Closed
Bug 1049943
Opened 10 years ago
Closed 10 years ago
Ship New Login
Categories
(Webmaker Graveyard :: Login, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mattheww, Assigned: jon)
References
Details
(Whiteboard: [login3] [dec24] [login])
Attachments
(10 files, 4 obsolete files)
48 bytes, text/x-github-pull-request | jon: review+
48 bytes, text/x-github-pull-request | jon: review+
42 bytes, text/x-github-pull-request | jon: review+
52 bytes, text/x-github-pull-request | jon: review+
54 bytes, text/x-github-pull-request | jon: review+
42 bytes, text/x-github-pull-request | erik: review+
52 bytes, text/x-github-pull-request | erik: review+
53 bytes, text/x-github-pull-request | kate: review+
54 bytes, text/x-github-pull-request | kate: review+
54 bytes, text/x-github-pull-request | jon: review+
Complete functional prototype of new login for Webmaker. Based on...
- ux prototype: https://webmaker.etherpad.mozilla.org/llooggiinn
- details: https://webmaker.etherpad.mozilla.org/passwordless
- discussion: https://webmaker.etherpad.mozilla.org/conquering-login
Reporter | ||
Comment 1•10 years ago
|
||
punchlist of primary functionality:

login
- send a handshake/token (done)
- 30 mins expiry. single use. expire on failure? (done)
- alert if no user exists (done)
- add link "want to signup?" (done)
- send a login as token & link (done!)
- request a password if one exists

signup
- create new user (done)
- alert if user already exists (done)
- add button to sign in (done)

misc
- allow use of email or username
- allow user to add/remove password

persona
- add button to modal
- if user doesn't exist, but tries with persona ... drop them into new flow
- consider conflicts. transition issues?

popcorn
- integration without angular dev
- simplify setup for devs who want to contribute
Reporter | ||
Comment 2•10 years ago
|
||
another feature to implement...

persist login
- consider options and how we inform users
- modal checkbox "stay logged in" (for users typing in key)
- email could offer "Login now" or for "one year"
Comment 3•10 years ago
|
||
Attachment #8473186 -
Flags: review?(jon)
Comment 7•10 years ago
|
||
Attachment #8473194 -
Flags: review?(jon)
Comment 10•10 years ago
|
||
Mailroom Patch
Attachment #8473186 -
Attachment is obsolete: true
Attachment #8473186 -
Flags: review?(jon)
Attachment #8473198 -
Flags: review?(jon)
Comment 11•10 years ago
|
||
TODO:
1. log reset links and token login links to console, so devs don't need sawmill/lumberyard running
2. need password change.. somewhere. I.E. logged in user can delete, or change password
3. copy, copy, copy
4. make everything localizable, because I got lazy and didn't
5. probably more things I can't think of.
Updated•10 years ago
|
Status: NEW → ASSIGNED
Reporter | ||
Comment 12•10 years ago
|
||
Thanks for the update Chris.

5. Allow users to associate a secondary email address with their account. Already possible?
Comment 13•10 years ago
|
||
(In reply to mattheww from comment #12)
> 5. Allow users to associate a secondary email address with their account.
> Already possible?

Not currently, but could be done with a little bit of extra work.
Comment 14•10 years ago
|
||
Comment on attachment 8473197
https://github.com/mozilla/lumberyard/pull/18

This is not needed thanks to webmaker-mailroom.
Attachment #8473197 -
Attachment is obsolete: true
Attachment #8473197 -
Flags: review?(jon)
Comment 15•10 years ago
|
||
I have the WIP prototype up at http://webmaker-handshake.herokuapp.com (not guaranteeing it will be there forever!) If you do use it's password feature, don't be silly and use a password you use for real world accounts, it's a prototype running on HTTP and is not secure.
Comment 16•10 years ago
|
||
(In reply to Chris DeCairos (:cade) from comment #15)
> If you do use it's password feature, don't be silly and use a password you

ugh, I mean "if you use the password feature"...
Comment 17•10 years ago
|
||
I've added a button on the reset page that will remove a user's password, setting them up for OTPs (one time passwords)
Assignee | ||
Updated•10 years ago
|
Attachment #8473192 -
Flags: review?(jon) → review-
Assignee | ||
Updated•10 years ago
|
Attachment #8473193 -
Flags: review?(jon) → review-
Assignee | ||
Comment 18•10 years ago
|
||
Comment on attachment 8473190
https://github.com/mozilla/webmaker.org/pull/935

We should be refactoring this into a separate Angular module, rather than building it into webmaker.org specifically
Attachment #8473190 -
Flags: review?(jon) → review-
Assignee | ||
Comment 19•10 years ago
|
||
Comment on attachment 8473194
https://github.com/mozilla/webmaker-auth-client/pull/36

there is a whole lot of example in here... needed for the heroku pwless app?
Attachment #8473194 -
Flags: review?(jon) → review-
Assignee | ||
Updated•10 years ago
|
Attachment #8473196 -
Flags: review?(jon) → review-
Assignee | ||
Updated•10 years ago
|
Attachment #8473198 -
Flags: review?(jon) → review+
Comment 20•10 years ago
|
||
sans password implementation (one time passwords only)
Attachment #8473192 -
Attachment is obsolete: true
Attachment #8480052 -
Flags: review?(jon)
Comment 21•10 years ago
|
||
I've added optional, Redis backed rate limiting to login. It's applied to the token generation and verification routes.

/api/v2/user/request - rate limiting keyed on IP and email address. one request per minute right now. Should it be more?

/api/v2/user/authenticateToken - rate limiting keyed on IP and email address. Ten requests per 10 seconds. It should theoretically take ~190 days to iterate over all possible login tokens at that rate limit, but a login token expires in 30 minutes (subject to change).
Comment 22•10 years ago
|
||
I've changed login tokens to be randomly generated human readable strings, using node's crypto.randomBytes function and a module called proquint (https://github.com/deoxxa/proquint)

Tokens are now 11 characters long, and take the form of (v=vowel,c=consonant): "cvcvc-cvcvc"

If I'm not mistaken, that means roughly 20 * 4 * 20 * 4 * 20 * 20 * 4 * 20 * 4 * 20 (16 Billion) different combinations of passwords. (proquint uses only 20 consonants and 4 vowels when generating strings)

at a rate of 10 pass attempts per ten seconds, it'd take a cracker 189,000 days to iterate all possible combinations. with a window of only 30 minutes to expire the odds of correctly guessing the password (assuming 3600 guesses) is 2.197×10^-5% or, fairly low.
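The token format and guessing odds discussed in comments 21 and 22, as an added example that is not part of the original comments or the Webmaker code base: it encodes CSPRNG bytes with the alphabets of the proquint specification (16 consonants and 4 vowels, so a two-group token carries 32 bits) and computes the chance of a hit within the expiry window under a rate limit. The function names are hypothetical, and the alphabet sizes are parameters so the figure from the comment can be reproduced.

```javascript
// Added example (not code from login.webmaker.org); all names are hypothetical.
const crypto = require('crypto');

// Alphabets from the proquint specification: 16 consonants (4 bits each)
// and 4 vowels (2 bits each), so one "cvcvc" group carries 16 bits.
const CONSONANTS = 'bdfghjklmnprstvz';
const VOWELS = 'aiou';

// Encode one 16-bit word as a five-letter cvcvc group.
function encodeWord(w) {
  return CONSONANTS[(w >> 12) & 0xf] + VOWELS[(w >> 10) & 0x3] +
         CONSONANTS[(w >> 6) & 0xf] + VOWELS[(w >> 4) & 0x3] +
         CONSONANTS[w & 0xf];
}

// Encode a buffer of even, non-zero length as dash-separated groups.
function encodeProquint(buf) {
  if (buf.length === 0 || buf.length % 2 !== 0) {
    throw new RangeError('buffer length must be a positive multiple of 2');
  }
  const groups = [];
  for (let i = 0; i < buf.length; i += 2) {
    groups.push(encodeWord(buf.readUInt16BE(i)));
  }
  return groups.join('-');
}

// A "cvcvc-cvcvc" login token: 32 bits taken from the CSPRNG.
function newLoginToken() {
  return encodeProquint(crypto.randomBytes(4));
}

// Number of distinct tokens made of `groups` cvcvc groups.
function keyspace(groups, consonants = CONSONANTS.length, vowels = VOWELS.length) {
  return Math.pow(Math.pow(consonants, 3) * Math.pow(vowels, 2), groups);
}

// Guesses one rate-limit key gets before the token expires, and the chance
// that one of them matches a single live token.
function guessProbability({ perWindow, windowSeconds, ttlSeconds, space }) {
  const guesses = Math.floor(ttlSeconds / windowSeconds) * perWindow;
  return { guesses, probability: Math.min(1, guesses / space) };
}

// Limits quoted in the thread: 10 verifications per 10 s, 30 minute expiry.
const thread = { perWindow: 10, windowSeconds: 10, ttlSeconds: 30 * 60 };
const specOdds = guessProbability({ ...thread, space: keyspace(2) });
const commentOdds = guessProbability({ ...thread, space: keyspace(2, 20, 4) });
console.log(newLoginToken(), specOdds, commentOdds);
```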
Assignee | ||
Comment 23•10 years ago
|
||
Comment on attachment 8480052
https://github.com/mozilla/login.webmaker.org/pull/295

I added some nits, but this is ready to roll IMHO
Attachment #8480052 -
Flags: review?(jon) → review+
Comment 24•10 years ago
|
||
Commit pushed to master at https://github.com/mozilla/login.webmaker.org

https://github.com/mozilla/login.webmaker.org/commit/302dfb3f952ac10d4fcf7937bb2bbc6200981945
Bug 1049943 - Implement Token Login Strategy
Comment 25•10 years ago
|
||
Commit pushed to master at https://github.com/mozilla/webmaker-mailroom

https://github.com/mozilla/webmaker-mailroom/commit/08bf5c3db912b6a8e5bb83caa9aa7dde71be830f
Bug 1049943 - login request email and tests
Updated•10 years ago
|
Attachment #8473196 -
Flags: review- → review?(jon)
Assignee | ||
Updated•10 years ago
|
Attachment #8473196 -
Flags: review?(jon) → review+
Comment 26•10 years ago
|
||
I've put this together: https://webmaker.etherpad.mozilla.org/WebmakerLoginShippingPlan
Updated•10 years ago
|
Attachment #8473193 -
Flags: review- → review?(jon)
Updated•10 years ago
|
Attachment #8473194 -
Flags: review- → review?(jon)
Comment 27•10 years ago
|
||
Attachment #8496927 -
Flags: review?(jon)
Comment 28•10 years ago
|
||
Updated•10 years ago
|
Summary: Functional Prototype of Login → Ship New Login
Whiteboard: [login3] → [login3][oct17]
Updated•10 years ago
|
Whiteboard: [login3][oct17] → [login3][oct17][login]
Updated•10 years ago
|
Attachment #8473194 -
Attachment is obsolete: true
Attachment #8473194 -
Flags: review?(jon)
Updated•10 years ago
|
Attachment #8473190 -
Flags: review- → review?(jon)
Updated•10 years ago
|
Attachment #8496929 -
Flags: review?(jon)
Updated•10 years ago
|
Attachment #8496929 -
Flags: review?(jon) → review?(erik)
Updated•10 years ago
|
Attachment #8496927 -
Flags: review?(jon) → review?(erik)
Updated•10 years ago
|
Attachment #8496927 -
Flags: review?(erik) → review+
Updated•10 years ago
|
Attachment #8496929 -
Flags: review?(erik) → review+
Comment 29•10 years ago
|
||
Webmaker Events front end patch for new login
Comment 30•10 years ago
|
||
Webmaker Profile (2) patch for new login.
Assignee | ||
Comment 31•10 years ago
|
||
Attachment #8507140 -
Flags: review?(jon)
Comment 32•10 years ago
|
||
* the [oct17] train has now left the station * so please update with [oct31], [nov14], [nov28], etc.
Assignee | ||
Updated•10 years ago
|
Attachment #8473193 -
Flags: review?(jon) → review+
Updated•10 years ago
|
Whiteboard: [login3][oct17][login] → [login3] [oct17] [login]
Comment 33•10 years ago
|
||
* Just confirmed with Login group: we're not going to push anything to production pre MozFest
Whiteboard: [login3] [oct17] [login] → [login3] [nov14] [login]
Assignee | ||
Comment 34•10 years ago
|
||
Comment on attachment 8507140
https://github.com/mozilla/login.webmaker.org/pull/302

Some very small nits noted in this PR
Attachment #8507140 -
Flags: review?(jon) → review+
Assignee | ||
Comment 35•10 years ago
|
||
Comment on attachment 8473190
https://github.com/mozilla/webmaker.org/pull/935

Flag me when the feature flag is removed, and all of the webmaker-auth-client cruft is removed.
Attachment #8473190 -
Flags: review?(jon) → review-
Comment 36•10 years ago
|
||
Comment on attachment 8507140
https://github.com/mozilla/login.webmaker.org/pull/302

because I discovered a giant derp (see latest patch) I wants another review.
Attachment #8507140 -
Flags: review+ → review?(jon)
Assignee | ||
Comment 37•10 years ago
|
||
Comment on attachment 8507140
https://github.com/mozilla/login.webmaker.org/pull/302

Lookin' good
Attachment #8507140 -
Flags: review?(jon) → review+
Updated•10 years ago
|
Attachment #8473190 -
Flags: review- → review?(jon)
Updated•10 years ago
|
Attachment #8506430 -
Flags: review?(jon)
Updated•10 years ago
|
Attachment #8506431 -
Flags: review?(jon)
Updated•10 years ago
|
Attachment #8506431 -
Flags: review?(jon) → review?(kate)
Comment 38•10 years ago
|
||
Comment on attachment 8506431
https://github.com/mozilla/webmaker-profile-2/pull/127

Looks good to me!
Attachment #8506431 -
Flags: review?(kate) → review+
Comment 39•10 years ago
|
||
Comment on attachment 8506430
https://github.com/mozilla/webmaker-events-2/pull/217

Everything looks fine here, I noticed a slight css problem on the links in alerts: https://k88hudson-screenshots.s3.amazonaws.com/screen-shots/k88mac@2x_2014-10-30_at_3.31.54_PM.png
Attachment #8506430 -
Flags: review?(jon) → review+
Assignee | ||
Comment 40•10 years ago
|
||
Comment on attachment 8473190
https://github.com/mozilla/webmaker.org/pull/935

r+ if you remove the switching bit
Attachment #8473190 -
Flags: review?(jon) → review+
Comment 41•10 years ago
|
||
NOTE: We must disable New Relic RUM everywhere: reason: https://github.com/iriscouch/browser-request/issues/36
Comment 42•10 years ago
|
||
* [nov14] is past -- please update to [nov28] train or later
Updated•10 years ago
|
Whiteboard: [login3] [nov14] [login] → [login3] [nov28] [login]
Assignee | ||
Updated•10 years ago
|
Assignee: cade → jon
Updated•10 years ago
|
Whiteboard: [login3] [nov28] [login] → [login3] [dec24] [login]
Comment 43•10 years ago
|
||
Commit pushed to master at https://github.com/mozilla/webmaker.org

https://github.com/mozilla/webmaker.org/commit/56b87197c5a188794d7451ca729af0c2afb8f283
Bug 1049943 - Reland Webmaker Login 3.0

This reverts commit f819b5fcb56b182ede5bf78e9e010ad44a3e8bbc.

Conflicts:
public/js/angular/app.js
public/views/partials/user-box.html
Assignee | ||
Updated•10 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED