When login-in via token, let a chance for user to set the password #3008
Conversation
When token is enabled, the login page will present a form to the user asking them if they want to set a password at the same time. This is almost equivalent to running `jupyter notebook password` on the command line. The experience can likely be better, but just submitting that as a POC for feedback
There was a problem hiding this comment.
Seems like a good idea to me.
Potential downsides:
- there is no mechanism to disallow setting a password, for token-only auth
- combined with Hash cookie secret with user hashed password. #3009, setting a password means that the next login will be logged out because the cookie secret will have changed. I'm not sure this is a big deal, but it could be annoying.
notebook/auth/login.py
Outdated
| self.set_login_cookie(self, uuid.uuid4().hex) | ||
| elif self.token and self.token == typed_password: | ||
| self.set_login_cookie(self, uuid.uuid4().hex) | ||
| if self.new_password: |
notebook/templates/login.html
Outdated
| @@ -85,6 +85,22 @@ | |||
| <p> | |||
| Cookies are required for authenticated access to notebooks. | |||
| </p> | |||
| <h3>{% trans %}Setup a Password{% endtrans %}</h3> | |||
There was a problem hiding this comment.
This whole block should be conditional on password not being set already. And there should probably be a set_password_available for explicit disabling, as well.
|
Yep I thought to most of those. I'm even considering redirecting users to
the login screen immediately if they set a password to be sure it works.
I'll work on that this week-end or next week. Thanks !
…On Nov 3, 2017 03:22, "Min RK" ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In notebook/templates/login.html
<#3008 (comment)>:
> @@ -85,6 +85,22 @@
<p>
Cookies are required for authenticated access to notebooks.
</p>
+ <h3>{% trans %}Setup a Password{% endtrans %}</h3>
This whole block should be conditional on password not being set already.
And there should probably be a set_password_available for explicit
disabling, as well.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#3008 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAUez1m-FiumTBm5vjmyfmz-qBAZxkEHks5syulbgaJpZM4QQLYK>
.
|
|
Updated w/ documentation and options to disable. |
notebook/notebookapp.py
Outdated
| allow_password_change = Bool(True, config=True, | ||
| help="""Allow password to be changed at login for the notebook server. | ||
|
|
||
| While login-in with a token, the notebook server UI will give the opportunity to |
| </div> | ||
| <div class="form-group"> | ||
| <input type="password" name="new_password" id="new_password_input" | ||
| class="form-control" placeholder="New password" required> |
There was a problem hiding this comment.
Should we get the user to type the new password twice, and check that it's the same?
There was a problem hiding this comment.
I don't think it is necessary, they can still issue jupyter notebook password to reset.
|
Can you show a screenshot of the new login page? |
Document the changing of password.
|
In the end I think we want a change-password page that may or may not be available, and potentially pre-fill the token if it is given in the URL (and not redirect). Though I do not want to spend too much time on that as most user will not even see this change password field.
|
|
Thanks. I'm happy to merge this and see how it goes, but I'll give it a while for other people to have a look. |
docs/source/public_server.rst
Outdated
| command line. | ||
|
|
||
| The ability to change the password at first login time may be disabled by | ||
| integrations by setting the ``--NotebookApp.allow_password_change=True`` |
Oops. Should be fixed. |
When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running
jupyter notebook passwordon the commandline.
The experience can likely be better, but just submitting that as a POC
for feedback