Improved password reset and session invalidation for "locked" users #11790
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
naz
commented
May 4, 2020
naz
commented
- Fixed error message when "locked user tries to login to show specific error instead of generic "Access Denied"
- Changed copy for password reset message to: "As a security precaution, your password must be reset. Click "Forgot?" to receive an email with instructions."
- Improved error returned by permission layer for non-active users. Allows Ghost-Admin to redirect them to signin screen instead of being stuck with "Resource Not Found" error
- Instead of returning generic 'access' denied message when error happens durin `User.check` we want to return more specific error thrown iside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user
- Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password
|
For reference, old error returned by permission layer for "locked" users was 404 with following content: A new response is 401: |
naz
added a commit
to naz/Ghost-Admin
that referenced
this pull request
May 5, 2020
refs TryGhost/Ghost#11790 - After user fails to signin due to "locked" being locked a new view with automatic email message and more instructions will be shown to make the password reset process easier.
naz
added a commit
to TryGhost/Admin
that referenced
this pull request
May 5, 2020
refs TryGhost/Ghost#11790 - After user fails to signin due to "locked" being locked a new view with automatic email message and more instructions will be shown to make the password reset process easier. - Refined instructions screen - Added icon + animation - Refined copy Co-authored-by: Nazar Gargol <nazargargol@gmail.com>
|
@naz I think the new error response should be using the same |
|
@kevinansfield pushed that already 😉 |
|
Both client and here. The whole PR is ready for review and merge I think |
naz
commented
May 5, 2020
| @@ -15,6 +15,10 @@ module.exports = { | |||
| })); | |||
| } | |||
|
|
|||
| if (foundUser.get('status') !== 'active') { | |||
There was a problem hiding this comment.
Ensures redirect to /signin for the Ghost-Admin when the user becomes "locked" with an active session.
naz
commented
May 5, 2020
package.json
Outdated
| @@ -83,7 +83,7 @@ | |||
| "express-query-boolean": "2.0.0", | |||
| "express-session": "1.17.1", | |||
| "fs-extra": "9.0.0", | |||
| "ghost-ignition": "4.1.0", | |||
| "ghost-ignition": "4.2.0", | |||
There was a problem hiding this comment.
Introduces new UnauthorizedError error to be used with "locked" users
naz
commented
May 5, 2020
| } | ||
|
|
||
| if (err.errorType === 'PasswordResetRequiredError') { | ||
| await api.authentication.generateResetToken({ |
There was a problem hiding this comment.
@kevinansfield what is your opinion this function call type. It awaits for the response currently but was also thinking to make it "fire-and-forget" style of call. Wdyt?
There was a problem hiding this comment.
Only issue with "fire-and-forget" is that problems with mail config never surface, just appears like emails never arrived. That's typically only a problem for self-hosters though.
- used by 3rd party clients where the email is necessary for users to know why login is failing
kevinansfield
added a commit
that referenced
this pull request
May 6, 2020
refs #11790 - reduced complexity by sticking to one email for both normal reset and forced reset (locked staff accounts) - exposed `siteTitle` for use in any email templates - updated email copy to be suitable for both types of password reset
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.