-
Notifications
You must be signed in to change notification settings - Fork 488
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Account migration #7916
Account migration #7916
Conversation
* secured the initial FacesContext approach * password input renders if validation failed
Hi @janvanmansum, thanks for sharing this. I appreciate the simplification of the workflow here. Just so I understand, when the user encounters this screen in the new Dataverse installation, will their passwords have already been loaded into the Dataverse installation's database? Would this only be able to be used by installations where passwords from the old system were known and transferred? Regarding the 4.0 text, I've adjusted the text on a currently-unmerged branch so that the old version is not referenced specifically. |
Hi @janvanmansum, good to see you at the community meeting last week. I'm just making sure you saw my note above. Any thoughts? |
@djbrooke : sorry for the late response. Yes, this assumes that the user password is in the database already (just not encrypted with the preferred algorithm). |
@janvanmansum hi, I'm just checking if this pull request is ready for review or if you're still working on it. I noticed a new commit from a couple weeks ago. |
@janvanmansum - From a slack conversation - @pdurbin notes this needs documentation of the new settings, a short release note about the password algorithm change mechanism getting updated, and to be merged with develop to get rid of the conflict. |
Thanks @qqmyers for discussing, and thanks @janvanmansum for following up. I think we both missed each other a few times. :) I want @scolapasta to weigh in before we decide the merge this because we talked in some detail (prompting my question above in #7916 (comment)) - if there's a specific security concern about implementing this, let's discuss. |
Hi, sorry for the delay in getting to this! I think the idea makes sense overall, but I wonder about having these settings? i.e. when we first added this we knew that we were requiring stricter passwords which was one reason to force the new password. But since this incorporates that (i.e. it forces new password if not strict enough), let's just make this the default behavior. In that way we can save a few settings and have all installations operate this way. In short, rather than have this provide an alternative approach, let's have that alternative be standard. @janvanmansum would you be able to make these changes? |
@scolapasta : OK, then we will remove the settings and make the behavior the same as currently with the following values:
|
@janvanmansum Thanks for the update. I think @scolapasta still needs to review but I decided to do a quick test of the password complexity workflow. It appears it is not functioning correctly in your branch at the moment. What happens is if I change :PVMinLength to be 10 rather than 6 and log in with an existing account, without setting :PVCustomPasswordResetAlertMessage, I see different results: |
@kcondon the issue you described above should now be fixed. Would your retest it please? |
@janvanmansum @mderuijter could one of you get the latest from develop (now that 5.8 has been released?) |
@scolapasta : done. |
@pdurbin @scolapasta : I have merged back the latest |
What this PR does / why we need it: Currently, when a user logs in to a migrated builtin user account for which the password is encrypted with a legacy hash algorithm (e.g., SHA-1), Dataverse will display a password reset page that also requires the user to accept the Terms of Use again. After a new password is provided it gets encrypted with the latest and greatest algorithm.
There are several limitations and issues with the current reset page:
Example of the current screen:
Which issue(s) this PR closes: N/A
Special notes for your reviewer:
This PR introduces the following database settings::SilentPasswordAlgorithmUpdateEnabled
: if set totrue
, the "New Password" and "Retype Password" entry fields are hidden and the existing password is automatically re-encrypted on clicking the continue button.:PVCustomPasswordResetAlertMessage
: the text that should appear in the blue banner at the top of the passwordreset page.:CustomPasswordResetButton
: the caption of the button to continue. (If:SilentPasswordAlgorithmUpdateEnabled
is enabled you should override the default text, which is "Reset Password", with something else, for example "Continue"):CustomPasswordResetAlertIntro
: the introductory text.Settings have been removed at the request of @scolapasta (see #7916 and #7916)
Note that, if the password turns out not to comply with the minimal security requirements, the user is presented with the regular password reset page on clicking Continue, and will be required to provide a new password.
Suggestions on how to test this:
Configure the Dataverse instance to automatically reencrypt password, e.g.:echo -n mypassword001 | openssl dgst -binary -sha1 | openssl base64
builtinuser
table:(Note: you can customize the build number with the script
dataverse/scripts/custom-build-number
in the Dataverse code.)Does this PR introduce a user interface change? If mockups are available, please link/include them here: See previous item.
Is there a release notes update needed for this change?: No
Additional documentation: