This opens a session with full access to the given Firefox Account in
order to get the credentials to access Firefox Sync.
By design, this means this program will have to access to your plaintext
password. It doesn't store it, and just forwards it to [fxa-js-client](https://www.npmjs.com/package/fxa-js-client)
which handles the actual authentication.
### OAuth
You're given a OAuth URL to open in your browser, where you can input
your password in Mozilla's own website, which will in turn grant access
to this program by redirecting to a URL that includes an authentication
code.
With this method, the program never gets access to the plaintext
password, on top of being granted a token with restricted permissions.
That said there's [currently no way](https://www.codejam.info/2021/08/scripting-firefox-sync-lockwise-complete-oauth.html#a-note-about-granular-scopes)
to request access to specific Firefox Sync collections meaning that this
grant will have access to all the native Firefox Sync collections.
Because this program doesn't have its own OAuth client ID, it uses the
public client ID from the [Lockwise Android app](https://github.com/mozilla-lockwise/lockwise-android/blob/d3c0511f73c34e8759e1bb597f2d3dc9bcc146f0/app/src/main/java/mozilla/lockbox/support/Constant.kt#L29%3E).
This means that we don't control the OAuth redirect URL, and can't set
it to a temporary server on some random `localhost` port, which would
allow seamless authentication of this CLI. To work around that, the CLI
will kindly ask you to open the OAuth URL in Firefox, which it knows how
to poll for "visited places" by querying `places.sqlite` in the profile
directory. It will be able to detect the Android app redirect URL to
extract the OAuth code and complete the authentication process.
In case this doesn't work (it's clearly a hack, let's face it), consider