  • Each microservice has its own way of running. For example, the start command can be different; in another case, you need to build the code to make it runnable.
  • The documentation is clearly lacking (no systemd unit, no reverse proxy configuration). Anybody who tries to run it by following the process in the documentation will fail most of the time because some part of it is not documented or is obsolete.

Regarding the Firefox Authentication Server in general: I am sorry to say it, but it is clearly out of date and contains vulnerabilities. On obsolescence, I could mention the need to use MySQL 5.6; on vulnerabilities, the vulnerabilities in the node modules. It is not ready to be deployed by anybody other than someone who works on this project or on the Mozilla Firefox platform. I cannot imagine for one second a system administrator without development skills being able to deploy it in less than 3 days.

Just another example of the mess: I opened an issue here about the difficulties I had. Two people from Mozilla answered. The first answer was pertinent and helped me in the process. The second one was clearly off topic; I am not even sure he read it. He just repeated one thing I said, a thing which does not work, and he closed the issue without giving a fuck. Yes, he closed it, without waiting for my answer. I had just spent three days trying to make it work before asking for help and my issue was closed like "OK, thank you".

My responsibility

My lack of knowledge was, of course, one reason I could not succeed in this task. Even though I have deployed dozens of applications, I am not used to deploying microservices applications. The only comfort I have is that I am not the only one who did not succeed.

Installation process

I spent three days deploying and configuring Firefox Accounts Server. For those who are interested, you can find below the process I followed to be able to run them. I was able to run 5 services, maybe it required more to make it runnable, but some of them still have issues and it. The list of microservices I deployed:

  • fxa-auth-db-mysql
  • fxa-auth-server
  • fxa-content-server
  • fxa-oauth-server
  • fxa-profile-server

Global installation

In order to prepare the system, you need to do the following:

adduser --system --shell /usr/sbin/nologin --group firefox
As npm needs to have a home directory, we will not add the --no-create-home option.

apt update && apt install -y git python sudo make gcc g++

On Debian 9, you need to install only mysql-server, without MariaDB:

apt install lsb-release # necessary to install mysql
wget https://dev.mysql.com/get/mysql-apt-config_0.8.10-1_all.deb
dpkg -i mysql-apt-config_0.8.10-1_all.deb
apt update
apt install mysql-server

You have to choose MySQL version 5.6. I tested with version 8 and with MariaDB and it doesn't work.

cd /opt
# Get the latest stable version of node
wget https://nodejs.org/dist/v8.12.0/node-v8.12.0-linux-x64.tar.xz -P /opt
tar xf node-v8.12.0-linux-x64.tar.xz
ln -s /opt/node-v8.12.0-linux-x64/bin/node /bin/
ln -s /opt/node-v8.12.0-linux-x64/bin/npm /bin/

Tips

To find the configuration files easily, I recommend using grep as much as possible and reading each package.json file, which can help you find the start command. You can find interesting stuff with:

grep -R 127.0.0.1 --exclude-dir=node_modules *
grep -R public_url -i --exclude-dir=node_modules *

Part of the installation process of Firefox Accounts database service

I still have issues with it. db.example.com

git clone https://github.com/mozilla/fxa-auth-db-mysql.git
chown firefox:firefox -R fxa-auth-db-mysql
cd /opt/fxa-auth-db-mysql
sudo -u firefox npm install
# found 28 vulnerabilities (21 low, 5 moderate, 1 high, 1 critical)

sudo -u firefox NODE_ENV=prod npm start

vim config/config.js

Firefox Accounts Server

I still have issues with it. auth.example.com

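# Clone over HTTPS: the git:// protocol is unauthenticated and unencrypted
git clone https://github.com/mozilla/fxa-auth-server.git
# -R so that the firefox user owns the whole tree, as for the other services
chown firefox:firefox -R fxa-auth-server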
cd /opt/fxa-auth-server
sudo -u firefox npm install --production
sudo -u firefox NODE_ENV=prod npm start

To change the listen address of the server, you have to edit the file config/index.js and replace the default value of publicUrl:

publicUrl: {
  format: 'url',
  default: 'http://127.0.0.1:9000',
  env: 'PUBLIC_URL'
},

Firefox Accounts Content Server

account.example.com

You will need to install OpenJDK. Search for the available packages and then install the most recent version available for your distribution. For me, it was openjdk-8-jre.

apt-cache search java | grep openjdk
apt update && apt install openjdk-8-jre

git clone https://github.com/mozilla/fxa-content-server.git
chown firefox:firefox -R fxa-content-server
cd /opt/fxa-content-server
sudo -u firefox npm install --production
sudo -u firefox npm install bluebird
sudo -u firefox npm run build-production
# found 7 vulnerabilities (6 low, 1 moderate)
sudo -u firefox NODE_ENV=production npm run start-production

The configuration template is the file server/config/local.json-dist.
Firefox Content Server loads its configuration from a file we have to create, which should be a copy of local.json-dist.

# Run from /opt/fxa-content-server; the server reads server/config/local.json
sudo -u firefox cp server/config/local.json-dist server/config/local.json
# First of all, we have to replace the secret "YOU_MUST_CHANGE_ME":
head -c 20 /dev/urandom | sha1sum
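
The secret replacement can be scripted so that no placeholder is left behind. The following is an added example, not part of the original post or of the Mozilla project; it assumes the placeholder is the literal string YOU_MUST_CHANGE_ME and, instead of the sha1sum pipeline above, hex-encodes 32 random bytes directly. The function names are hypothetical.

```shell
# Added example: give every placeholder secret in a config file its own
# random value, and refuse to finish if any placeholder survives.
# Assumption: the placeholder is the literal string YOU_MUST_CHANGE_ME.
PLACEHOLDER='YOU_MUST_CHANGE_ME'

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
new_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# replace_placeholder_secrets FILE
# Returns 1 if FILE is missing or a placeholder is still present afterwards.
replace_placeholder_secrets() {
    local file tmp line
    file=$1
    [ -f "$file" ] || return 1
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    chmod 600 "$tmp"                  # the file holds secrets: owner only
    while IFS= read -r line || [ -n "$line" ]; do
        # Replace one occurrence per pass so each gets a different secret.
        while case $line in *"$PLACEHOLDER"*) true ;; *) false ;; esac; do
            line="${line%%$PLACEHOLDER*}$(new_secret)${line#*$PLACEHOLDER}"
        done
        printf '%s\n' "$line"
    done < "$file" > "$tmp"
    if grep -q "$PLACEHOLDER" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$file"                 # swap in the rewritten file
}
```

Run it as the firefox user so that the rewritten file keeps the right owner; the secrets never appear on a command line or in shell history.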

vim server/lib/configuration.js

default: 'http://127.0.0.1:3030'

public_url: {
  default: 'http://127.0.0.1:3030',
  doc: 'The publically visible URL of the deployment',
  env: 'PUBLIC_URL'
},

I recommend you disable CSP because it is completely obsolete here: they are still using x-content-security-policy even though it has been obsolete since Firefox 23!

vim server/config/production.json
# csp:false

Firefox Accounts OAuth Server

oauth.example.com

git clone https://github.com/mozilla/fxa-oauth-server.git
chown firefox:firefox -R fxa-oauth-server/
cd /opt/fxa-oauth-server/
sudo -u firefox npm install
# found 7 vulnerabilities (5 low, 1 high, 1 critical)
sudo -u firefox npm audit fix
sudo -u firefox npm start

Firefox Accounts Profile Service

profile.example.com

apt update && apt -y install graphicsmagick

git clone https://github.com/mozilla/fxa-profile-server.git
chown firefox:firefox -R fxa-profile-server
cd /opt/fxa-profile-server
sudo -u firefox npm install
# found 14 vulnerabilities (7 low, 6 moderate, 1 high)
sudo -u firefox NODE_ENV=prod npm start
vim lib/config.js
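
The "found N vulnerabilities" lines that npm install printed for each service can be turned into a simple deployment gate. The following is an added example, not part of the original post; the summary lines are copied from the comments above (the fxa-oauth-server line is the one printed before npm audit fix), and the function names and the "service: summary" input format are assumptions made for the example.

```shell
# Added example: flag the services whose npm summary line reports at least
# one high or critical finding.
# Summary lines copied from the comments in this post, keyed by service.
SUMMARIES='fxa-auth-db-mysql: found 28 vulnerabilities (21 low, 5 moderate, 1 high, 1 critical)
fxa-content-server: found 7 vulnerabilities (6 low, 1 moderate)
fxa-oauth-server: found 7 vulnerabilities (5 low, 1 high, 1 critical)
fxa-profile-server: found 14 vulnerabilities (7 low, 6 moderate, 1 high)'

# severity_count LEVEL LINE: print the number reported for LEVEL, 0 if absent.
severity_count() {
    local n
    # The delimiter before the digits keeps "21 low" from matching as "1 low".
    n=$(printf '%s\n' "$2" | sed -n "s/.*[(, ]\([0-9][0-9]*\) $1[,)].*/\1/p")
    printf '%s\n' "${n:-0}"
}

# blocked_services: read "service: summary" lines on stdin and print one
# line per service that has high or critical findings.
blocked_services() {
    local line svc high crit
    while IFS= read -r line; do
        svc=${line%%:*}
        high=$(severity_count high "$line")
        crit=$(severity_count critical "$line")
        if [ "$high" -gt 0 ] || [ "$crit" -gt 0 ]; then
            printf '%s high=%s critical=%s\n' "$svc" "$high" "$crit"
        fi
    done
}

# Usage: printf '%s\n' "$SUMMARIES" | blocked_services
```

With the numbers from this post, only fxa-content-server passes the gate.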

Conclusion

I hope it will motivate you NOT to try to install it and save you time. I hope they will improve it and make it easier to configure and deploy. Maybe one day, we will be able to use only the Mozilla Firefox Browser and be able to manage everything behind, maybe.

Social media

If you find this article useful, feel free to follow my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone.