
xorgauth's Issues

How are dead users handled?

What happens to the account of dead users? Right now, in the model there are both a field for active/disabled accounts and one for alive/dead users. This allows keeping active the accounts of dead users and disabling the accounts of alive user (without removing any data).

I suggest:

  • By default, the account of someone who died is disabled. If someone who still needs the account (for example a widow) contacts us, we can re-enable the account.
  • Right now, there are active accounts for dead users. Keep them as they are.

What do you think of this suggestion?

By the way, the death dates still need to be propagated back to the main DB in a way, in order to disable the subscription to the newsletter we send...

Allow login with 2-digit study year

Many people are writing to the support because they fail to log in with "firstname.lastname.65", because their study year is 1965. Of course "firstname.lastname.1965" works, but they seem to like "firstname.lastname.65". We should support the 2-digit study year at least for the 19XX years.

How are external accounts handled?

Currently the system supports "external accounts" (users who never studied at the Ecole polytechnique), in order to be compatible with polytechnique.net. These users can currently use the authentication system in order to log in to relying parties' websites. There may be a need to restrict such an access by default, and enable it for specific relying parties. How do we do this?

Add a test for the password change form

The password change form has been broken since ec35e81, fixed in #78, because the password change form calls a validate method on password validators and this method was missing. We should have a test in order to prevent this issue from happening again.

[enhancement] One-shot and "reminded" authentication

There are three ways the authentication process may work:

  1. It may launch a session which is kept open while the authentication cookies are still present in the browser.
  2. It may launch a session which expires after few hours of inactivity.
  3. It may launch a session which allows the OIDC client to request user information (with a token) but which forces a user to authenticate again when using another service (this is useful on a shared computer).

I do not know whether Django sessions time out, and it may be a good idea to implement it if there is a config option for this (this makes forgetting to log out on a shared computer less harmful).
A checkbox which selects between options 2 and 3 when logging in for OIDC would be a good idea to implement. Is it technically possible?
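As an added illustration of options 1 and 2 above (not code from the xorgauth project or from the issue author): Django does have session-timeout settings, and the helper below maps the two server-side modes onto them and models when a session is considered expired under each. The setting names `SESSION_COOKIE_AGE`, `SESSION_EXPIRE_AT_BROWSER_CLOSE` and `SESSION_SAVE_EVERY_REQUEST` are real Django settings; the mode names, the default four-hour window and the helper functions are assumptions made for this example.

```python
# Added example: Django session modes for "kept open" vs "expires after inactivity".
# The Django setting names are real; everything else here is illustrative.

ONE_DAY = 24 * 3600


def session_settings(mode: str, inactivity_seconds: int = 4 * 3600) -> dict:
    """Return the Django settings that implement one of the two server-side modes.

    "persistent": option 1, the session lives as long as the cookie (fixed age from login).
    "inactivity": option 2, the cookie age is renewed on every request, so the
                  session expires `inactivity_seconds` after the last request.
    """
    if mode == "persistent":
        return {
            "SESSION_COOKIE_AGE": 30 * ONE_DAY,            # assumed 30-day cookie
            "SESSION_EXPIRE_AT_BROWSER_CLOSE": False,
            "SESSION_SAVE_EVERY_REQUEST": False,           # age counted from login
        }
    if mode == "inactivity":
        return {
            "SESSION_COOKIE_AGE": inactivity_seconds,
            "SESSION_EXPIRE_AT_BROWSER_CLOSE": True,       # also gone when the browser closes
            "SESSION_SAVE_EVERY_REQUEST": True,            # sliding window: renewed per request
        }
    raise ValueError(f"unknown session mode: {mode!r}")


def session_expired(login_at: float, last_request_at: float, now: float, cfg: dict) -> bool:
    """Model Django's expiry rule for a given settings dict (timestamps in seconds).

    With SESSION_SAVE_EVERY_REQUEST the expiry is measured from the last request;
    without it, from the moment the session was created at login.
    """
    anchor = last_request_at if cfg["SESSION_SAVE_EVERY_REQUEST"] else login_at
    return now > anchor + cfg["SESSION_COOKIE_AGE"]
```

A login checkbox can also switch the lifetime per session rather than globally: Django's `request.session.set_expiry(seconds)` (with `0` meaning "until the browser closes") overrides `SESSION_COOKIE_AGE` for that one session. Option 3, forcing re-authentication for another OIDC client, is a different mechanism: the relying party sends `prompt=login` or a small `max_age` in its authorization request, which the provider must honour regardless of the Django session.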

Allow login with firstname.lastname

Currently, the authentication only allows full human-readable ID ("prenom.nom.promo") or full email address. When there is no homonym, "prenom.nom" could also be used.

A way to perform this would be to detect when "prenom.nom" has been given, query the account database for "prenom.nom.%" wildcards and use the result if it is unique.
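As an added example (not code from the xorgauth project or from the issue authors), the function below resolves the three login forms discussed in this issue and in "Allow login with 2-digit study year" above: a full HRID, an HRID with a 2-digit year, and a bare "prenom.nom". It only accepts a match when exactly one account fits, and it validates the identifier's characters before any lookup so that LIKE metacharacters such as `%` or `_` never reach a wildcard query. The account table, the class `AmbiguousLogin` and the year-expansion rule (try both 19XX and 20XX, refuse if both exist) are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample of HRIDs -> internal user ids; not real Polytechnique.org data.
ACCOUNTS = {
    "jean.dupont.1965": "uid-1",
    "marie.curie.2010": "uid-2",
    "marie.curie.2015": "uid-3",   # homonym: two accounts share "marie.curie"
    "paul.martin.2003": "uid-4",
}

# Strict character set: this is what keeps user input out of any "prenom.nom.%" wildcard.
HRID_RE = re.compile(r"^([a-z][a-z0-9-]*)\.([a-z][a-z0-9-]*)(?:\.(\d{2}|\d{4}))?$")


class AmbiguousLogin(Exception):
    """Raised when a shortened login matches more than one account (homonyms)."""


def resolve_login(login: str) -> Optional[str]:
    """Map a typed login to a user id, or None if nothing matches.

    Accepted forms: "prenom.nom.1965", "prenom.nom.65" and "prenom.nom".
    A 2-digit year is tried as both 19XX and 20XX; a bare "prenom.nom" matches
    any year. In both cases the result is used only if it is unique.
    """
    m = HRID_RE.match(login.strip().lower())
    if not m:
        return None                       # malformed (or not an HRID at all): no lookup
    first, last, year = m.groups()
    prefix = f"{first}.{last}."           # trailing dot: "jean.du" must not match "jean.dupont"
    if year is None:
        candidates = [h for h in ACCOUNTS if h.startswith(prefix)]
    elif len(year) == 4:
        candidates = [h for h in ACCOUNTS if h == prefix + year]
    else:
        expansions = (prefix + "19" + year, prefix + "20" + year)
        candidates = [h for h in ACCOUNTS if h in expansions]
    if len(candidates) > 1:
        raise AmbiguousLogin(f"{login!r} matches {len(candidates)} accounts")
    return ACCOUNTS[candidates[0]] if candidates else None
```

If the lookup is done with a SQL `LIKE 'prenom.nom.%'` as the issue suggests, the same character restriction (or explicit escaping of `%`, `_` and the escape character) should be applied before building the pattern, and the calling code should treat the ambiguous case as a login failure with a hint to use the full HRID, not as a match on the first row returned.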

Warn the user when checking "never" expiry option

The previous site had a warning:

Checking this box lets you be automatically recognized at your next connection from this computer.
It is not advisable to check this box if this machine is not strictly personal.

Re-add this text (with proper translation) as a message (formatted as a bootstrap warning for example) that is hidden unless the user checks the "never" expiry option at login.

MySQL does not support unique UnboundedCharField

When using UnboundedCharField(unique=True) with a MySQL database, the MySQL server raises an error, which breaks manage.py migrate:

python manage.py migrate
Operations to perform:
  Apply all migrations: accounts, admin, auth, authgroupex, contenttypes, oidc_provider, sessions
Running migrations:
  Applying accounts.0001_initial...Traceback (most recent call last):
  File "manage.py", line 22, in <module>
    execute_from_command_line(sys.argv)
[...]
  File "/usr/lib/python2.7/dist-packages/MySQLdb/cursors.py", line 174, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib/python2.7/dist-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
django.db.utils.OperationalError: (1170, "BLOB/TEXT column 'display' used in key specification without a key length")

This happens with Role.display, User.schoolid and AuthGroupeXClient.name. We should either drop the unique property from these fields or make them use a bounded varchar field.

Translate zxcvbn messages at least in French

When a user changes her password, the zxcvbn feedback is kept in English even though the website is in French. This is because django-zxcvbn-password does not internationalize zxcvbn.js in https://github.com/Pawamoy/django-zxcvbn-password/tree/v2.0.1/src/zxcvbn_password/static/zxcvbn_password/js

A similar project, django_password_strength, seems to internationalize the feedback in https://github.com/aj-may/django-password-strength/blob/1.2.1/django_password_strength/static/django_password_strength/js/password_strength.js but the project has not had any release since 2015.

As zxcvbn.js itself comes from the CoffeeScript project https://github.com/dropbox/zxcvbn, this file cannot be easily modified (internationalized) without some hacky tricks. I see 3 options to get French zxcvbn feedback messages:

  • use django_password_strength if it works with recent Django releases (or make it work if not);
  • copy django_password_strength indirection code in s/password_strength.js and add it to the static files so that it overwrites the file provided by django-zxcvbn-password;
  • translate zxcvbn.js by hand and provide it in a localized directory loaded through some Django-urls magic related to internationalization.

Choosing which option to take requires some work.

Add a link to the SMTP password configuration

The password for the SMTPS/IMAPS/... services provided by Polytechnique.org has not been migrated and its configuration is in https://www.polytechnique.org/password/smtp . There should be a link on the profile page of auth.polytechnique.org, and a message on the password change page in order to warn users that the IMAP password is different from their Polytechnique.org password (some users are confused).

Test importaccounts command

Add a test which runs the commands in the README to make sure they work:

make update
make createdb
python manage.py importaccounts scripts/dev_data.json

Log interactions of users and allow admins to browse the log

In order to debug connection issues with users, and to record authentications, it would be useful to log successful connections and use of the authentication services (OIDC and authgroupex). A "standard" Django module might exist which performs this?

Record the date of last use of an OIDC client

In the future, when there will be several OIDC clients, it will be useful to know when one has last been used, in order to know whether a key is still used for example. Currently django-oidc-provider records the creation date of a client, but not its date of last use (and the authgroupex endpoint records the date of last use).

This might require some change in the django-oidc-provider library.

Synchronize Polytechnique.net memberships with the database

Some authgroupex clients use the group membership information in order to give admin rights on their websites. Right now the database can be synced with Polytechnique.org but this would erase passwords. The export script and the import commands need to be revisited in order to establish a working synchronization.

Add a public front page

The first public page (the root one) is currently missing. It would usually never be used in an authentication flow (when a relying party wants to authenticate a user) but users may want to check whether they are still connected and which clients they consented to use, and they may want to change their password.

In this context, I believe the front page should be a login form to the "profile" page, which should include links to the available actions (PR #13 creates such a page).

Dashlane completion does not work as intended on the login page

A user using Dashlane to store his credentials reported that Dashlane filled the "login or email" field with "Firstname Lastname" instead of the username (or an address), on the login page. The field seems to be mis-identified, and this may be caused by something in the HTML code.

Is it possible to modify the code of the login form in order to fix Dashlane's autofill feature? Does this issue affect other password managers, like LastPass?

Add a password recovery mechanism

Allow a user who has forgotten her password to recover it, for example with a form asking for the birth date and an email validation link (like https://www.polytechnique.org/recovery).

  • Decide which fields a user has to give in order to receive a recovery email (if the birth date, this information needs to be synchronized) and document (in the README's Notes section) this choice.
  • Modify the database models accordingly.
  • Implement a password-recovery process.

No access to WikiX

On the WikiX login page, when I click on "Me connecter", I am redirected to an error page:
Redirect URI Error
The request fails due to a missing, invalid, or mismatching redirection URI (redirect_uri).

Yet this same page indicates that I am logged in to Polytechnique.org...
Thanks in advance,

Add a birth date field to users

Knowing the birth date is useful when a user sends a mail to Polytechnique.org's team trying to recover her access to her account (along with other documents such as a scan of her ID card).

Moreover if the birth date is present in the database, we can ask for it in the password recovery form in order to slow down an attacker who would have access to the email inbox.

So I suggest adding a birth_date field to model User (which would be optional, as we do not know the birth date of some users), and importing it from the old database.
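As an added example covering this issue and "Add a password recovery mechanism" above (not code from the xorgauth project or from the issue authors), the module below sketches a recovery flow in which the emailed link token is only stored as a hash, expires, is limited to a few attempts, and is only accepted together with the birth date, so that someone who merely reads the inbox still has to know the second piece of information. Users without a known birth date (the field is optional, as proposed) cannot complete the automated flow and fall back to contacting support. The sample users, the `RecoveryRequest` store, the one-hour TTL and the three-attempt limit are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    hrid: str
    email: str
    birth_date: Optional[str]   # ISO date, optional because it is unknown for some accounts


@dataclass
class RecoveryRequest:
    token_hash: bytes           # only the hash is stored; the raw token goes in the email
    expires_at: float
    attempts: int = 0


TOKEN_TTL = 3600                # assumed: link valid for one hour
MAX_ATTEMPTS = 3                # assumed: stop brute-forcing the birth date on one token

# Constructed sample accounts, not real data.
USERS: Dict[str, User] = {
    "jean.dupont.1965": User("jean.dupont.1965", "jean@example.org", "1945-06-18"),
    "marie.curie.2010": User("marie.curie.2010", "marie@example.org", None),
}
PENDING: Dict[str, RecoveryRequest] = {}


def _token_hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison on bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(a.encode(), b.encode())


def request_recovery(hrid: str, email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a recovery token if hrid and email match; return it for the mailer, else None.

    The HTTP response to the user must be identical in both cases, otherwise the
    form becomes an oracle for which HRIDs and addresses exist.
    """
    user = USERS.get(hrid)
    if user is None or not _same(user.email.lower(), email.strip().lower()):
        return None
    token = secrets.token_urlsafe(32)
    PENDING[hrid] = RecoveryRequest(_token_hash(token), (now or time.time()) + TOKEN_TTL)
    return token


def complete_recovery(hrid: str, token: str, birth_date: str, now: Optional[float] = None) -> bool:
    """Validate token + birth date for a pending request; True means the password may be reset."""
    req = PENDING.get(hrid)
    if req is None:
        return False
    now = now or time.time()
    if now > req.expires_at or req.attempts >= MAX_ATTEMPTS:
        PENDING.pop(hrid, None)            # expired or exhausted: the token is burnt
        return False
    req.attempts += 1
    user = USERS[hrid]
    token_ok = _same(req.token_hash.hex(), _token_hash(token).hex())
    # Second piece of knowledge: the birth date. An account without one cannot use this flow.
    dob_ok = user.birth_date is not None and _same(user.birth_date, birth_date.strip())
    if token_ok and dob_ok:
        PENDING.pop(hrid, None)            # single use
        return True
    return False
```

In a real deployment the pending requests would live in the database with the user row, and the "reset allowed" result would be followed by the normal password-change validation (including the zxcvbn feedback discussed in another issue).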

Transpose Google Apps API

Polytechnique.org's current website syncs the password with the Polytechnique.org-provided Google Apps. This is configured in specific profile pages (https://www.polytechnique.org/googleapps). xorgauth needs to provide this feature:

  • Save a GApps-compatible password in the database when the password changes
  • Enable users to choose between "same password as their account" or a different one
  • Import this setting (and the password) from the current database
  • Transpose the script which syncs the account credentials with Google in order to use the new database (this is probably the most challenging aspect)

Give the study years as a list

Some users can belong to several studies (e.g. an engineer who has done a PhD, and in the future a Bachelor who has become an engineer...). The authentication needs to return a list for the study years instead of a single value in such case.

In order to make relying parties aware of such an issue when they interact with the identity provider, we should transform the current value into a single-item list.

Support and Contact not picking up issues

Not quite sure if posting here will solve anything but I have been trying to have support or contact for polytechnique.org deal with a lost password AND no access to reset email issue for the last 6 months... Hopefully someone will pick this up here?

Add a human-readable unique ID and a promo field to userinfo claims

The human-readable unique identifier (HRID) is useful information for client sites to identify a user. Some relying parties also want a "full_promo" description (X2010, M2042, D...).
Moreover an account may be associated with several promotions. We should decide whether we put a single one (the one also seen in the HRID) in the claims or all of them (in a list?). This also means deciding how to store this information in the database.

To do:

  • Attach promo information to the User model
  • Present the HRID (User.hrid) in userinfo scope (this should be the ID used by relying parties to identify users)
  • Present at least a promo in the same scope
  • Export promos in scripts/export_platal_to_json.py
  • Add promos in accounts in scripts/dev_data.json
  • Import promos in xorgauth/management/commands/importaccounts.py

Allow pending external accounts to "recover" their password

Some group websites (e.g. https://x-nucleaire.polytechnique.org/ ) rely on the SSO to authenticate their users. When the group has members who are not alumni, these members have "external accounts" in the database, and they can use the authentication system.

Currently activated external accounts work fine (i.e. external accounts who already have a password), but pending accounts are not transmitted between Plat/al and auth.polytechnique.org, cf.

WHERE a.state = 'active'

sql = """
    SELECT  a.uid, a.hruid, a.password, a.type, a.is_admin,
            a.firstname, a.lastname, a.full_name, a.directory_name, a.display_name,
            a.sex, a.email,
            p.ax_id, p.xorg_id, pd.promo, pe.grad_year
      FROM  accounts AS a
 LEFT JOIN  account_profiles AS ap ON (ap.uid = a.uid AND FIND_IN_SET('owner', ap.perms))
 LEFT JOIN  profiles AS p ON (p.pid = ap.pid)
 LEFT JOIN  profile_display AS pd ON (pd.pid = p.pid)
 LEFT JOIN  profile_education AS pe ON (pe.pid = p.pid AND FIND_IN_SET(\'primary\', pe.flags))
     WHERE  a.state = 'active'
  GROUP BY  a.uid
"""

Could we change the WHERE clause to WHERE a.state IN ('active', 'pending')? Would such a change have nasty side effects?

For reference, the issue has been reported by a user, https://support.polytechnique.org/otrs/index.pl?Action=AgentTicketZoom;TicketID=125092 .

Export AXID from the database and present it in a dedicated scope

I have forgotten to export the AX ID of accounts in scripts/export_platal_to_json.py and this field does not exist in the User model.

  • Add AX ID to xorgauth.accounts.models.User
  • Present it in a dedicated scope, which AX websites will use
  • Export it in scripts/export_platal_to_json.py
  • Add it in accounts in scripts/dev_data.json
  • Import it in xorgauth/management/commands/importaccounts.py
