-
-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improved password reset and session invalidation for "locked" users #11790
Improved password reset and session invalidation for "locked" users #11790
Conversation
naz
commented
May 4, 2020
- Fixed error message when "locked user tries to login to show specific error instead of generic "Access Denied"
- Changed copy for password reset message to: "As a security precaution, your password must be reset. Click "Forgot?" to receive an email with instructions."
- Improved error returned by permission layer for non-active users. Allows Ghost-Admin to redirect them to signin screen instead of being stuck with "Resource Not Found" error
- Instead of returning generic 'access' denied message when error happens durin `User.check` we want to return more specific error thrown iside of the method, e.g.: 'accountLocked' or 'accountSuspended' - Fixed messaging for 'accountLocked' i18n, which not corresponds to the actual UI available to the end user
- Currently Ghost API was returning 404 for users having status set to "locked". This lead the user to be stuck in Ghost-Admin with "Rousource Not Found" error message. - By returning 401 for non-"active" users it allows for the Ghost-Admin to redirect the user to "signin" screen where they would be instructed to reset their password
For reference, old error returned by permission layer for "locked" users was 404 with following content:
A new response is 401:
|
refs TryGhost/Ghost#11790 - After user fails to signin due to "locked" being locked a new view with automatic email message and more instructions will be shown to make the password reset process easier.
refs TryGhost/Ghost#11790 - After user fails to signin due to "locked" being locked a new view with automatic email message and more instructions will be shown to make the password reset process easier. - Refined instructions screen - Added icon + animation - Refined copy Co-authored-by: Nazar Gargol <nazargargol@gmail.com>
@naz I think the new error response should be using the same |
@kevinansfield pushed that already 😉 |
Both client and here. The whole PR is ready for review and merge I think |
@@ -15,6 +15,10 @@ module.exports = { | |||
})); | |||
} | |||
|
|||
if (foundUser.get('status') !== 'active') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ensures redirect to /signin
for the Ghost-Admin when the user becomes "locked" with an active session.
package.json
Outdated
@@ -83,7 +83,7 @@ | |||
"express-query-boolean": "2.0.0", | |||
"express-session": "1.17.1", | |||
"fs-extra": "9.0.0", | |||
"ghost-ignition": "4.1.0", | |||
"ghost-ignition": "4.2.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Introduces new UnauthorizedError
error to be used with "locked" users
} | ||
|
||
if (err.errorType === 'PasswordResetRequiredError') { | ||
await api.authentication.generateResetToken({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kevinansfield what is your opinion this function call type. It awaits for the response currently but was also thinking to make it "fire-and-forget" style of call. Wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only issue with "fire-and-forget" is that problems with mail config never surface, just appears like emails never arrived. That's typically only a problem for self-hosters though.
- used by 3rd party clients where the email is necessary for users to know why login is failing
refs #11790 - reduced complexity by sticking to one email for both normal reset and forced reset (locked staff accounts) - exposed `siteTitle` for use in any email templates - updated email copy to be suitable for both types of password reset