Skip to content

feat: add QR code device pairing for mobile Firefox#261

Merged
layertwo merged 1 commit intomainlinefrom
feat/device-pairing
Mar 3, 2026
Merged

feat: add QR code device pairing for mobile Firefox#261
layertwo merged 1 commit intomainlinefrom
feat/device-pairing

Conversation

@layertwo
Copy link
Owner

@layertwo layertwo commented Mar 2, 2026

Summary

  • Add serverless WebSocket channel server (API Gateway WebSocket + Lambda + DynamoDB) for relaying encrypted pairing messages between devices
  • Vendor Mozilla's fxa-pairing-channel library (TLS 1.3 PSK over WebSocket), fully converted to TypeScript with 111 ported tests
  • Add authority page (/pair) that displays a QR code for desktop Firefox to scan
  • Add supplicant page (/pair/supp) where mobile Firefox lands after scanning
  • Add CDK infrastructure: WebSocket API Gateway, DynamoDB table with TTL, custom domain channel.{stage}.ffsync.layertwo.dev
  • Accept pairing redirect_uri in OAuth authorization endpoint

Channel server design

  • Connections stored as a list on the channel metadata item (no table scans)
  • Atomic connection/message limits via DynamoDB ConditionExpression
  • Idempotent disconnect with GoneException cleanup
  • Management API endpoint derived from event context (no env var needed)

Known limitation

The authority page does not transfer scoped encryption keys (keys_jwe) during pairing. This requires access to kB which is not persisted after initial login. Pairing succeeds for authentication but encrypted sync collections (passwords) will need a follow-up to transfer keys.

Test plan

  • Python: 950 tests, 100% coverage (channel service + OAuth redirect_uri)
  • CDK: frontend stack assertion test passes with channelApiDomain
  • Vitest: 111 pairing-channel TLS crypto tests pass
  • TypeScript: compiles cleanly
  • Vite: production build succeeds
  • Deploy and test pairing flow end-to-end with iPhone Firefox

@layertwo layertwo force-pushed the feat/device-pairing branch from 2503d9c to 71592c6 Compare March 2, 2026 19:24
@github-actions
Copy link

github-actions bot commented Mar 2, 2026
edited
Loading

Coverage report

Click to see where and how coverage changed

FileStatementsMissingCoverageCoverage
(new stmts)		Lines missing
  lambda/src/entrypoint
  __init__.py
  channel_api.py
  lambda/src/environment
  service_provider.py
  lambda/src/routes/auth
  oauth_authorization.py
  lambda/src/services
  channel_service.py
Project Total  

This report was generated by python-coverage-comment-action

@layertwo layertwo force-pushed the feat/device-pairing branch 4 times, most recently from b8ac77c to 6ea899b Compare March 2, 2026 22:43
@layertwo
feat: add QR code device pairing for mobile Firefox
dd018d1 
Add support for Firefox mobile device pairing via QR code scanning.
This enables iPhone/Android Firefox to pair with the self-hosted sync
server without typing credentials on the mobile device.

Components:
- Serverless WebSocket channel server (API Gateway + Lambda + DynamoDB)
  for relaying encrypted pairing messages between devices
- Vendored fxa-pairing-channel library (TLS 1.3 PSK) converted to
  TypeScript with 111 tests from Mozilla's test suite
- Authority page (/pair) showing QR code for desktop Firefox
- Supplicant page (/pair/supp) for mobile device landing
- CDK infrastructure: WebSocket API, DynamoDB table, custom domain
- OAuth authorization endpoint accepts pairing redirect_uri
@layertwo layertwo force-pushed the feat/device-pairing branch from 6ea899b to dd018d1 Compare March 3, 2026 01:56
@github-actions
Copy link

github-actions bot commented Mar 3, 2026

Diff for stage: DefaultStage

Warning

3 Destructive Changes

Diff for stack: GitHubOidcStack - 0 to add, 1 to update, 0 to destroy 🟡

Details 
Resources
[~] Custom::AWSCDKOpenIdConnectProvider GitHubOidcProvider7EBF861F
 ├─ [~] CodeHash
 │   ├─ [-] 62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb
 │   └─ [+] d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50
 └─ [~] RejectUnauthorized
[~] AWS::Lambda::Function CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb.zip
 │       └─ [+] d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb
         └─ [+] asset.d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50

Diff for stack: Service-prod - 20 to add, 3 to update, 3 to destroy

Details

[!WARNING]
Destructive Changes ‼️
Stack: Service-prod - Resource: AuthApiDeploymentB62B2E46cd727903b39a54701810720fe0a5fca4 - Impact: WILL_DESTROY

Stack: Service-prod - Resource: TokenApiDeploymentB896C219b16a73c2bacf13dff150a851137e236c - Impact: WILL_DESTROY

Stack: Service-prod - Resource: ProfileApiDeployment84A54415e0158c62574d24c31b8dbd21e82873c4 - Impact: WILL_DESTROY

IAM Statement Changes
┌───┬──────────────────────────────────────────────────────────────────────────────────────────────┬────────┬───────────────────────────────┬─────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                                     │ Effect │ Action                        │ Principal                                   │ Condition                                                                                                │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${ChannelApiHandler02759D57.Arn}                                                             │ Allow  │ lambda:InvokeFunction         │ Service:apigateway.amazonaws.com            │ "ArnLike": {                                                                                             │
│   │                                                                                              │        │                               │                                             │   "AWS:SourceArn": "arn:aws:execute-api:us-west-2:830583812777:${ChannelWebSocketApiD8D1793F}/*$connect" │
│   │                                                                                              │        │                               │                                             │ }                                                                                                        │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${ChannelApiHandlerServiceRole4DB30247.Arn}                                                  │ Allow  │ sts:AssumeRole                │ Service:lambda.amazonaws.com                │                                                                                                          │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${ChannelTableD3C84F79.Arn}                                                                  │ Allow  │ dynamodb:BatchGetItem         │ AWS:${ChannelApiHandlerServiceRole4DB30247} │                                                                                                          │
│   │                                                                                              │        │ dynamodb:BatchWriteItem       │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:ConditionCheckItem   │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:DeleteItem           │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:DescribeTable        │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:GetItem              │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:GetRecords           │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:GetShardIterator     │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:PutItem              │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:Query                │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:Scan                 │                                             │                                                                                                          │
│   │                                                                                              │        │ dynamodb:UpdateItem           │                                             │                                                                                                          │
├───┼──────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ arn:aws:execute-api:us-west-2:830583812777:${ChannelWebSocketApiD8D1793F}/*/*/@connections/* │ Allow  │ execute-api:ManageConnections │ AWS:${ChannelApiHandlerServiceRole4DB30247} │                                                                                                          │
└───┴──────────────────────────────────────────────────────────────────────────────────────────────┴────────┴───────────────────────────────┴─────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────────────────┘
IAM Policy Changes
┌───┬─────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                │ Managed Policy ARN                                                             │
├───┼─────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${ChannelApiHandlerServiceRole4DB30247} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴─────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Resources
[-] AWS::ApiGateway::Deployment AuthApiDeploymentB62B2E46cd727903b39a54701810720fe0a5fca4 destroy
[-] AWS::ApiGateway::Deployment TokenApiDeploymentB896C219b16a73c2bacf13dff150a851137e236c destroy
[-] AWS::ApiGateway::Deployment ProfileApiDeployment84A54415e0158c62574d24c31b8dbd21e82873c4 destroy
[+] AWS::ApiGateway::Deployment AuthApiDeploymentB62B2E4627f0b326f37b837e2a54a9393870f6be
[+] AWS::ApiGateway::Deployment TokenApiDeploymentB896C2197f4fd8f40928d8ff6b65325e6f60c797
[+] AWS::ApiGateway::Deployment ProfileApiDeployment84A54415afa95090416ea0bbd4b1d2aac5a9241c
[+] AWS::DynamoDB::Table ChannelTableD3C84F79
[+] AWS::IAM::Role ChannelApiHandlerServiceRole4DB30247
[+] AWS::IAM::Policy ChannelApiHandlerServiceRoleDefaultPolicy4434A27C
[+] AWS::Lambda::Function ChannelApiHandler02759D57
[+] AWS::Logs::LogGroup ChannelApiHandlerLogGroupDF147B9D
[+] AWS::ApiGatewayV2::Api ChannelWebSocketApiD8D1793F
[+] AWS::Lambda::Permission ChannelWebSocketApiconnectRouteChannelIntegrationPermissionAA7E97E9
[+] AWS::ApiGatewayV2::Integration ChannelWebSocketApiconnectRouteChannelIntegration959BAB71
[+] AWS::ApiGatewayV2::Route ChannelWebSocketApiconnectRoute42A7B936
[+] AWS::ApiGatewayV2::Route ChannelWebSocketApidisconnectRouteB7B8781F
[+] AWS::ApiGatewayV2::Route ChannelWebSocketApidefaultRoute5E1D8E96
[+] AWS::ApiGatewayV2::Stage ChannelWebSocketStageE11BC72A
[+] AWS::CertificateManager::Certificate ChannelCertificateF24C3442
[+] AWS::ApiGatewayV2::DomainName ChannelDomainName06449B85
[+] AWS::ApiGatewayV2::ApiMapping ChannelApiMapping55F348C5
[+] AWS::Route53::RecordSet ChannelARecordSet582DB515
[+] AWS::Route53::RecordSet ChannelAAAARecordSet1EB4A128
[~] AWS::Lambda::Function AuthApiHandlerED50ACFA
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 │       └─ [+] 850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
         └─ [+] asset.850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf
[~] AWS::Lambda::Function TokenApiHandler2E66DB25
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 │       └─ [+] 850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
         └─ [+] asset.850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf
[~] AWS::Lambda::Function ProfileApiHandler9B65A298
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 │       └─ [+] 850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
         └─ [+] asset.850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf
[~] AWS::Lambda::Function ApiHandler5E7490E8
 ├─ [~] Code
 │   └─ [~] .S3Key:
 │       ├─ [-] 1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497.zip
 │       └─ [+] 850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf.zip
 └─ [~] Metadata
     └─ [~] .aws:asset:path:
         ├─ [-] asset.1078233baef00262c3a474067860af08c6948e91911f23c184c81fd977410497
         └─ [+] asset.850221aad906011940bd40dd2b8310bd089e61849abe9c6b1b3613b10da31dbf
[~] AWS::ApiGateway::Stage AuthApiDeploymentStageprodB0E4172A
 └─ [~] DeploymentId
     └─ [~] .Ref:
         ├─ [-] AuthApiDeploymentB62B2E46cd727903b39a54701810720fe0a5fca4
         └─ [+] AuthApiDeploymentB62B2E4627f0b326f37b837e2a54a9393870f6be
[~] AWS::ApiGateway::Stage TokenApiDeploymentStageprod11035AE4
 └─ [~] DeploymentId
     └─ [~] .Ref:
         ├─ [-] TokenApiDeploymentB896C219b16a73c2bacf13dff150a851137e236c
         └─ [+] TokenApiDeploymentB896C2197f4fd8f40928d8ff6b65325e6f60c797
[~] AWS::ApiGateway::Stage ProfileApiDeploymentStageprodF609D968
 └─ [~] DeploymentId
     └─ [~] .Ref:
         ├─ [-] ProfileApiDeployment84A54415e0158c62574d24c31b8dbd21e82873c4
         └─ [+] ProfileApiDeployment84A54415afa95090416ea0bbd4b1d2aac5a9241c

Diff for stack: Frontend-prod - 0 to add, 2 to update, 0 to destroy 🟡

Details 
Resources
[~] AWS::CloudFront::Function WellKnownFunction5E8C00E8
 └─ [~] FunctionCode
     ├─ [-] function handler(event) {
  if (event.request.uri === '/.well-known/fxa-client-configuration') {
    return {
      statusCode: 200,
      statusDescription: 'OK',
      headers: {
        'content-type': { value: 'application/json' },
        'cache-control': { value: 'public, max-age=3600' }
      },
      body: '{"auth_server_base_url":"https://auth.prod.ffsync.layertwo.dev","oauth_server_base_url":"https://auth.prod.ffsync.layertwo.dev","profile_server_base_url":"https://profile.prod.ffsync.layertwo.dev","sync_tokenserver_base_url":"https://token.prod.ffsync.layertwo.dev","content_url":"https://prod.ffsync.layertwo.dev"}'
    };
  }
  return event.request;
}
     └─ [+] function handler(event) {
  if (event.request.uri === '/.well-known/fxa-client-configuration') {
    return {
      statusCode: 200,
      statusDescription: 'OK',
      headers: {
        'content-type': { value: 'application/json' },
        'cache-control': { value: 'public, max-age=3600' }
      },
      body: '{"auth_server_base_url":"https://auth.prod.ffsync.layertwo.dev","oauth_server_base_url":"https://auth.prod.ffsync.layertwo.dev","profile_server_base_url":"https://profile.prod.ffsync.layertwo.dev","sync_tokenserver_base_url":"https://token.prod.ffsync.layertwo.dev","content_url":"https://prod.ffsync.layertwo.dev","pairing_server_base_uri":"wss://channel.prod.ffsync.layertwo.dev"}'
    };
  }
  return event.request;
}
[~] Custom::CDKBucketDeployment DeployFrontendCustomResource3E02C3B7
 └─ [~] SourceObjectKeys
     └─ @@ -1,4 +1,4 @@
        [ ] [
        [-]   "3efa7116ad46ded79d60484fe90076d4e6aed6cd04933b728549b2a5fc2825ed.zip",
        [-]   "5f73fe051a4ac3ec0a13af2ed37612b2fb66e491197a38dcda0e676796c20aa9.zip"
        [+]   "be8fbce45c76f9f10f0be961f970ef7a48574cc277259ad4ff71fd4522026514.zip",
        [+]   "c393181dc54c1837490051e0b539fd4f9e26c830940aa7635bed18a6719891ec.zip"
        [ ] ]

No Changes for stack: Monitoring-prod ✅

Generated for commit dd018d1 at 2026-03-03T01:59:18.582Z

Repository owner deleted a comment from github-actions bot Mar 3, 2026
@layertwo layertwo merged commit 57fbe42 into mainline Mar 3, 2026
11 checks passed
@layertwo layertwo deleted the feat/device-pairing branch March 3, 2026 02:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@layertwo