View Issue Details

ID: 0021854
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2016-11-27 00:45
Reporter: vboctor
Assigned To: vboctor
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Product Version: 2.0.0-rc.1
Target Version: 2.0.0-rc.2
Fixed in Version: 2.0.0-rc.2
Summary: 0021854: Re-authenticating when visiting manage page should re-use login page
Description

If a plugin extends the login page to support alternative login mechanisms, then the re-authenticate form that shows when the user visits the Manage page doesn't make a lot of sense. Instead of maintaining login logic in two places, we should have the re-authentication redirect to the login page and pre-fill the username. This way, we have a single flow and UI for login.

Tags: No tags attached.

Activities

dregad (developer), 2016-11-04 09:09, ~0054407

> redirect to login page and pre-fill the username

IMO, username should moreover be read-only in this case

vboctor (manager), 2016-11-04 11:59, ~0054412

> IMO, username should moreover be read-only in this case

I don't know if we really need it to be read-only. However, we should have the username defaulted, and the focus on the password field by default. User should be able to change the username to go from vboctor to vboctoradmin if they like (as an example). But in most cases, they should just type in a password and press enter.

dregad (developer), 2016-11-04 12:19, ~0054413

I hear your argument, but from my point of view it sounds weird to allow someone to switch users in a reauthentication context.

Not a big deal if they can, but weird.

vboctor (manager), 2016-11-06 12:21, ~0054444

PR: https://github.com/mantisbt/mantisbt/pull/940

cproensa (developer), 2016-11-08 06:21, ~0054464

I'd add to dregad's comment:
all the complementary elements in the login page should not be used in the re-authenticating form, like:
  • lost your password
  • signup new account
  • login anonymous
  • Only allow your session to be used from this IP address
  • etc.

The core point of this feature should be to use the same code to present the login form, to eventually unify login methods/plugins, etc.

And:

  • username should be readonly, imo (as per dregad suggestion)
  • A message should be presented, like the current reauthentication does:
    "You are visiting a secure page, and your secure session has expired. Please authenticate yourself to continue."

I think having the plain login page without modification is confusing.

Related Changesets

MantisBT: master f409ea2a

2016-11-06 07:19

vboctor

Re-authentication flow should re-use login page

This change removes a redundant re-authentication page in favor of the standard login page.
This removes redundant code and makes it easier for plugins or custom authentication
schemes to plug into one place for providing extra functionality.

Fixes 0021854

Affected Issues: 0021854
mod - core/authentication_api.php
mod - login_page.php

MantisBT: master ee4a656c

2016-11-08 15:20

vboctor

Revise login page features in case of reauth

Hide the following features:
- Signup
- Reset Password
- Anonymous Login
- Remember Me
- Secure Session
- Warnings - though happy to show this to increase awareness.

Added or changed
- Use the re-authentication language string rather than login for form title.
- Show the re-authentication message language string for user to understand why they need to login.

Fixes 0021854

Affected Issues: 0021854
mod - login_page.php

MantisBT: master 97628c14

2016-11-08 16:53

vboctor

Flow re-authenticate flag on login failures

This avoids an extra redirect and shows the correct error message for a wrong password.

Fixes 0021854

Affected Issues: 0021854
mod - login.php
mod - login_page.php
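The flow agreed in cproensa's comment and described by the three changesets above (one login form for both cases, re-auth variant with username pre-filled and focus on the password, complementary features hidden, re-auth message shown, and the reauthenticate flag carried through a failed attempt) as an added, self-contained example. This is illustration code written for this page, not MantisBT's own login_page.php or login.php; the session layout, the SECURE_SESSION_TTL value, the user store, and the page names used in links and redirects (lost_pwd_page.php, signup_page.php, login_anon.php, manage_page.php, my_view_page.php) are assumptions.

```php
<?php
// Added example, not MantisBT's own code: a single login form that serves both
// a fresh login and a re-authentication, plus the login handler that carries
// the reauthenticate flag through a failed attempt. File names in links and
// redirects, the user store, and the session layout are assumptions.
declare(strict_types=1);

// Seconds a successful re-authentication keeps the secure session valid (assumed value).
const SECURE_SESSION_TTL = 300;

// Render the one login form. In re-auth mode the username is pre-filled, focus
// moves to the password field, the re-auth title and message are shown, and the
// complementary features (signup, lost password, anonymous login, remember me,
// secure session) are hidden, since they only make sense for a fresh login.
function login_form_html(bool $reauthenticate, string $username = '', bool $failed = false): string
{
    $u = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    $lines = ['<form method="post" action="login.php">'];
    // The flag travels as a hidden field so login.php can keep it on failure.
    $lines[] = '  <input type="hidden" name="reauthenticate" value="' . ($reauthenticate ? '1' : '0') . '">';
    if ($reauthenticate) {
        $lines[] = '  <h2>Re-authenticate</h2>';
        $lines[] = '  <p>You are visiting a secure page, and your secure session has expired. '
                 . 'Please authenticate yourself to continue.</p>';
    } else {
        $lines[] = '  <h2>Login</h2>';
    }
    if ($failed) {
        $lines[] = '  <p class="error">Invalid username or password.</p>';
    }
    // Username stays editable (per the discussion), but focus goes to the password when re-authenticating.
    $lines[] = '  <input type="text" name="username" value="' . $u . '"' . ($reauthenticate ? '' : ' autofocus') . '>';
    $lines[] = '  <input type="password" name="password"' . ($reauthenticate ? ' autofocus' : '') . '>';
    if (!$reauthenticate) {
        $lines[] = '  <label><input type="checkbox" name="perm_login"> Remember me</label>';
        $lines[] = '  <label><input type="checkbox" name="secure_session"> Only allow your session to be used from this IP address</label>';
        $lines[] = '  <a href="lost_pwd_page.php">Lost your password?</a>'; // hypothetical page names
        $lines[] = '  <a href="signup_page.php">Signup for a new account</a>';
        $lines[] = '  <a href="login_anon.php">Login anonymously</a>';
    }
    $lines[] = '  <button type="submit">Login</button>';
    $lines[] = '</form>';
    return implode("\n", $lines) . "\n";
}

// True when the secure session has never been established or has expired.
function needs_reauthentication(array $session, int $now): bool
{
    return !isset($session['secure_session_until']) || $session['secure_session_until'] <= $now;
}

// login.php logic. Returns the URL to redirect to. On failure the reauthenticate
// flag and username go straight back to login_page.php, so the user sees the
// re-auth variant of the form with the right error and no extra redirect.
function handle_login(array $post, array &$session, array $users, int $now): string
{
    $reauth   = ($post['reauthenticate'] ?? '0') === '1';
    $username = trim((string) ($post['username'] ?? ''));
    $password = (string) ($post['password'] ?? '');

    $ok = isset($users[$username]) && password_verify($password, $users[$username]);
    if (!$ok) {
        return 'login_page.php?' . http_build_query([
            'reauthenticate' => $reauth ? 1 : 0,
            'username'       => $username,
            'error'          => 1,
        ]);
    }
    $session['user'] = $username;
    $session['secure_session_until'] = $now + SECURE_SESSION_TTL;
    // Hypothetical landing pages: back to the protected page after re-auth.
    return $reauth ? 'manage_page.php' : 'my_view_page.php';
}

// Demo on constructed data: an expired secure session, a wrong password, then the right one.
$users   = ['vboctor' => password_hash('correct-horse', PASSWORD_DEFAULT)];
$session = ['user' => 'vboctor', 'secure_session_until' => 100];
$now     = 1000;
if (needs_reauthentication($session, $now)) {
    echo login_form_html(true, $session['user']);
    echo handle_login(['reauthenticate' => '1', 'username' => 'vboctor', 'password' => 'wrong'], $session, $users, $now), "\n";
    echo handle_login(['reauthenticate' => '1', 'username' => 'vboctor', 'password' => 'correct-horse'], $session, $users, $now), "\n";
}
```

Run with `php example.php`. The first redirect URL carries `reauthenticate=1`, `username=vboctor` and `error=1`, which is exactly what lets login_page.php render the re-auth form again with the wrong-password message instead of bouncing through the generic login page; the second redirect goes to the protected page, and `needs_reauthentication()` is false for the next SECURE_SESSION_TTL seconds. Keeping `$reauthenticate` as the single switch inside one renderer is the point of the issue: a plugin that replaces the form only has one place to hook.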