Allow re-authentication in editor after 401 response

[jaswilli]

This PR supersedes #3492. The commit from #3492 has been rebased and is now working. There are some UX and other minor details that need to be sorted out:

A couple things I noticed right away (there are likely others as well):

• There's currently no feedback after the re-authentication succeeds or fails.
• Credentials need to be cleared from the controller after the re-auth attempt.
• The modal needs to be styled.

[ErisDS]

@JohnONolan & @PaulAdamDavis this PR includes a new modal that allows you to sign back in on the editor in the event that you get logged out. It currently looks like this:

Needs some ❤️ 😉

[PaulAdamDavis]

Along with changing the class on the button, add this to the bottom of core/client/assets/sass/components/modals.scss

The extra spacing under the title comes from #4632

// Modal login styles
.modal-body .login-form {
    display: block; // Override inherited `display: table-cell;`

    .email-wrap,
    .password-wrap {
        input {
            width: 100%;
        }
    }

    @media (max-width: 900px) {
        margin: 0 auto;
        max-width: 264px;

        .email-wrap,
        .password-wrap {
            width: 100%;
            margin: 0 auto 1em;
        }

        .btn {
            margin: 0;
            width: 100%;
            margin-bottom: 1em;
        }
    }

    @media (min-width: 901px) {
        .email-wrap,
        .password-wrap {
            width: calc(50% - 5px);
        }

        .email-wrap {
            float: left;
        }

        .password-wrap {
            float: right;
        }

        .btn {
            margin-top: 8px;
            float: right;
        }
    }
}

[jaswilli]

Thanks @PaulAdamDavis -- updated with those changes.

[jaswilli]

What do we think about only allowing the re-auth to be against the user that was previously logged in by either pre-filling the username field (and making it readonly) or just only showing a password prompt?

It's really not appropriate to log in as a different user in this situation and from a technical standpoint--who knows what would happen. Basically we'd have to reset the application, which is exactly the opposite of what we're trying to accomplish here.

[JohnONolan]

+1

[jaswilli]

Updated to only allow re-auth as the previously logged in user.

I also added a notification after a successful re-auth because it felt really...abrupt without any feedback. But let me know if no notification is preferred.

Anyway, I think this in a pretty workable state right now so it'd be great if people could take it for a spin and see if there are any issues.

[jaswilli]

Also, for anyone who wants to test this, you can get the modal to come up by opening the editor, deleting the access token from the database (delete from accesstokens;) and then clicking the save button in the editor.

[jaswilli]

[ErisDS]

@jaswilli are you happy with this now?

Just saw you took the WIP tag off so I assume yes, Sorry!

[jaswilli]

Yeah, I took off the WIP because it seems pretty good to me. Definitely open to feedback and more changes though.

[ErisDS]

I think it might be worth adding the user-select false CSS rule to the disabled input? Just because if you try to select the email and hit backspace it actually goes back and gets a bit confusing.

[ErisDS]

Otherwise seems to be working pretty awesomely!

[jaswilli]

As far as I know user-select doesn't work on input elements. I could change the email address to be in a span instead and make it unselectable:

[JohnONolan]

I don't think we should display email at all, just "Please re-authenticate" (for the heading) and password field?

[jaswilli]

@JohnONolan how about this?:

edit (I can change the header to please re-authenticate)

[jaswilli]

Screenshot from PR as it stands right now:

[JohnONolan]

Perfect - just need @PaulAdamDavis to followup with CSS on the form

[JohnONolan]

Also what happens if I click on the X ?

[jaswilli]

Also what happens if I click on the X ?

The modal just goes away and you're back in the editor. From there if you try to navigate away you'll get the "Are you sure you want to leave?" modal, or if you do something that triggers another 401 (i.e. saving) the re-auth modal will come back up.

[PaulAdamDavis]

Here's some minor style changes (thought it would be clearer sharing the whole block instead of line-per-line comments.

It looks like this on desktop. Mobile view hasn't changed.

// Modal login styles
.modal-body .login-form {
    display: block; // Override inherited `display: table-cell;`

    .password-wrap {
        input {
            width: 100%;
        }
    }

    @media (max-width: 900px) {
        margin: 0 auto;
        max-width: 264px;

        .password-wrap {
            width: 100%;
            margin: 0 auto 1em;
        }

        .btn {
            margin: 0;
            width: 100%;
            margin-bottom: 1em;
        }
    }

    @media (min-width: 901px) {
        display: flex;

        .password-wrap {
            flex: 1;
        }
    }
}

[sebgie]

Tested, looks very good to me 👍! When the CSS changes from Pauls comment are in, this is good to go.

[jaswilli]

Updated CSS is in. Thanks again, @PaulAdamDavis