mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 22:10:55 +01:00
Provide contextual help on auth provider configuration
Summary: Ref T1536. - Move all the provider-specific help into contextual help in Auth. - This provides help much more contextually, and we can just tell the user the right values to use to configure things. - Rewrite account/registration help to reflect the newer state of the word. - Also clean up a few other loose ends. Test Plan: {F46937} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6247
This commit is contained in:
parent
3b9ccf11f2
commit
1834584e98
18 changed files with 167 additions and 158 deletions
|
@ -553,11 +553,6 @@ return array(
|
|||
|
||||
// -- Auth ------------------------------------------------------------------ //
|
||||
|
||||
// Can users login with a username/password, or by following the link from
|
||||
// a password reset email? You can disable this and configure one or more
|
||||
// OAuth providers instead.
|
||||
'auth.password-auth-enabled' => true,
|
||||
|
||||
// Maximum number of simultaneous web sessions each user is permitted to have.
|
||||
// Setting this to "1" will prevent a user from logging in on more than one
|
||||
// browser at the same time.
|
||||
|
@ -1032,10 +1027,6 @@ return array(
|
|||
'aphront.default-application-configuration-class' =>
|
||||
'AphrontDefaultApplicationConfiguration',
|
||||
|
||||
'controller.oauth-registration' =>
|
||||
'PhabricatorOAuthDefaultRegistrationController',
|
||||
|
||||
|
||||
// Directory that phd (the Phabricator daemon control script) should use to
|
||||
// track running daemons.
|
||||
'phd.pid-directory' => '/var/tmp/phd/pid',
|
||||
|
|
|
@ -14,6 +14,18 @@ final class PhabricatorApplicationAuth extends PhabricatorApplication {
|
|||
return 'authentication';
|
||||
}
|
||||
|
||||
public function getHelpURI() {
|
||||
// NOTE: Although reasonable help exists for this in "Configuring Accounts
|
||||
// and Registration", specifying a help URI here means we get the menu
|
||||
// item in all the login/link interfaces, which is confusing and not
|
||||
// helpful.
|
||||
|
||||
// TODO: Special case this, or split the auth and auth administration
|
||||
// applications?
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
public function buildMainMenuItems(
|
||||
PhabricatorUser $user,
|
||||
PhabricatorController $controller = null) {
|
||||
|
|
|
@ -10,7 +10,7 @@ final class PhabricatorEmailLoginController
|
|||
public function processRequest() {
|
||||
$request = $this->getRequest();
|
||||
|
||||
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
|
||||
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
|
||||
return new Aphront400Response();
|
||||
}
|
||||
|
||||
|
|
|
@ -74,7 +74,7 @@ final class PhabricatorEmailTokenController
|
|||
unset($unguarded);
|
||||
|
||||
$next = '/';
|
||||
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
|
||||
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
|
||||
$next = '/settings/panel/external/';
|
||||
} else if (PhabricatorEnv::getEnvConfig('account.editable')) {
|
||||
$next = (string)id(new PhutilURI('/settings/panel/password/'))
|
||||
|
|
|
@ -224,6 +224,12 @@ final class PhabricatorAuthEditController
|
|||
->addCancelButton($cancel_uri)
|
||||
->setValue($button));
|
||||
|
||||
$help = $provider->getConfigurationHelp();
|
||||
if ($help) {
|
||||
$form->appendChild(id(new PHUIFormDividerControl()));
|
||||
$form->appendRemarkupInstructions($help);
|
||||
}
|
||||
|
||||
$crumbs = $this->buildApplicationCrumbs();
|
||||
$crumbs->addCrumb(
|
||||
id(new PhabricatorCrumbView())
|
||||
|
|
|
@ -21,6 +21,10 @@ abstract class PhabricatorAuthProvider {
|
|||
return $this->providerConfig;
|
||||
}
|
||||
|
||||
public function getConfigurationHelp() {
|
||||
return null;
|
||||
}
|
||||
|
||||
public function getDefaultProviderConfig() {
|
||||
return id(new PhabricatorAuthProviderConfig())
|
||||
->setProviderClass(get_class($this))
|
||||
|
|
|
@ -7,6 +7,24 @@ final class PhabricatorAuthProviderOAuthDisqus
|
|||
return pht('Disqus');
|
||||
}
|
||||
|
||||
public function getConfigurationHelp() {
|
||||
$login_uri = $this->getLoginURI();
|
||||
|
||||
return pht(
|
||||
"To configure Disqus OAuth, create a new application here:".
|
||||
"\n\n".
|
||||
"http://disqus.com/api/applications/".
|
||||
"\n\n".
|
||||
"Create an application, then adjust these settings:".
|
||||
"\n\n".
|
||||
" - **Callback URL:** Set this to `%s`".
|
||||
"\n\n".
|
||||
"After creating an application, copy the **Public Key** and ".
|
||||
"**Secret Key** to the fields above (the **Public Key** goes in ".
|
||||
"**OAuth App ID**).",
|
||||
$login_uri);
|
||||
}
|
||||
|
||||
protected function newOAuthAdapter() {
|
||||
return new PhutilAuthAdapterOAuthDisqus();
|
||||
}
|
||||
|
|
|
@ -9,6 +9,25 @@ final class PhabricatorAuthProviderOAuthFacebook
|
|||
return pht('Facebook');
|
||||
}
|
||||
|
||||
public function getConfigurationHelp() {
|
||||
$uri = new PhutilURI(PhabricatorEnv::getProductionURI('/'));
|
||||
return pht(
|
||||
'To configure Facebook OAuth, create a new Facebook Application here:'.
|
||||
"\n\n".
|
||||
'https://developers.facebook.com/apps'.
|
||||
"\n\n".
|
||||
'You should use these settings in your application:'.
|
||||
"\n\n".
|
||||
" - **Site URL**: Set this to your full domain with protocol. For ".
|
||||
" this Phabricator install, the correct value is: `%s`\n".
|
||||
" - **Site Domain**: Set this to the full domain without a protocol. ".
|
||||
" For this Phabricator install, the correct value is: `%s`\n\n".
|
||||
"After creating your new application, copy the **App ID** and ".
|
||||
"**App Secret** to the fields above.",
|
||||
(string)$uri,
|
||||
$uri->getDomain());
|
||||
}
|
||||
|
||||
public function getDefaultProviderConfig() {
|
||||
return parent::getDefaultProviderConfig()
|
||||
->setProperty(self::KEY_REQUIRE_SECURE, 1);
|
||||
|
|
|
@ -7,6 +7,27 @@ final class PhabricatorAuthProviderOAuthGitHub
|
|||
return pht('GitHub');
|
||||
}
|
||||
|
||||
public function getConfigurationHelp() {
|
||||
$uri = PhabricatorEnv::getProductionURI('/');
|
||||
$callback_uri = $this->getLoginURI();
|
||||
|
||||
return pht(
|
||||
"To configure GitHub OAuth, create a new GitHub Application here:".
|
||||
"\n\n".
|
||||
"https://github.com/settings/applications/new".
|
||||
"\n\n".
|
||||
"You should use these settings in your application:".
|
||||
"\n\n".
|
||||
" - **URL:** Set this to your full domain with protocol. For this ".
|
||||
" Phabricator install, the correct value is: `%s`\n".
|
||||
" - **Callback URL**: Set this to: `%s`\n".
|
||||
"\n\n".
|
||||
"Once you've created an application, copy the **Client ID** and ".
|
||||
"**Client Secret** into the fields above.",
|
||||
$uri,
|
||||
$callback_uri);
|
||||
}
|
||||
|
||||
protected function newOAuthAdapter() {
|
||||
return new PhutilAuthAdapterOAuthGitHub();
|
||||
}
|
||||
|
|
|
@ -7,6 +7,27 @@ final class PhabricatorAuthProviderOAuthGoogle
|
|||
return pht('Google');
|
||||
}
|
||||
|
||||
public function getConfigurationHelp() {
|
||||
$login_uri = $this->getLoginURI();
|
||||
|
||||
return pht(
|
||||
"To configure Google OAuth, create a new 'API Project' here:".
|
||||
"\n\n".
|
||||
"https://code.google.com/apis/console/".
|
||||
"\n\n".
|
||||
"You don't need to enable any Services, just go to **API Access**, ".
|
||||
"click **Create an OAuth 2.0 client ID...**, and configure these ".
|
||||
"settings:".
|
||||
"\n\n".
|
||||
" - During initial setup click **More Options** (or after creating ".
|
||||
" the client ID, click **Edit Settings...**), then add this to ".
|
||||
" **Authorized Redirect URIs**: `%s`\n".
|
||||
"\n\n".
|
||||
"After completing configuration, copy the **Client ID** and ".
|
||||
"**Client Secret** to the fields above.",
|
||||
$login_uri);
|
||||
}
|
||||
|
||||
protected function newOAuthAdapter() {
|
||||
return new PhutilAuthAdapterOAuthGoogle();
|
||||
}
|
||||
|
|
|
@ -9,6 +9,12 @@ final class PhabricatorAuthProviderPassword
|
|||
return pht('Username/Password');
|
||||
}
|
||||
|
||||
public function getConfigurationHelp() {
|
||||
return pht(
|
||||
'You can select a minimum password length by setting '.
|
||||
'`account.minimum-password-length` in configuration.');
|
||||
}
|
||||
|
||||
public function getDescriptionForCreate() {
|
||||
return pht(
|
||||
'Allow users to login or register using a username and password.');
|
||||
|
@ -227,4 +233,16 @@ final class PhabricatorAuthProviderPassword
|
|||
$account->setAccountID($account->getUserPHID());
|
||||
}
|
||||
|
||||
public static function getPasswordProvider() {
|
||||
$providers = self::getAllEnabledProviders();
|
||||
|
||||
foreach ($providers as $provider) {
|
||||
if ($provider instanceof PhabricatorAuthProviderPassword) {
|
||||
return $provider;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -101,7 +101,7 @@ abstract class PhabricatorController extends AphrontController {
|
|||
|
||||
if ($this->shouldRequireLogin() && !$user->getPHID()) {
|
||||
$login_controller = new PhabricatorAuthStartController($request);
|
||||
$login_controller->setCurrentApplication(
|
||||
$this->setCurrentApplication(
|
||||
PhabricatorApplication::getByClass('PhabricatorApplicationAuth'));
|
||||
return $this->delegateToController($login_controller);
|
||||
}
|
||||
|
|
|
@ -13,19 +13,6 @@ final class PhabricatorAuthenticationConfigOptions
|
|||
|
||||
public function getOptions() {
|
||||
return array(
|
||||
$this->newOption(
|
||||
'auth.password-auth-enabled', 'bool', true)
|
||||
->setBoolOptions(
|
||||
array(
|
||||
pht("Allow password authentication"),
|
||||
pht("Don't allow password authentication")
|
||||
))
|
||||
->setSummary(pht("Enables password-based authentication."))
|
||||
->setDescription(
|
||||
pht(
|
||||
"Can users login with a username/password, or by following the ".
|
||||
"link from a password reset email? You can disable this and ".
|
||||
"configure one or more OAuth providers instead.")),
|
||||
$this->newOption('auth.sessions.web', 'int', 5)
|
||||
->setSummary(
|
||||
pht("Number of web sessions a user can have simultaneously."))
|
||||
|
|
|
@ -47,12 +47,6 @@ final class PhabricatorExtendingPhabricatorConfigOptions
|
|||
->setBaseClass('AphrontApplicationConfiguration')
|
||||
// TODO: This could probably use some better documentation.
|
||||
->setDescription(pht("Application configuration class.")),
|
||||
$this->newOption(
|
||||
'controller.oauth-registration',
|
||||
'class',
|
||||
'PhabricatorOAuthDefaultRegistrationController')
|
||||
->setBaseClass('PhabricatorOAuthRegistrationController')
|
||||
->setDescription(pht("OAuth registration controller.")),
|
||||
);
|
||||
}
|
||||
|
||||
|
|
|
@ -612,7 +612,7 @@ EOBODY;
|
|||
$new_username = $this->getUserName();
|
||||
|
||||
$password_instructions = null;
|
||||
if (PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
|
||||
if (PhabricatorAuthProviderPassword::getPasswordProvider()) {
|
||||
$uri = $this->getEmailLoginURI();
|
||||
$password_instructions = <<<EOTXT
|
||||
If you use a password to login, you'll need to reset it before you can login
|
||||
|
|
|
@ -25,7 +25,7 @@ final class PhabricatorSettingsPanelPassword
|
|||
|
||||
// ...or this install doesn't support password authentication at all.
|
||||
|
||||
if (!PhabricatorEnv::getEnvConfig('auth.password-auth-enabled')) {
|
||||
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
@ -150,8 +150,11 @@ Now, navigate to whichever subdomain you set up. You should see instructions to
|
|||
continue setup. The rest of this document contains additional instructions for
|
||||
specific setup steps.
|
||||
|
||||
When you see the login screen, continue with @{article:Configuring Accounts and
|
||||
Registration}.
|
||||
When you resolve any issues and see the welcome screen, enter credentials to
|
||||
create your initial administrator account. After you log in, you'll want to
|
||||
configure how other users will be able to log in or register -- until you do,
|
||||
no one else will be able to sign up or log in. For more information, see
|
||||
@{article:Configuring Accounts and Registration}.
|
||||
|
||||
= Storage: Configuring MySQL =
|
||||
|
||||
|
|
|
@ -5,32 +5,41 @@ Describes how to configure user access to Phabricator.
|
|||
|
||||
= Overview =
|
||||
|
||||
Phabricator supports a number of login systems, like traditional
|
||||
username/password, Facebook OAuth, GitHub OAuth, and Google OAuth. You can
|
||||
enable or disable these systems to configure who can register for and access
|
||||
your install, and how users with existing accounts can login.
|
||||
Phabricator supports a number of login systems. You can enable or disable these
|
||||
systems to configure who can register for and access your install, and how users
|
||||
with existing accounts can login.
|
||||
|
||||
By default, only username/password auth is enabled, and there are no valid
|
||||
accounts. Start by creating a new account with the
|
||||
##phabricator/bin/accountadmin## script.
|
||||
Methods of logging in are called **Authentication Providers**. For example,
|
||||
there is a "Username/Password" authentication provider available, which allows
|
||||
users to log in with a traditional username and password. Other providers
|
||||
support logging in with other credentials. For example:
|
||||
|
||||
= Using accountadmin =
|
||||
- **Username/Password:** Users use a username and password to log in or
|
||||
register.
|
||||
- **LDAP:** Users use LDAP credentials to log in or register.
|
||||
- **OAuth:** Users use accounts on a supported OAuth2 provider (like
|
||||
GitHub, Facebook, or Google) to log in or register.
|
||||
- **Other Providers:** More providers are available, and Phabricator
|
||||
can be extended with custom providers. See the "Auth" application for
|
||||
a list of available providers.
|
||||
|
||||
##accountadmin## is a user-friendly command line interface for creating and
|
||||
editing accounts. To use ##accountadmin##, just run the script:
|
||||
By default, no providers are enabled. You must use the "Auth" application to
|
||||
add one or more providers after you complete the installation process.
|
||||
|
||||
$ ./phabricator/bin/accountadmin
|
||||
Enter a username to create a new account or edit an existing account.
|
||||
After you add a provider, you can link it to existing accounts (for example,
|
||||
associate an existing Phabricator account with a GitHub OAuth account) or users
|
||||
can use it to register new accounts (assuming you enable these options).
|
||||
|
||||
Enter a username:
|
||||
= Recovering Administrator Accounts =
|
||||
|
||||
This will walk you through the process of creating an initial user account.
|
||||
Once you've created an account, you can login with it and use the web console
|
||||
to create and manage accounts more easily (provided you make your first account
|
||||
an administrator).
|
||||
If you accidentally lock yourself out of Phabricator, you can use the `bin/auth`
|
||||
script to recover access to an administrator account. To recover access, run:
|
||||
|
||||
You can use this script later to create or edit accounts if you, for example,
|
||||
accidentally remove your admin flag.
|
||||
phabricator/ $ ./bin/auth recover <username>
|
||||
|
||||
...where `<username>` is the admin account username you want to recover access
|
||||
to. This will give you a link which will log you in as the specified
|
||||
administrative user.
|
||||
|
||||
= Managing Accounts with the Web Console =
|
||||
|
||||
|
@ -38,114 +47,20 @@ To manage accounts from the web, login as an administrator account and go to
|
|||
##/people/## or click "People" on the homepage. Provided you're an admin,
|
||||
you'll see options to create or edit accounts.
|
||||
|
||||
= Managing Accounts from the Command Line =
|
||||
= Manually Creating New Accounts =
|
||||
|
||||
You can use ##scripts/user/add_user.php## to batch create accounts. Run it
|
||||
like:
|
||||
There are two ways to manually create new accounts: via the web UI using
|
||||
the "People" application (this is easiest), or via the CLI using the
|
||||
`accountadmin` binary (this has a few more options).
|
||||
|
||||
$ ./add_user.php <username> <email> <realname> <admin>
|
||||
To use the CLI script, run:
|
||||
|
||||
For example:
|
||||
phabricator/ $ ./bin/accountadmin
|
||||
|
||||
$ ./add_user.php alincoln alincoln@logcabin.com 'Abraham Lincoln' tjefferson
|
||||
|
||||
This will create a new ##alincoln## user and send them a "Welcome to
|
||||
Phabricator" email from ##tjefferson## with instructions on how to log in and
|
||||
set a password.
|
||||
|
||||
= Configuring Facebook OAuth =
|
||||
|
||||
You can configure Facebook OAuth to allow login, login and registration, or
|
||||
nothing (the default). If registration is not allowed, users must have an
|
||||
existing account in order to link a Facebook account to it, but can use
|
||||
Facebook to login once the accounts are linked.
|
||||
|
||||
To configure Facebook OAuth, create a new Facebook Application:
|
||||
|
||||
https://developers.facebook.com/apps
|
||||
|
||||
You should set these things in your application:
|
||||
|
||||
- **Site URL**: Set this to your full domain with protocol, like
|
||||
"##https://phabricator.example.com/##".
|
||||
- **Site Domain**: Set this to the entire domain, like ##example.com##. You
|
||||
might be able to get away with including the subdomain if you want to
|
||||
scope more tightly.
|
||||
|
||||
Once that is set up, edit your Phabricator configuration and set these keys:
|
||||
|
||||
- **facebook.auth-enabled**: set this to ##true##.
|
||||
- **facebook.application-id**: set to your Facebook application's ID. Make
|
||||
sure you set this as a string.
|
||||
- **facebook.application-secret**: set to your Facebook application's
|
||||
secret key.
|
||||
- **facebook.registration-enabled**: set this to ##true## to let users
|
||||
register for your install with a Facebook account (this is a very open
|
||||
setting) or ##false## to prevent users from registering with Facebook.
|
||||
- **facebook.auth-permanent**: you can set this to prevent account unlinking.
|
||||
It is unlikely you want to prevent it, but Facebook's internal install uses
|
||||
this option since Facebook uses Facebook as its only auth mechanism.
|
||||
|
||||
= Configuring GitHub OAuth =
|
||||
|
||||
You can configure GitHub OAuth to allow login, login and registration, or
|
||||
nothing (the default).
|
||||
|
||||
To configure GitHub OAuth, create a new GitHub Application:
|
||||
|
||||
https://github.com/settings/applications/new
|
||||
|
||||
You should set these things in your application:
|
||||
|
||||
- **URL**: Set this to the full domain with protocol, like
|
||||
"##https://phabricator.example.com/##".
|
||||
- **Callback URL**: Set this to your domain plus "##/oauth/github/login/##",
|
||||
like "##https://phabricator.example.com/oauth/github/login/##".
|
||||
|
||||
Once you've created an application, edit your Phabricator configuration and
|
||||
set these keys:
|
||||
|
||||
- **github.auth-enabled**: set this to ##true##.
|
||||
- **github.application-id**: set this to your application/client ID.
|
||||
- **github.application-secret**: set this to your application secret.
|
||||
- **github.registration-enabled**: set to ##true## to let users register with
|
||||
just GitHub credentials (this is a very open setting) or ##false## to
|
||||
prevent users from registering. If set to ##false##, users may still link
|
||||
existing accounts and use GitHub to login, they just can't create new
|
||||
accounts.
|
||||
- **github.auth-permanent**: set to ##true## to prevent unlinking Phabricator
|
||||
accounts from GitHub accounts.
|
||||
|
||||
= Configuring Google OAuth =
|
||||
|
||||
You can configure Google OAuth to allow login, login and registration, or
|
||||
nothing (the default).
|
||||
|
||||
To configure Google OAuth, create a new Google "API Project":
|
||||
|
||||
https://code.google.com/apis/console/
|
||||
|
||||
You don't need to enable any **Services**, just go to **API Access**, click
|
||||
**"Create an OAuth 2.0 client ID..."**, and configure these settings:
|
||||
|
||||
- Click **More Options** next to **Authorized Redirect APIs** and add the
|
||||
full domain (with protocol) plus ##/oauth/google/login/## to the list.
|
||||
For example, ##https://phabricator.example.com/oauth/google/login/##
|
||||
- Click **Create Client ID**.
|
||||
|
||||
Once you've created a client ID, edit your Phabricator configuration and set
|
||||
these keys:
|
||||
|
||||
- **google.auth-enabled**: set this to ##true##.
|
||||
- **google.application-id**: set this to your Client ID (from above).
|
||||
- **google.application-secret**: set this to your Client Secret (from above).
|
||||
- **google.registration-enabled**: set this to ##true## to let users register
|
||||
with just Google credentials (this is a very open setting) or ##false## to
|
||||
prevent users from registering. If set to ##false##, users may still link
|
||||
existing accounts and use Google to login, they jus can't create new
|
||||
accounts.
|
||||
- **google.auth-permanent**: set this to ##true## to prevent unlinking
|
||||
Phabricator accounts from Google accounts.
|
||||
Some options (like setting passwords and changing certain account flags) are
|
||||
only available from the CLI. You can also use this script to make a user
|
||||
an administrator (if you accidentally remove your admin flag) or create an
|
||||
administrative account.
|
||||
|
||||
= Next Steps =
|
||||
|
||||
|
|
Loading…
Reference in a new issue