feat: implement device management endpoints#269
Merged
Conversation
Add 4 FxA device management endpoints to eliminate 403 errors during
sync. New DeviceManager service stores device records in the auth
DynamoDB table (DEVICE#{uid}#{deviceId} partition key).
Endpoints:
- POST /v1/account/device — register or update a device
- GET /v1/account/devices — list devices with idle filtering
- GET /v1/account/attached_clients — list connected services
- POST /v1/account/devices/notify — accept notifications (no-op)
The session Hawk middleware now injects hawk_token_id into the event
context alongside hawk_uid, enabling device routes to correlate
devices with sessions without re-parsing the Authorization header.
Send Tab (command queue + push) deferred to a future PR.
Diff for stage: DefaultStageDiff for stack: GitHubOidcStack - 0 to add, 1 to update, 0 to destroy 🟡DetailsResources
[~] Custom::AWSCDKOpenIdConnectProvider GitHubOidcProvider7EBF861F
├─ [~] CodeHash
│ ├─ [-] 62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb
│ └─ [+] d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50
└─ [~] RejectUnauthorized
[~] AWS::Lambda::Function CustomAWSCDKOpenIdConnectProviderCustomResourceProviderHandlerF2C543E0
├─ [~] Code
│ └─ [~] .S3Key:
│ ├─ [-] 62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb.zip
│ └─ [+] d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50.zip
└─ [~] Metadata
└─ [~] .aws:asset:path:
├─ [-] asset.62fa02efcaa700e1c247e1d3cc2aa0cd07a0808a9a3e3d2230e51f57a02233fb
└─ [+] asset.d75c48c9f82cde63e9bf414df335e84e8ac24f11eb34889be255b702aec71e50
Diff for stack: Service-prod - 0 to add, 0 to update, 0 to destroy ✅DetailsResources
[~] AWS::Lambda::Function AuthApiHandlerED50ACFA
├─ [~] Code
│ └─ [~] .S3Key:
│ ├─ [-] 5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988.zip
│ └─ [+] 61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e.zip
└─ [~] Metadata
└─ [~] .aws:asset:path:
├─ [-] asset.5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988
└─ [+] asset.61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e
[~] AWS::Lambda::Function TokenApiHandler2E66DB25
├─ [~] Code
│ └─ [~] .S3Key:
│ ├─ [-] 5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988.zip
│ └─ [+] 61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e.zip
└─ [~] Metadata
└─ [~] .aws:asset:path:
├─ [-] asset.5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988
└─ [+] asset.61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e
[~] AWS::Lambda::Function ProfileApiHandler9B65A298
├─ [~] Code
│ └─ [~] .S3Key:
│ ├─ [-] 5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988.zip
│ └─ [+] 61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e.zip
└─ [~] Metadata
└─ [~] .aws:asset:path:
├─ [-] asset.5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988
└─ [+] asset.61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e
[~] AWS::Lambda::Function ApiHandler5E7490E8
├─ [~] Code
│ └─ [~] .S3Key:
│ ├─ [-] 5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988.zip
│ └─ [+] 61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e.zip
└─ [~] Metadata
└─ [~] .aws:asset:path:
├─ [-] asset.5174e8eb39d2a8923c1463ac8268cc0ba8191e0dbc87557af1d142a35d5b5988
└─ [+] asset.61dce01fd53c44c40e667bd8b0d495ecfe2c0bf3e7aa815d976dc2dea640468e
[~] AWS::Lambda::Function ChannelApiHandler02759D57
├─ [~] Code
│ └─ [~] .S3Key:
│ ├─ [-] 0823488cf4518e58ff22331aa868f9110776de70f7cba2b156f42954b11061e8.zip
│ └─ [+] c57f3f60d974052ab670829f75267201e439864ef969e852054809342a2cfefd.zip
└─ [~] Metadata
└─ [~] .aws:asset:path:
├─ [-] asset.0823488cf4518e58ff22331aa868f9110776de70f7cba2b156f42954b11061e8
└─ [+] asset.c57f3f60d974052ab670829f75267201e439864ef969e852054809342a2cfefd
No Changes for stack: Frontend-prod ✅ Generated for commit 6ef2c93 at 2026-03-03T04:10:27.836Z |
Coverage report
Click to see where and how coverage changed
This report was generated by python-coverage-comment-action |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
DeviceManagerservice for device CRUD in the auth DynamoDB tablehawk_token_idfor device-session correlationEndpoints
/v1/account/device/v1/account/devicesfilterIdleDevicesTimestamp)/v1/account/attached_clients/v1/account/devices/notifyContext
Firefox calls these 4 endpoints during every sync cycle. They were returning 403 because they weren't implemented. While sync works without them, the errors cause noisy logs and prevent device registration (needed for Send Tab later).
Test plan