Apparently we didn't have an issue to track this, so here's a blob of (lightly edited) out of context text from internal discussions:
The list is much smaller than I anticipated. The things we care about are:
- Account deactivation (currently at the bottom of the first tab in settings)
- 3PID (email, phone) adding
- Deleting devices (both in bulk and individually)
The other things the backend team might want is a way to test "fallback auth", which is Riot just opening a page instead of using a native UI for the auth step. In theory this could be a dialog within Riot or just opening a new tab.
At risk of over-explaining it: User-Interactive Authentication (UIA) is a framework for requiring arbitrary steps to be completed before an action can be taken. The spec defines a few possibilities, but the server could request anything (in theory). In practice, we can be reasonably sure which steps (also known as flows in the UIA world) will be offered by the server so we don't need to design for every single eventuality here (yet). We currently support password auth on those endpoints, but the bug is that Mozilla and other SSO users don't have passwords and can't do certain things with their accounts.
The backend team is also currently working on supporting the feature, so the last few stages of it are still somewhat undefined (how we get info from the SSO system into Riot so it can shove it over to the server).
Related issues:
Apparently we didn't have an issue to track this, so here's a blob of (lightly edited) out of context text from internal discussions:
The list is much smaller than I anticipated. The things we care about are:
The other things the backend team might want is a way to test "fallback auth", which is Riot just opening a page instead of using a native UI for the auth step. In theory this could be a dialog within Riot or just opening a new tab.
At risk of over-explaining it: User-Interactive Authentication (UIA) is a framework for requiring arbitrary steps to be completed before an action can be taken. The spec defines a few possibilities, but the server could request anything (in theory). In practice, we can be reasonably sure which steps (also known as flows in the UIA world) will be offered by the server so we don't need to design for every single eventuality here (yet). We currently support password auth on those endpoints, but the bug is that Mozilla and other SSO users don't have passwords and can't do certain things with their accounts.
The backend team is also currently working on supporting the feature, so the last few stages of it are still somewhat undefined (how we get info from the SSO system into Riot so it can shove it over to the server).
Related issues: