Password reset confusion

Marjolaine : When I reset my password, I land on https://api.nantes.happy-dev.fr/accounts/profile/ which is fairly confusing.

changed milestone to %Previously done stuff

By Alexandre on 2020-01-16T14:38:24 (imported from GitLab project)

added 1 deleted label

assigned to @calummackervoy

@calummackervoy It's on DjangoLDP-Accounts, feel free to ask me if you need some help on. :)

@alexandre On what should we redirect the user? During the reset password, we'll have no clue of where is the frontend of the user.

On the first step of the process, we bring the user to https://api.alpha.happy-dev.fr/auth/password_reset/done/

I guess we have no choice but to create a similar page, inviting the user to access its application with its newly created password.

Candid question: can't we store on the webid the preferred app of the user?

By Alexandre on 2020-01-18T16:07:47 (imported from GitLab project)

I don't see any reason why not @jbpasquier ?

That sound a good idea.

Candid question: can't we store on the webid the preferred app of the user?

@sylvain @balessan Do you agree on that?

Do you mean front end app? So that we reroute the user to their own app?

Sounds good, but doesn't that prevent me from using another app?

I believe that we redirect you to "the last app you used" if there are no one on login parameters. Maybe one day we can implement a "preferred app" or keep a track to every apps you used and list them to you?

Yes but my point was: if I'm redirected to my prefered app, can I use another one? Or will I be redirected everytime to my prefered app?

No, we only redirect you in case you have no redirect_uri or like this case, you're not even logged and have reset your password.

oh ok get it. Then it sounds like an improvement.

It's actually somehow related to https://git.happy-dev.fr/startinblox/solid-spec/issues/12

I don't think so.

I do agree it would be nice !

So is this still Priority?

Yes it is related to startinblox/solid-spec#12 because both issues ask how we know where the user needs to be redirected from the backend. It's two different issues, but probably they should share a common mechanism.

@calummackervoy The priority is not to have the Log in button redirecting @Marjolaine to the backend interface. If implementing the preferred app feature is fast, then do it.

I'm not so sure we're done with specifying it though.

Another candid question: Shouldn't we display a button saying : Access https://xyz.abc.com ?

My fear is that if we automatically redirect the user to a URL that isn't the one she expects, it might become confusing very quickly. We might want to ignore that fear for now though.

By Alexandre on 2020-01-21T13:14:58 (imported from GitLab project)

I've almost got this working, and then I stop and think "is this what we want to be doing?"

so the reason that it redirects to this page is because when you reset password there is no next parameter set in the URL.. so it defaults to settings.LOGIN_REDIRECT_URL (by default 'accounts/profile/')

okay, this is fine, so store the default_redirect_uri on the user, and set this to the last known value for next (the last app they accessed). If they don't have one, take them to the admin panel or present them a screen saying 'sorry, we don't know where you want to go'

but what if, in my app, I've set settings.LOGIN_REDIRECT_URL on purpose? Or if this is supposed to be 'accounts/profile/'.. I don't think DjangoLDP-Account should make assumptions about the server which is using the module? This is a concern for the specific instance surely?

possibly, it could offer this behaviour if the LOGIN_REDIRECT_URL is explicitly set to None on the instance running it? @alexandre @sylvain @jbpasquier @balessan @Marjolaine

Well, your last login location can be the one that's set on settings.LOGIN_REDIRECT_URL. If you reset your password, you may come from somewhere, maybe we can trace the user from this point.

my point is that another application that isn't Startin' Blox might want to redirect to "not-login-url.com" and will be very confused when our library breaks Django's LOGIN_REDIRECT_URL functionality?

But if they set it to None then they are communicating that they want it to find the user's preference?

Maybe more a new parameter to (de)activate such mechanism? I think that we must leave as much native as possible, some people may be experienced with the use of settings.LOGIN_REDIRECT_URL as is.

I think it should de-activated by default (unless you clone a Startin' Blox instance) and the setting should be to activate it

wouldn't it make sense to provide a route that does the redirection, and let the user set it as the LOGIN_REDIRECT_URL if it's what they want?

Is the conclusion that we add a preferred app URL parameter on the user's model and use that as the redirect URL, or something else then?

Just trying to follow :-)

By Alexandre on 2020-01-23T06:27:29 (imported from GitLab project)

yep :) to summarise,

• default_redirect_uri on the User model, which is updated on login, and can be set to an initial value in the admin panel
• On login: if they have a next set then follow this, if not redirect them to the default_redirect_uri.. if they don't have this set, either, redirect admins to the admin panel, and other users to "sorry, we don't know where to send you!"

MR open for this in DjangoLDP-Account: https://git.happy-dev.fr/startinblox/djangoldp-packages/djangoldp-account/merge_requests/37

In order for it to work, I'll need to set LOGIN_REDIRECT_URL = '/redirect-default/' on Startin' Blox instances' settings.py (automatically/by default)

@plup @jbpasquier how do I do this?

This https://git.happy-dev.fr/startinblox/devops/sib/issues/73

is this for changing settings.py for fresh installs, or just for updating settings.py on existing servers when they change?

This issue is for updating settings.py on servers on upgrading them. For now, we'll have to do this hand made everywhere. :)

Sounds good to me.

@balessan Does anything sound shitty to you here?

By Alexandre on 2020-01-23T17:24:48 (imported from GitLab project)

mentioned in issue #370 (closed)

By Alexandre on 2020-01-28T07:34:37 (imported from GitLab project)

Something blocking us here?

I'm asking because the issue occurs in the same manner when a user tries to create an account herself. I have created a dedicated issue here, but the problem is the same I believe: https://git.happy-dev.fr/startinblox/applications/sib-app/issues/370

By Alexandre on 2020-01-28T07:34:59 (imported from GitLab project)

MR https://git.happy-dev.fr/startinblox/djangoldp-packages/djangoldp-account/merge_requests/37 was merged last week, so it just needs deployment and..

LOGIN_REDIRECT_URL = '/redirect-default/' in settings.py

running ./manage.py collectstatic because I added a new template for "sorry, we don't know where to send you!"

My bad, I didn't get that we're at this step. I'll update servers this afternoon. ;-)

closed

removed 1 deleted label