1049943 - Ship New Login

Status: RESOLVED FIXED

(Webmaker Graveyard :: Login, defect)

Description

[Matthew Willse [:mattheww]]

Complete functional prototype of new login for Webmaker.

Based on...
 - ux prototype: https://webmaker.etherpad.mozilla.org/llooggiinn
 - details: https://webmaker.etherpad.mozilla.org/passwordless
 - discussion: https://webmaker.etherpad.mozilla.org/conquering-login

Comment 1

[Matthew Willse [:mattheww]]

punchlist of primary functionality:

login
 - send a handshake/token (done)
   - 30 mins expiry. single use. expire on failure? (done)
 - alert if no user exists (done)
   - add link "want to signup?" (done)
 - send a login as token & link (done!)
 - request a password if one exists

signup
 - create new user (done)
 - alert if user already exists (done)
 - add button to sign in (done)

misc
 - allow use of email or username
 - allow user to add/remove password

persona
 - add button to modal
 - if user doesn't exists, but tries with persona ... drop them into new flow
 - consider conflicts. transition issues?

popcorn
 - integration without angular

dev
 - simplify setup for devs who want to contribute

Comment 2

[Matthew Willse [:mattheww]]

another feature to implement...

persist login
 - consider options and how we inform users
   - modal checkbox "stay logged in" (for users typing in key)
   - email could offer "Login now" or for "one year"

Comment 3

[Chris DeCairos (:cade)]

Attachment: Lol Have fun

Comment 4

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/webmaker.org/pull/935

Webmaker.org Patch

Comment 5

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/login.webmaker.org/pull/294

Login server patch

Comment 6

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/webmaker-auth/pull/15

Webmaker Auth Patch

Comment 7

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/webmaker-auth-client/pull/36

Comment 8

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/sawmill/pull/27

Sawmill Patch

Comment 9

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/lumberyard/pull/18

Lumberyard Patch

Comment 10

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/webmaker-mailroom/pull/10

Mailroom Patch

Comment 11

[Chris DeCairos (:cade)]

TODO:

1. log reset links and token login links to console, so devs don't need sawmill/lumberyard running
2. need password change.. somewhere. I.E. logged in user can delete, or change password
3. copy, copy, copy
4. make everything localizable, because I got lazy and didn't
5. probably more things I can't think of.

Comment 12

[Matthew Willse [:mattheww]]

Thanks for the update Chris. 

5. Allow users to associate a secondary email address with their account. Already possible?

Comment 13

[Chris DeCairos (:cade)]

(In reply to mattheww from comment #12)
> 5. Allow users to associate a secondary email address with their account.
> Already possible?

Not currently, but could be done with a little bit of extra work.

Comment 14

[Chris DeCairos (:cade)]

Comment on attachment 8473197 [details] [review]
https://github.com/mozilla/lumberyard/pull/18

This is not needed thanks to webmaker-mailroom.

Comment 15

[Chris DeCairos (:cade)]

I have the WIP prototype up at http://webmaker-handshake.herokuapp.com (not guaranteeing it will be there forever!)

If you do use it's password feature, don't be silly and use a password you use for real world accounts, it's a prototype running on HTTP and is not secure.

Comment 16

[Chris DeCairos (:cade)]

(In reply to Chris DeCairos (:cade) from comment #15)
> If you do use it's password feature, don't be silly and use a password you

ugh, I mean "if you use the password feature"...

Comment 17

[Chris DeCairos (:cade)]

I've added a button on the reset page that will remove a user's password, setting them up for OTPs (one time passwords)

Comment 18

[Jon Buckley [:jbuck]]

Comment on attachment 8473190 [details] [review]
https://github.com/mozilla/webmaker.org/pull/935

We should be refactoring this into a separate Angular module, rather than building it into webmaker.org specifically

Comment 19

[Jon Buckley [:jbuck]]

Comment on attachment 8473194 [details] [review]
https://github.com/mozilla/webmaker-auth-client/pull/36

there is a whole lot of example in here... needed for the heroku pwless app?

Comment 20

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/login.webmaker.org/pull/295

sans password implementation (one time passwords only)

Comment 21

[Chris DeCairos (:cade)]

I've added optional, Redis backed rate limiting to login. It's applied to the token generation and verification routes.

/api/v2/user/request - rate limiting keyed on IP and email address. one request per minute right now. Should it be more?

/api/v2/user/authenticateToken - rate limiting keyed on IP and email address. Ten requests per 10 seconds. It should theoretically take ~190 days to iterate over all possible login tokens at that rate limit, but a login token expires in 30 minutes (subject to change).

Comment 22

[Chris DeCairos (:cade)]

I've changed login tokens to be randomly generated human readable strings, using node's crypto.randomBytes function and a module called proquint (https://github.com/deoxxa/proquint)

Tokens are now 11 characters long, and take the form of (v=vowel,c=consonant): "cvcvc-cvcvc"

If I'm not mistaken, that means roughly 20 * 4 * 20 * 4 * 20 * 20 * 4 * 20 * 4 * 20 (16 Billion) different combinations of passwords. (proquint uses only 20 consonants and 4 vowels when generating strings) at a rate of 10 pass attempts per ten seconds, it'd take a cracker 189,000 days to iterate all possible combinations.

with a window of only 30 minutes to expire the odds of correctly guessing the password (assuming 3600 guesses) is 2.197×10^-5% or, fairly low.

Comment 23

[Jon Buckley [:jbuck]]

Comment on attachment 8480052 [details] [review]
https://github.com/mozilla/login.webmaker.org/pull/295

I added some nits, but this is ready to roll IMHO

Comment 24

[[github robot]]

Commit pushed to master at https://github.com/mozilla/login.webmaker.org

https://github.com/mozilla/login.webmaker.org/commit/302dfb3f952ac10d4fcf7937bb2bbc6200981945
Bug 1049943 - Implement Token Login Strategy

Comment 25

[[github robot]]

Commit pushed to master at https://github.com/mozilla/webmaker-mailroom

https://github.com/mozilla/webmaker-mailroom/commit/08bf5c3db912b6a8e5bb83caa9aa7dde71be830f
Bug 1049943 - login request email and tests

Comment 26

[Chris DeCairos (:cade)]

I've put this together:

https://webmaker.etherpad.mozilla.org/WebmakerLoginShippingPlan

Comment 27

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/sawmill/pull/31

Comment 28

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/webmaker-mailroom/pull/13

Comment 29

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/webmaker-events-2/pull/217

Webmaker Events front end patch for new login

Comment 30

[Chris DeCairos (:cade)]

Attachment: https://github.com/mozilla/webmaker-profile-2/pull/127

Webmaker Profile (2) patch for new login.

Comment 31

[Jon Buckley [:jbuck]]

Attachment: https://github.com/mozilla/login.webmaker.org/pull/302

Comment 32

[Matt Thompson (@OpenMatt :OpenMatt)]

* the [oct17] train has now left the station
* so please update with [oct31], [nov14], [nov28], etc.

Comment 33

[Matt Thompson (@OpenMatt :OpenMatt)]

* Just confirmed with Login group: we're not going to push anything to production pre MozFest

Comment 34

[Jon Buckley [:jbuck]]

Comment on attachment 8507140 [details] [review]
https://github.com/mozilla/login.webmaker.org/pull/302

Some very small nits noted in this PR

Comment 35

[Jon Buckley [:jbuck]]

Comment on attachment 8473190 [details] [review]
https://github.com/mozilla/webmaker.org/pull/935

Flag me when the feature flag is removed, and all of the webmaker-auth-client cruft is removed.

Comment 36

[Chris DeCairos (:cade)]

Comment on attachment 8507140 [details] [review]
https://github.com/mozilla/login.webmaker.org/pull/302

because I discovered a giant derp (see latest patch) I wants another review.

Comment 37

[Jon Buckley [:jbuck]]

Comment on attachment 8507140 [details] [review]
https://github.com/mozilla/login.webmaker.org/pull/302

Lookin' good

Comment 38

[inactivate account for kate]

Comment on attachment 8506431 [details] [review]
https://github.com/mozilla/webmaker-profile-2/pull/127

Looks good to me!

Comment 39

[inactivate account for kate]

Comment on attachment 8506430 [details] [review]
https://github.com/mozilla/webmaker-events-2/pull/217

Everything looks fine here, I noticed a slight css problem on the links in alerts: 

https://k88hudson-screenshots.s3.amazonaws.com/screen-shots/k88mac@2x_2014-10-30_at_3.31.54_PM.png

Comment 40

[Jon Buckley [:jbuck]]

Comment on attachment 8473190 [details] [review]
https://github.com/mozilla/webmaker.org/pull/935

r+ if you remove the switching bit

Comment 41

[Chris DeCairos (:cade)]

NOTE:

We must disable New Relic RUM everywhere:

reason: https://github.com/iriscouch/browser-request/issues/36

Comment 42

[Matt Thompson (@OpenMatt :OpenMatt)]

* [nov14] is past -- please update to [nov28] train or later

Comment 43

[[github robot]]

Commit pushed to master at https://github.com/mozilla/webmaker.org

https://github.com/mozilla/webmaker.org/commit/56b87197c5a188794d7451ca729af0c2afb8f283
Bug 1049943 - Reland Webmaker Login 3.0

This reverts commit f819b5fcb56b182ede5bf78e9e010ad44a3e8bbc.

Conflicts:
	public/js/angular/app.js
	public/views/partials/user-box.html