Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

When login-in via token, let a chance for user to set the password #3008

Merged
merged 3 commits into from Nov 15, 2017

Conversation

Projects
None yet
4 participants
@Carreau
Copy link
Contributor

Carreau commented Nov 2, 2017

When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running jupyter notebook password on the command
line.

The experience can likely be better, but just submitting that as a POC
for feedback

When login-in via token, let a chance for user to set the password
When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running `jupyter notebook password` on the command
line.

The experience can likely be better, but just submitting that as a POC
for feedback
@minrk
Copy link
Member

minrk left a comment

Seems like a good idea to me.

Potential downsides:

  • there is no mechanism to disallow setting a password, for token-only auth
  • combined with #3009, setting a password means that the next login will be logged out because the cookie secret will have changed. I'm not sure this is a big deal, but it could be annoying.
self.set_login_cookie(self, uuid.uuid4().hex)
elif self.token and self.token == typed_password:
self.set_login_cookie(self, uuid.uuid4().hex)
if self.new_password:

This comment has been minimized.

@minrk

minrk Nov 3, 2017

Member

extra self.

@@ -85,6 +85,22 @@
<p>
Cookies are required for authenticated access to notebooks.
</p>
<h3>{% trans %}Setup a Password{% endtrans %}</h3>

This comment has been minimized.

@minrk

minrk Nov 3, 2017

Member

This whole block should be conditional on password not being set already. And there should probably be a set_password_available for explicit disabling, as well.

@Carreau

This comment has been minimized.

Copy link
Contributor Author

Carreau commented Nov 3, 2017

@Carreau

This comment has been minimized.

Copy link
Contributor Author

Carreau commented Nov 11, 2017

Updated w/ documentation and options to disable.

allow_password_change = Bool(True, config=True,
help="""Allow password to be changed at login for the notebook server.
While login-in with a token, the notebook server UI will give the opportunity to

This comment has been minimized.

@takluyver

takluyver Nov 13, 2017

Member

logging in

</div>
<div class="form-group">
<input type="password" name="new_password" id="new_password_input"
class="form-control" placeholder="New password" required>

This comment has been minimized.

@takluyver

takluyver Nov 13, 2017

Member

Should we get the user to type the new password twice, and check that it's the same?

This comment has been minimized.

@Carreau

Carreau Nov 13, 2017

Author Contributor

I don't think it is necessary, they can still issue jupyter notebook password to reset.

@takluyver

This comment has been minimized.

Copy link
Member

takluyver commented Nov 13, 2017

Can you show a screenshot of the new login page?

Add option disabled changing password at login.
Document the changing of password.

@Carreau Carreau force-pushed the Carreau:autopawd branch from 5495366 to a897141 Nov 13, 2017

@Carreau

This comment has been minimized.

Copy link
Contributor Author

Carreau commented Nov 13, 2017

In the end I think we want a change-password page that may or may not be available, and potentially pre-fill the token if it is given in the URL (and not redirect).

Though I do not want to spend too much time on that as most user will not even see this change password field.

screen shot 2017-11-13 at 07 55 02

@takluyver

This comment has been minimized.

Copy link
Member

takluyver commented Nov 13, 2017

Thanks. I'm happy to merge this and see how it goes, but I'll give it a while for other people to have a look.

@minrk

minrk approved these changes Nov 15, 2017

Copy link
Member

minrk left a comment

Minor comment that I think the flag for disabling password change is True where it should be False, but 👍 to merge with that typo fixed (or my understanding corrected).

command line.

The ability to change the password at first login time may be disabled by
integrations by setting the ``--NotebookApp.allow_password_change=True``

This comment has been minimized.

@minrk

minrk Nov 15, 2017

Member

=False

@Carreau

This comment has been minimized.

Copy link
Contributor Author

Carreau commented Nov 15, 2017

Minor comment that I think the flag for disabling password change is True where it should be False, but 👍 to merge with that typo fixed (or my understanding corrected).

Oops. Should be fixed.

@takluyver takluyver merged commit 74fbc5b into jupyter:master Nov 15, 2017

4 checks passed

codecov/patch 27.27% of diff hit (target 0%)
Details
codecov/project 78.74% (-0.06%) compared to c097387
Details
continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@Carreau Carreau deleted the Carreau:autopawd branch Aug 25, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.