mirror of https://we.phorge.it/source/phorge.git synced 2024-11-23 07:12:41 +01:00
phorge-phorge/webroot/rsrc/css
epriestley 1329b7b51e Add password authentication and registration to new registration
Summary:
Ref T1536. Ref T1930. Code is not reachable.

This provides password authentication and registration on the new provider/adapter framework.

I sort of cheated a little bit and don't really route any password logic through the adapter (instead, this provider uses an empty adapter and just sets the type/domain on it). I think the right way to do this //conceptually// is to treat username/passwords as an external black box which the adapter communicates with. However, this creates a lot of practical implementation and UX problems:

  - There would basically be two steps -- in the first one, you interact with the "password black box", which behaves like an OAuth provider. This produces some ExternalAccount associated with the username/password pair, then we go into normal registration.
  - In normal registration, we'd proceed normally.

This means:

  - The registration flow would be split into two parts, one where you select a username/password (interacting with the black box) and one where you actually register (interacting with the generic flow). This is unusual and probably confusing for users.
  - We would need to do a lot of re-hashing of passwords, since passwords currently depend on the username and user PHID, which won't exist yet during registration or the "black box" phase. This is a big mess I don't want to deal with.
  - We hit a weird condition where two users complete step 1 with the same username but don't complete step 2 yet. The box knows about two different copies of the username, with two different passwords. When we arrive at step 2 the second time we have a lot of bad choices about how to resolve it, most of which create security problems. The most straightforward and "pure" way to resolve the issues is to put password-auth usernames in a separate space, but this would be incredibly confusing to users (your login name might not be the same as your username, which is bizarre).
  - If we change this, we need to update all the other password-related code, which I don't want to bother with (at least for now).

Instead, let registration know about a "default" registration controller (which is always password, if enabled), and let it require a password. This gives us a much simpler (albeit slightly less pure) implementation:

  - All the fields are on one form.
  - Password adapter is just a shell.
  - Password provider does the heavy lifting.

We might make this more pure at some point, but I'm generally pretty satisfied with this.

This doesn't implement the brute-force CAPTCHA protection; that will be coming soon.

Test Plan: Registered with password only and logged in with a password. Hit various error conditions.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, chad

Maniphest Tasks: T1536, T1930

Differential Revision: https://secure.phabricator.com/D6164
2013-06-16 10:15:49 -07:00
..
aphront Add password authentication and registration to new registration 2013-06-16 10:15:49 -07:00
application Conpherence - fix no messages button 2013-06-14 17:00:09 -07:00
core Conpherence - fix no messages button 2013-06-14 17:00:09 -07:00
layout Tweak audit status colors. 2013-06-11 20:53:55 -07:00
phui PHUIButtonView class 2013-06-12 18:23:35 -07:00
sprite-actions.css Add action icons to object list views 2013-05-10 12:57:01 -07:00
sprite-apps-large.css Add authentication icon 2013-06-12 07:40:04 -07:00
sprite-apps-xlarge.css Added Feed icons. 2013-01-10 10:00:18 -08:00
sprite-apps.css Add authentication icon 2013-06-12 07:40:04 -07:00
sprite-conpherence.css Conpherence - some cleanup type stuff 2013-03-13 13:03:51 -07:00
sprite-docs.css Document icons sprite sheet. 2013-03-10 14:16:16 -07:00
sprite-gradient.css PHUIList, PHUIDocument updates 2013-06-05 08:41:43 -07:00
sprite-icons.css Fix white + icon hover / apps create 2013-06-11 19:10:12 -07:00
sprite-login.css Add Login icons to PHUIIconView. 2013-06-12 15:05:16 -07:00
sprite-menu.css Rework Mobile Header and Mobile Home. 2013-03-22 11:50:30 -07:00
sprite-minicons.css PhabricatorActionHeaderView v0 2013-04-05 07:40:27 -07:00
sprite-payments.css Payment sprite icons. 2013-04-22 16:41:00 -07:00
sprite-tokens.css PHUIIconView 2013-04-19 17:44:20 -07:00