Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

When login-in via token, let a chance for user to set the password #3008

Merged
merged 3 commits into from Nov 15, 2017

Conversation

@Carreau
Copy link
Member

@Carreau Carreau commented Nov 2, 2017

When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running jupyter notebook password on the command
line.

The experience can likely be better, but just submitting that as a POC
for feedback

When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running `jupyter notebook password` on the command
line.

The experience can likely be better, but just submitting that as a POC
for feedback
Copy link
Member

@minrk minrk left a comment

Seems like a good idea to me.

Potential downsides:

  • there is no mechanism to disallow setting a password, for token-only auth
  • combined with #3009, setting a password means that the next login will be logged out because the cookie secret will have changed. I'm not sure this is a big deal, but it could be annoying.

self.set_login_cookie(self, uuid.uuid4().hex)
elif self.token and self.token == typed_password:
self.set_login_cookie(self, uuid.uuid4().hex)
if self.new_password:
Copy link
Member

@minrk minrk Nov 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extra self.

@@ -85,6 +85,22 @@
<p>
Cookies are required for authenticated access to notebooks.
</p>
<h3>{% trans %}Setup a Password{% endtrans %}</h3>
Copy link
Member

@minrk minrk Nov 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This whole block should be conditional on password not being set already. And there should probably be a set_password_available for explicit disabling, as well.

@Carreau
Copy link
Member Author

@Carreau Carreau commented Nov 3, 2017

@Carreau
Copy link
Member Author

@Carreau Carreau commented Nov 11, 2017

Updated w/ documentation and options to disable.

allow_password_change = Bool(True, config=True,
help="""Allow password to be changed at login for the notebook server.
While login-in with a token, the notebook server UI will give the opportunity to
Copy link
Member

@takluyver takluyver Nov 13, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

logging in

</div>
<div class="form-group">
<input type="password" name="new_password" id="new_password_input"
class="form-control" placeholder="New password" required>
Copy link
Member

@takluyver takluyver Nov 13, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we get the user to type the new password twice, and check that it's the same?

Copy link
Member Author

@Carreau Carreau Nov 13, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it is necessary, they can still issue jupyter notebook password to reset.

@takluyver
Copy link
Member

@takluyver takluyver commented Nov 13, 2017

Can you show a screenshot of the new login page?

Document the changing of password.
@Carreau
Copy link
Member Author

@Carreau Carreau commented Nov 13, 2017

In the end I think we want a change-password page that may or may not be available, and potentially pre-fill the token if it is given in the URL (and not redirect).

Though I do not want to spend too much time on that as most user will not even see this change password field.

screen shot 2017-11-13 at 07 55 02

@takluyver
Copy link
Member

@takluyver takluyver commented Nov 13, 2017

Thanks. I'm happy to merge this and see how it goes, but I'll give it a while for other people to have a look.

minrk
minrk approved these changes Nov 15, 2017
Copy link
Member

@minrk minrk left a comment

Minor comment that I think the flag for disabling password change is True where it should be False, but 👍 to merge with that typo fixed (or my understanding corrected).

command line.

The ability to change the password at first login time may be disabled by
integrations by setting the ``--NotebookApp.allow_password_change=True``
Copy link
Member

@minrk minrk Nov 15, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

=False

@Carreau
Copy link
Member Author

@Carreau Carreau commented Nov 15, 2017

Minor comment that I think the flag for disabling password change is True where it should be False, but 👍 to merge with that typo fixed (or my understanding corrected).

Oops. Should be fixed.

@takluyver takluyver merged commit 74fbc5b into jupyter:master Nov 15, 2017
4 checks passed
@Carreau Carreau deleted the autopawd branch Aug 25, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 30, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants