Closed Bug 1049943 Opened 11 years ago Closed 10 years ago

Ship New Login

Categories

(Webmaker Graveyard :: Login, defect)

Product:
Webmaker Graveyard
Component:
Login
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mattheww, Assigned: jon)

References

Details

(Whiteboard: [login3] [dec24] [login])

Attachments

(10 files, 4 obsolete files)

https://github.com/mozilla/webmaker.org/pull/935
48 bytes, text/x-github-pull-request
jon
: review+
Details | Review
https://github.com/mozilla/webmaker-auth/pull/15
48 bytes, text/x-github-pull-request
jon
: review+
Details | Review
https://github.com/mozilla/sawmill/pull/27
42 bytes, text/x-github-pull-request
jon
: review+
Details | Review
https://github.com/mozilla/webmaker-mailroom/pull/10
52 bytes, text/x-github-pull-request
jon
: review+
Details | Review
https://github.com/mozilla/login.webmaker.org/pull/295
54 bytes, text/x-github-pull-request
jon
: review+
Details | Review
https://github.com/mozilla/sawmill/pull/31
42 bytes, text/x-github-pull-request
erik
: review+
Details | Review
https://github.com/mozilla/webmaker-mailroom/pull/13
52 bytes, text/x-github-pull-request
erik
: review+
Details | Review
https://github.com/mozilla/webmaker-events-2/pull/217
53 bytes, text/x-github-pull-request
kate
: review+
Details | Review
https://github.com/mozilla/webmaker-profile-2/pull/127
54 bytes, text/x-github-pull-request
kate
: review+
Details | Review
https://github.com/mozilla/login.webmaker.org/pull/302
54 bytes, text/x-github-pull-request
jon
: review+
Details | Review
Complete functional prototype of new login for Webmaker. Based on... - ux prototype: https://webmaker.etherpad.mozilla.org/llooggiinn - details: https://webmaker.etherpad.mozilla.org/passwordless - discussion: https://webmaker.etherpad.mozilla.org/conquering-login
punchlist of primary functionality: login - send a handshake/token (done) - 30 mins expiry. single use. expire on failure? (done) - alert if no user exists (done) - add link "want to signup?" (done) - send a login as token & link (done!) - request a password if one exists signup - create new user (done) - alert if user already exists (done) - add button to sign in (done) misc - allow use of email or username - allow user to add/remove password persona - add button to modal - if user doesn't exists, but tries with persona ... drop them into new flow - consider conflicts. transition issues? popcorn - integration without angular dev - simplify setup for devs who want to contribute
another feature to implement... persist login - consider options and how we inform users - modal checkbox "stay logged in" (for users typing in key) - email could offer "Login now" or for "one year"
Attached file Lol Have fun (obsolete) —
Attachment #8473186 - Flags: review?(jon)
Webmaker.org Patch
Attachment #8473190 - Flags: review?(jon)
Login server patch
Attachment #8473192 - Flags: review?(jon)
Webmaker Auth Patch
Attachment #8473193 - Flags: review?(jon)
Attachment #8473194 - Flags: review?(jon)
Sawmill Patch
Attachment #8473196 - Flags: review?(jon)
Attached file https://github.com/mozilla/lumberyard/pull/18 (obsolete) —
Lumberyard Patch
Attachment #8473197 - Flags: review?(jon)
Mailroom Patch
Attachment #8473186 - Attachment is obsolete: true
Attachment #8473186 - Flags: review?(jon)
Attachment #8473198 - Flags: review?(jon)
TODO: 1. log reset links and token login links to console, so devs don't need sawmill/lumberyard running 2. need password change.. somewhere. I.E. logged in user can delete, or change password 3. copy, copy, copy 4. make everything localizable, because I got lazy and didn't 5. probably more things I can't think of.
Status: NEW → ASSIGNED
Thanks for the update Chris. 5. Allow users to associate a secondary email address with their account. Already possible?
(In reply to mattheww from comment #12) > 5. Allow users to associate a secondary email address with their account. > Already possible? Not currently, but could be done with a little bit of extra work.
Comment on attachment 8473197 [details] [review] https://github.com/mozilla/lumberyard/pull/18 This is not needed thanks to webmaker-mailroom.
Attachment #8473197 - Attachment is obsolete: true
Attachment #8473197 - Flags: review?(jon)
I have the WIP prototype up at http://webmaker-handshake.herokuapp.com (not guaranteeing it will be there forever!) If you do use it's password feature, don't be silly and use a password you use for real world accounts, it's a prototype running on HTTP and is not secure.
(In reply to Chris DeCairos (:cade) from comment #15) > If you do use it's password feature, don't be silly and use a password you ugh, I mean "if you use the password feature"...
I've added a button on the reset page that will remove a user's password, setting them up for OTPs (one time passwords)
Depends on: 1057041
Depends on: 1057357
Attachment #8473192 - Flags: review?(jon) → review-
Attachment #8473193 - Flags: review?(jon) → review-
Comment on attachment 8473190 [details] [review] https://github.com/mozilla/webmaker.org/pull/935 We should be refactoring this into a separate Angular module, rather than building it into webmaker.org specifically
Attachment #8473190 - Flags: review?(jon) → review-
Comment on attachment 8473194 [details] [review] https://github.com/mozilla/webmaker-auth-client/pull/36 there is a whole lot of example in here... needed for the heroku pwless app?
Attachment #8473194 - Flags: review?(jon) → review-
Attachment #8473196 - Flags: review?(jon) → review-
Attachment #8473198 - Flags: review?(jon) → review+
Depends on: 1058630
sans password implementation (one time passwords only)
Attachment #8473192 - Attachment is obsolete: true
Attachment #8480052 - Flags: review?(jon)
I've added optional, Redis backed rate limiting to login. It's applied to the token generation and verification routes. /api/v2/user/request - rate limiting keyed on IP and email address. one request per minute right now. Should it be more? /api/v2/user/authenticateToken - rate limiting keyed on IP and email address. Ten requests per 10 seconds. It should theoretically take ~190 days to iterate over all possible login tokens at that rate limit, but a login token expires in 30 minutes (subject to change).
I've changed login tokens to be randomly generated human readable strings, using node's crypto.randomBytes function and a module called proquint (https://github.com/deoxxa/proquint) Tokens are now 11 characters long, and take the form of (v=vowel,c=consonant): "cvcvc-cvcvc" If I'm not mistaken, that means roughly 20 * 4 * 20 * 4 * 20 * 20 * 4 * 20 * 4 * 20 (16 Billion) different combinations of passwords. (proquint uses only 20 consonants and 4 vowels when generating strings) at a rate of 10 pass attempts per ten seconds, it'd take a cracker 189,000 days to iterate all possible combinations. with a window of only 30 minutes to expire the odds of correctly guessing the password (assuming 3600 guesses) is 2.197Ă—10^-5% or, fairly low.
Comment on attachment 8480052 [details] [review] https://github.com/mozilla/login.webmaker.org/pull/295 I added some nits, but this is ready to roll IMHO
Attachment #8480052 - Flags: review?(jon) → review+
Attachment #8473196 - Flags: review- → review?(jon)
Attachment #8473196 - Flags: review?(jon) → review+
Depends on: 1073005
Attachment #8473193 - Flags: review- → review?(jon)
Attachment #8473194 - Flags: review- → review?(jon)
Depends on: 1075796
Summary: Functional Prototype of Login → Ship New Login
Whiteboard: [login3] → [login3][oct17]
Depends on: 1083260
Depends on: 1083261
Depends on: 1083266
Depends on: 1083306
Whiteboard: [login3][oct17] → [login3][oct17][login]
Attachment #8473194 - Attachment is obsolete: true
Attachment #8473194 - Flags: review?(jon)
Attachment #8473190 - Flags: review- → review?(jon)
Attachment #8496929 - Flags: review?(jon)
Attachment #8496929 - Flags: review?(jon) → review?(erik)
Attachment #8496927 - Flags: review?(jon) → review?(erik)
Attachment #8496927 - Flags: review?(erik) → review+
Attachment #8496929 - Flags: review?(erik) → review+
Webmaker Events front end patch for new login
Webmaker Profile (2) patch for new login.
* the [oct17] train has now left the station * so please update with [oct31], [nov14], [nov28], etc.
Attachment #8473193 - Flags: review?(jon) → review+
Whiteboard: [login3][oct17][login] → [login3] [oct17] [login]
* Just confirmed with Login group: we're not going to push anything to production pre MozFest
Whiteboard: [login3] [oct17] [login] → [login3] [nov14] [login]
Comment on attachment 8507140 [details] [review] https://github.com/mozilla/login.webmaker.org/pull/302 Some very small nits noted in this PR
Attachment #8507140 - Flags: review?(jon) → review+
Comment on attachment 8473190 [details] [review] https://github.com/mozilla/webmaker.org/pull/935 Flag me when the feature flag is removed, and all of the webmaker-auth-client cruft is removed.
Attachment #8473190 - Flags: review?(jon) → review-
Depends on: 1086595
Comment on attachment 8507140 [details] [review] https://github.com/mozilla/login.webmaker.org/pull/302 because I discovered a giant derp (see latest patch) I wants another review.
Attachment #8507140 - Flags: review+ → review?(jon)
Depends on: 1086939
Attachment #8473190 - Flags: review- → review?(jon)
Attachment #8506430 - Flags: review?(jon)
Attachment #8506431 - Flags: review?(jon)
Depends on: 1088195
Depends on: 1088347
Depends on: 1088816
Depends on: 1089552
Depends on: 1088830
Depends on: 1090283
Depends on: 1090285
Depends on: 1090286
Depends on: 1091261
Attachment #8506431 - Flags: review?(jon) → review?(kate)
Comment on attachment 8473190 [details] [review] https://github.com/mozilla/webmaker.org/pull/935 r+ if you remove the switching bit
Attachment #8473190 - Flags: review?(jon) → review+
NOTE: We must disable New Relic RUM everywhere: reason: https://github.com/iriscouch/browser-request/issues/36
Depends on: 1093317
Depends on: 1093748
Depends on: 1093752
Depends on: 1093821
Depends on: 1093824
Depends on: 1093877
Depends on: 1093881
Depends on: 1094249
Depends on: 1094254
Depends on: 1094256
Depends on: 1095078
Depends on: 1095161
Depends on: 1095710
Depends on: 1098411
Depends on: 1099231
Depends on: 1098570
Depends on: 1099009
Depends on: 1099203
Depends on: 1098568
Depends on: 1097053
Depends on: 1099020
Depends on: 1099300
* [nov14] is past -- please update to [nov28] train or later
Blocks: 1101213
Whiteboard: [login3] [nov14] [login] → [login3] [nov28] [login]
Depends on: 1101661
Depends on: 1102452
Depends on: 1104344
Depends on: 1106197
Assignee: cade → jon
Whiteboard: [login3] [nov28] [login] → [login3] [dec24] [login]
Commit pushed to master at https://github.com/mozilla/webmaker.org https://github.com/mozilla/webmaker.org/commit/56b87197c5a188794d7451ca729af0c2afb8f283 Bug 1049943 - Reland Webmaker Login 3.0 This reverts commit f819b5fcb56b182ede5bf78e9e010ad44a3e8bbc. Conflicts: public/js/angular/app.js public/views/partials/user-box.html
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: