-
Notifications
You must be signed in to change notification settings - Fork 325
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] Normalize OSF Verification Key [#OSF-6560] #5964
[Feature] Normalize OSF Verification Key [#OSF-6560] #5964
Conversation
… right after use. [skip ci]
- use get_verfiication_key() for token generation - remove redundant get_confirm_token() and unused get_claim_token() - add 'expires' to each record - check token equality and expires when verifying claim
14d7a1e
to
b1a6581
Compare
… ci]" This reverts commit c8a0fac.
b6c62c3
to
617d2eb
Compare
- fix test_modles.TestUnregisteredUser - revert previous changes
7c58b9b
to
6be7705
Compare
# <token> : { | ||
# 'email': <email address>, | ||
# 'expiration': <datetime>, | ||
# 'confirmed': whether user is confirmed or not |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For CR: just updated the comments, no code change
…o feature/verification-key. - remove should-have-gone `reset_password()` form auth views - remove should-have-gone code segment which is part of `test_can_reset_password_if_form_success()` from web tests - update resetpassowrd.mako to include `${username}` in form action
8a48de7
to
2039dca
Compare
|
||
|
||
@collect_auth | ||
def reset_password(auth, **kwargs): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[To CR] Deprecated Code
As discussed with @mfraezz , the resend claim confirmation will be handled in another improvement/feature ticket: https://openscience.atlassian.net/browse/OSF-6998, which takes care of https://openscience.atlassian.net/browse/OSF-6673 along the way. |
""" | ||
|
||
# If user is already logged in, log user out | ||
# TODO: discuss this with @MattF |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please ignore this # TODO
, it was supposed to be added here https://github.com/CenterForOpenScience/osf.io/pull/5964/files#diff-9a64b4982d0bd80f7a498c65ddce2023R138.
As discussed on Friday, the decision is to log users out if they are already logged in instead of redirecting them to dashboard for both reset_password_get
and forgot_password_get
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this be removed, then?
'message_short': 'Invalid url.', | ||
'message_long': 'The verification key in the URL is invalid or has expired.' | ||
'message_short': 'Invalid Request.', | ||
'message_long': 'The requested URL is invalid, has expired, or was already used', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
update: a better message from product @saradbowman. The message is more informative without leaking the exact failure.
468d802
to
31d08eb
Compare
LGTM 🌳 Dropping this RTM |
…o feature/verification-key.
@cslzchen There are some merge conflicts that need resolving. |
- use verification key v2 - institution: no verificatiton key is generated - meetings: verification key v2 generated for resetting password
- replace `str verificiation_type` with `bool reset_password` - update usage and test
@@ -108,21 +108,24 @@ def register_unconfirmed(username, password, fullname, campaign=None): | |||
return user | |||
|
|||
|
|||
def get_or_create_user(fullname, address, is_spam=False): | |||
"""Get or create user by email address. | |||
def get_or_create_user(fullname, address, reset_password=True, is_spam=False): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add reset_password
:
- for new user from institution login, no need to ask user to reset password after creation, thus no verification key
- for conference
add_poster_by_email
, create user and send user confirmation email to reset password, generate reset password verification key
EXPIRATION_TIME_DICT = { | ||
'password': 30, # 30 minutes for forgot and reset password | ||
'confirm': 24 * 60, # 24 hours in minutes for confirm account and email | ||
'claim': 30 * 24 * 60 # 30 days in minutes for claim contributor-ship |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
set 30 days instead of 7 days claim token, change back to 7 days after resend claim confirmation is implemented: OSF-6998.
@@ -556,17 +553,25 @@ def unconfirmed_email_add(auth=None): | |||
}, 200 | |||
|
|||
|
|||
def send_confirm_email(user, email, external_id_provider=None, external_id=None): | |||
def send_confirm_email(user, email, renew=False, external_id_provider=None, external_id=None): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when user asks to resend confirmation email, refresh the token with renew = True
""" | ||
|
||
# If user is already logged in, log user out | ||
# if users are logged in, log them out and redirect back to this page | ||
if auth.logged_in: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"log user out and redirect back" is more secure and less confusing than just "go to dashboard"
same for forgot_password_get
# clear verification key (v2) | ||
user_obj.verification_key_v2 = {} | ||
# new verification key (v1) for CAS | ||
user_obj.verification_key = generate_verification_key(verification_type=None) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cas login with username and verification key still uses v1 given it is instant verification
30ed520
to
10419b7
Compare
Update
verification key
Purpose
Issue
When user forgets and resets password, verification key never gets deleted unless overwritten. In addition, validation only checks the key. Neither the user to whom it belongs nor whether it has expired is checked. Furthermore, verification key are used twice instead of "one-time" for several tasks.
Fix
Add
User.verification_key_v2
which contains both the token string and an expiration time. Validation now checks username, token and expiration time. Renew the key once used.Further Fix
There are two other functionality "User Claim Contributor-ship" and "Send/Resend Registration Confirmation Email" that have similar issue. Although they have their own way of verification, both are fixed with the same idea.
Changes
Normalized Verification Key
Other
get_or_create_user()
with verification key.get_claim_token()
andget_confirm_token()
.Side effects
Ticket
https://openscience.atlassian.net/browse/OSF-6560
https://openscience.atlassian.net/browse/SEC-33