Identity/Firefox Accounts/Account lockout

Here is an implementation plan for the account lockout feature of Firefox Accounts.

• Original requirements
• Technical proposal

Task breakdown

• fxa-customs-server
  • keep track of failed attempts against an account (regardless of the IP address)
  • add a new flag to the `failedLoginAttempt` API endpoint
  • https://github.com/mozilla/fxa-customs-server/pull/60
• fxa-auth-db-server
  • add new flag in DB
  • https://github.com/mozilla/fxa-auth-db-server/issues/89
• fxa-auth-mailer
  • add new "unlock" email (copy and l10n needed)
  • https://github.com/mozilla/fxa-auth-mailer/issues/16
• fxa-auth-server
  • add new errno=104 return code to /account/{destroy,login} and /password/change/start
  • implement and document new API endpoints: /account/unlock/{verify_code,resend_code}
  • clear the locked flag on successful password resets
  • add locked property to the data returned by /account/status
  • https://github.com/mozilla/fxa-auth-server/issues/801
• fxa-content-server
  • check for errno=104 on /account/{destroy,login} and /password/change/start
  • new error message for locked accounts (copy and l10n needed)
  • https://github.com/mozilla/fxa-content-server/issues/1760
• fennec (in the 36 cycle)
  • check for errno=104 on /account/login (fennec doesn't expose account destruction or password change)
  • new error page for locked accounts (using the copy from the content server)
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1080242

Deployment timeline

1. deploy the new customs server with support for account lockout
2. update auth server DB schema on production
3. deploy auth mailer with the extra email added
4. deploy content server with support for the new error code
5. deploy auth server which honours locked accounts