Add account validation capability to the accounts plugin #1982
Conversation
magopian
force-pushed
the
1973-account-validation
branch
from
a8216cf
to
0ff6728
Compare
There was a problem hiding this comment.
Hi, thanks for the feature, it's great!
Here's some feedback:
-
Why not adding a flag to note if the account is validated or not, rather than relying on some other fields? I tend to think that explicit is better than implicit.
-
At first, I had trouble to understand what this
activation-form-urlwas made for, but from what I understand, it's purpose is to add a link in the validation email that is sent to the user.
I have an alternative proposal for this one: what about this flow:
- WebApp creates a new user. It specifies a
validation_redirect_url - Kinto stores all the data and sens an email
- The user clicks on the link in the email
- Browser issues a GET request to the Kinto server with the activation key
- Kinto server validates the account
- Kinto server issues a redirect response to the
redirection_url
magopian
force-pushed
the
1973-account-validation
branch
from
ba6102a
to
9dd642e
Compare
@almet the idea (discussed in #1973) is that modifying the user record should not be done with a GET, but with a POST (or PATCH). So the The WebApp should do this POST asynchronously, in the background (everything kinto related should be done this way in a WebApp I believe), so I'm not sure we need a redirection url. I'm not arguing against the GET and redirection url though ;) |
Why displaying a form if the user clicks on the link already? The Webapp could do the POST directly, saving an extra click, and staying RESTful. If we decide to go this way, we could have a default webapp shipped direclty with kinto-accounts, which will do the POST on behalf of the user, and letting the ability to the developer to specify a different webapp to use. |
If we're comfortable with modifying a record without a user explicit action (auto-POSTing a form), I'd be ok with going all in and changing the If we do that, then there's no more need for an In any case, the Maybe we should discuss this in another issue/PR? |
|
Ok, the current work on the user creation and validation should be done now, and properly documented. What's left to discuss before this can be merged: |
magopian
force-pushed
the
1973-account-validation
branch
2 times, most recently
from
8268dc3
to
9313147
Compare
|
After an out-of-band discussion with @Natim we came to the conclusion that this PR could be slightly modified: 1/ don't require an |
|
Not sure what you mean with « email context ». You mean a template? Also, In addition to what you've described, I think that if we go with a POST to validate the account, then we should provide a simple WebApp that does the POSTing automatically, in order to have a easy-to-setup account registration mechanism (e.g. as an admin deploying the stack, I want this to be simple enough) |
|
As for delaying reset password to another PR, I think it's un-necessary, unless you're in a hurry having this shipped (in which case, do as you prefer!) |
No the context to render the template aka: |
We could as an example but it is quite orthogonal to the service code. |
|
As for delaying reset password to another PR, I think it's un-necessary, unless you're in a hurry having this shipped (in which case, do as you prefer!)
Some softwares have UI that are not browsers (e.g. a CLI script), which is why I think this is necessary to have by default. |
In that case they might not use links to validate the account. |
I think I missed something then. To me, if I register an account with the command line, the workflow is as follows:
Unfortunately, users use links in the emails to validate the accounts, and this happens through HTTP GET requests only. What other scenario do you have in mind to avoid this webapp? |
This is the case when working with a webapp, but if you are using a software you might want to use the following:
|
|
Ah yes! I haven't thought about this solution. I remember that's what Twitter used to do in the past :-) That being said, I tend to prefer the « user clicks on the link » solution, because it's simpler. What's the value of having the user copy a verification code over clicking a link in an email, apart not having to implement an UI? |
|
I think it is up to the developper to define the flow, I am not against building a little Elm demo webapp if it pleases you. We can even pair on it once this lands. |
I agree, we need to let the possibility for the developer to tweak the flow, if they want it to be different. One major selling point of kinto is « don't reinvent the wheel each time », and as such, I believe we should provide the golden path for everything. Something that makes it easy for everyone to use accounts, without having to implement something special. |
|
I agree with you in the scope of Kinto which is an API. As soon as you have front-end facing experience, it is not the place of Kinto to solve it. However we could decide that the kinto-admin has got a built-in page to handle that. |
|
I agree, but I believe that if we start solving one problem (here having accounts validation), then we need to do it completely, and painlessly for the devs that want to use it. As a side note, I think we're kinda going in circles with this discussion. I don't really mind disagreeing, but if anyone wants to weight in in order to move forward on this topic that would be beneficial :-) cc @leplatrem @glasserc |
|
I'm not sure you really want to hear my opinion, so I've been trying to stay out of it, but since you asked: I don't think Kinto is a good foundation for the kinds of thing you want to do. I don't like the current Kinto accounts plugin and I would prefer Kinto core not be cluttered with support for all the different possible things some developer might want an accounts system to do. I think the PostgREST approach here is pretty solid: don't do any user stuff whatsoever -- delegate that to some other service -- but allow people to present JWTs to prove their identities. I recently saw https://github.com/netlify/gotrue which seems like a pretty nice product, but if you wanted to build something open source I would certainly support that too. |
I agree with you and I guess it is why we decided to put the account code in a plugin. As of why plugins ships with Kinto itself, this is another story. |
|
Wow, such long thread. Here's a plan: Once this is done, we can decide if it's good enough to land. Regarding the "sample webapp that kinto should provide": let's discuss this in another issue, I'd like to not delay the landing of this functionality for too long. We can still improve in the future if we want (eg: also allowing a GET to validate an endpoint, providing redirect URL, providing a sample webapp, ...). |
magopian
force-pushed
the
1973-account-validation
branch
from
9181735
to
9f16d46
Compare
magopian
force-pushed
the
1973-account-validation
branch
from
c68665a
to
80a7cae
Compare
|
Ok folks, I hope I have addressed all your comments and reviews, but one thing: the heartbeat request. I've seen @natim PR and would love that they merge it. In any case, I'd love this PR to land as is, and maybe in the future add the heartbeat. There's also this comment I'm not sure how to deal with it. What do you think @Natim @leplatrem @almet? Anything else I'm missing? |
kinto/plugins/accounts/__init__.py
Outdated
| # according to | ||
| # https://docs.pylonsproject.org/projects/pyramid_mailer/en/latest/#debugging | ||
| mailer = settings.get("mail.mailer", "") | ||
| config.include("pyramid_mailer" + ("." + mailer if mailer else "")) |
There was a problem hiding this comment.
| config.include("pyramid_mailer" + ("." + mailer if mailer else "")) | |
| config.include("pyramid_mailer" + (f".{mailer}" if mailer else "")) |
|
Quick note: it seems the |
Yes we should probably fix it. Feel free to add a test for it if you want. |
| .. code-block:: ini | ||
|
|
||
| # Set the regular expression used to validate a proper email address. | ||
| kinto.account_validation.email_regexp = "^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$" |
There was a problem hiding this comment.
that's an "additional restriction", it doesn't take over/replace what's declared in https://github.com/Kinto/kinto/blob/master/kinto/plugins/accounts/views.py#L33 (if that's the root cause of this issue, not sure yet, I'm investigating)
There was a problem hiding this comment.
Maybe shall we use the same regex for both?
There was a problem hiding this comment.
I don't think it's the same use case: in one case (no account validation) you want to allow a few set of characters, in the other case you might want to restrict emails to a given sub-domain.
There was a problem hiding this comment.
I don't think it's the same use case: in one case (no account validation) you want to allow a few set of characters, in the other case you might want to restrict emails to a given sub-domain.
Yeah makes sense 👍
magopian
force-pushed
the
1973-account-validation
branch
from
13052e5
to
9309fb5
Compare
There was a problem hiding this comment.
Almost r+ :)
I re-read everything :) This PR is huge but the feature is a valuable addition! Thanks a lot for your patience on this!
More seriously, my main concern is the organization of docs between settings and API. We should mention the context in the API docs, and leave settings as concise as possible.
And also some repeated code about cache manipulation that could be gathered in utils.
magopian
force-pushed
the
1973-account-validation
branch
from
f28b95e
to
b3b6cc1
Compare
magopian
force-pushed
the
1973-account-validation
branch
from
b3b6cc1
to
bfde10d
Compare
|
I believe I've addressed all your comments @leplatrem please let me know if I missed anything (in particular, are you happy with the way the docs are organized now?) |
Fixes #1973
Try it here: https://kinto.github.io/kinto-account-demo/
kinto.tplfile with it.This is a work in progress, may I have some feedback on the current work before pushing forward with the reset password functionality and the documentation?
Thanks!