Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2022/01/12 15:44:44 UTC

[GitHub] [trafficcontrol] ocket8888 opened a new issue #6509: Newly registered users aren't required to have a password - which only works sometimes

ocket8888 opened a new issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509


   ## This Bug Report affects these Traffic Control components:
   - Traffic Ops
   - Traffic Portal
   
   ## Current behavior:
   When a new user is registered, Traffic Portal doesn't indicate that the password for that user must be set - which is actually true because Traffic Ops doesn't require it either. So, the form can be submitted without setting a password, and that makes the token get dropped from the database, leaving the user with no way to authenticate, and since users can't be deleted and their emails must be unique, that's not fixable without either direct database manipulation to be able to resend registration or some other user setting that user's password (as admins are allowed to do). Also their cookie is immediately invalid so that the very next request 401's and there's no way to obtain a new cookie.
   
   ## Expected behavior:
   "Local" users must have either a token or a password, because they need to be able to log in. The problem is that OAuth and LDAP users can't have a local password. Or, rather, LDAP users _can't_ and OAuth users _need not_. Solving this problem will therefore necessitate finding a different way to tell how a user is supposed to authenticate which will involve database and API changes, and putting a way to select how the user will authenticate in the user registration form.
   
   ## Steps to reproduce:
   1. Register a user
   2. Go to the link in the email
   3. set the full name as indicated by the form as being required, then submit the form.
   4. If you just wait like a minute a "newcount" logs request will be made that will cause a "user not found" error to be returned from the API and you'll be dropped back on the login page with no way to log in since you don't have a password.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficcontrol.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
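
The rule stated under "Expected behavior" above, as an added example that is not part of the original report and is not Traffic Ops code. The AuthMethod field, the User struct and CompleteRegistration are hypothetical names; the thread notes that no per-user indicator of the authentication method exists, so this assumes one has been added.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthMethod is a hypothetical per-user field; the thread notes no such indicator exists.
type AuthMethod string

const (
	AuthLocal AuthMethod = "local"
	AuthLDAP  AuthMethod = "ldap"
	AuthOAuth AuthMethod = "oauth"
)

// User carries only what this check needs (constructed, not the Traffic Ops schema).
type User struct {
	Method           AuthMethod
	HasLocalPassword bool
	Token            string // pending registration token, "" once consumed
}

var (
	ErrNoCredential = errors.New("local user would have neither password nor token")
	ErrLDAPPassword = errors.New("LDAP users cannot have a local password")
	ErrUnknownAuth  = errors.New("unknown authentication method")
)

// CompleteRegistration validates the submitted form before consuming the token.
// On error the user is returned unchanged, so the registration link still works.
func CompleteRegistration(u User, newPassword string) (User, error) {
	switch {
	case u.Method == AuthLocal && newPassword == "" && !u.HasLocalPassword:
		return u, ErrNoCredential
	case u.Method == AuthLDAP && newPassword != "":
		return u, ErrLDAPPassword
	case u.Method != AuthLocal && u.Method != AuthLDAP && u.Method != AuthOAuth:
		return u, ErrUnknownAuth
	}
	u.HasLocalPassword = u.HasLocalPassword || newPassword != "" // hashing/storage omitted
	u.Token = ""
	return u, nil
}

func main() {
	pending := User{Method: AuthLocal, Token: "constructed-token"}
	_, err := CompleteRegistration(pending, "") // the form submission from the report
	fmt.Println("empty password, local user:", err)
	done, err := CompleteRegistration(pending, "constructed-passphrase")
	fmt.Println("password set:", done.HasLocalPassword, "token cleared:", done.Token == "", err)
}
```
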



[GitHub] [trafficcontrol] mitchell852 edited a comment on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 edited a comment on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018638403


   > Not directly related, but it would also be nice if there was a way to "resend registration email" e.g. for users whose spam filters dropped a registration email before they could see it.
   
   @rimashah25 implemented that:
   
   https://tp.domain.tld/#!/users/999
   
   ![image](https://user-images.githubusercontent.com/251272/150571202-caaf1386-3d22-44d5-9ae0-16e759fedec9.png)
   
   
   





[GitHub] [trafficcontrol] ocket8888 commented on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018740581


   > i don't know the right answer tbh because i don't believe there's any indicator on a user to tell you which approach is being used.
   
   Right, as I said:
   
   > "Local" users must have either a token or a password, because they need to be able to log in. The problem is that OAuth and LDAP users can't have a local password. Or, rather, LDAP users can't and OAuth users need not. Solving this problem will therefore necessitate finding a different way to tell how a user is supposed to authenticate which will involve database and API changes, and putting a way to select how the user will authenticate in the user registration form.





[GitHub] [trafficcontrol] mitchell852 commented on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 commented on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018638403


   > Not directly related, but it would also be nice if there was a way to "resend registration email" e.g. for users whose spam filters dropped a registration email before they could see it.
   
   pretty sure there is. i think @rimashah25 implemented that.





[GitHub] [trafficcontrol] mitchell852 edited a comment on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 edited a comment on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018709414


   @ocket8888 - this is a bit of a tricky one. when should password be required because
   
   1. if you are authenticating via ldap, local password is ignored therefore is not needed
   2. if you are not authenticating via ldap, local password is needed :)
   
   i don't know the right answer tbh because i don't believe there's any indicator on a user to tell you which approach is being used.





[GitHub] [trafficcontrol] mitchell852 commented on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 commented on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018750612


   @ocket8888 - like you said, 3 ways to authenticate (ldap, oauth, local) has made this a bit of a mess (each having different requirements). in desperate need of a refactor imo. 





[GitHub] [trafficcontrol] ocket8888 commented on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
ocket8888 commented on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1011180985


   Not directly related, but it would also be nice if there was a way to "resend registration email" e.g. for users whose spam filters dropped a registration email before they could see it.





[GitHub] [trafficcontrol] mitchell852 removed a comment on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 removed a comment on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018638090


   > 3\. set the full name as indicated by the form as being required, then submit the form.
   
   pretty sure there is. i think @rimashah25 implemented that.





[GitHub] [trafficcontrol] mitchell852 commented on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 commented on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018638090


   > 3\. set the full name as indicated by the form as being required, then submit the form.
   
   pretty sure there is. i think @rimashah25 implemented that.





[GitHub] [trafficcontrol] mitchell852 commented on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 commented on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018709414


   @ocket8888 - this is a bit of a tricky one. when should password be required because
   
   1. if you are authenticating via ldap, local password is ignored therefore is not needed
   2. if you are not authenticating via ldap, local password is needed :)
   
   i don't know the right answer tbh.





[GitHub] [trafficcontrol] mitchell852 edited a comment on issue #6509: Newly registered users aren't required to have a password - which only works sometimes

Posted by GitBox <gi...@apache.org>.
mitchell852 edited a comment on issue #6509:
URL: https://github.com/apache/trafficcontrol/issues/6509#issuecomment-1018709414





