From ba37ec677df006d38a14589aa447c52866c0c133 Mon Sep 17 00:00:00 2001 From: Will Barton Date: Wed, 12 Jun 2024 14:05:41 -0400 Subject: [PATCH 1/2] Disable password reset and remove override template This change removes our custom password reset override template and disables password reset when SSO is enabled.
---
 cfgov/cfgov/settings/base.py | 3 +
 .../account/password_reset/confirm.html | 55 -------------------
 2 files changed, 3 insertions(+), 55 deletions(-)
 delete mode 100644 cfgov/wagtailadmin_overrides/templates/wagtailadmin/account/password_reset/confirm.html
diff --git a/cfgov/cfgov/settings/base.py b/cfgov/cfgov/settings/base.py
index 60a2017e304..68445e888ec 100644
--- a/cfgov/cfgov/settings/base.py
+++ b/cfgov/cfgov/settings/base.py
@@ -762,6 +762,9 @@
 LOGOUT_REDIRECT_URL = reverse_lazy("cfgov_login")
 ALLOW_LOGOUT_GET_METHOD = True
+ # Disable Wagtail password reset
+ WAGTAIL_PASSWORD_RESET_ENABLED = False
+
 # This OIDC client's id and secret
 OIDC_RP_CLIENT_ID = os.environ["OIDC_RP_CLIENT_ID"]
 OIDC_RP_CLIENT_SECRET = os.environ["OIDC_RP_CLIENT_SECRET"]
diff --git a/cfgov/wagtailadmin_overrides/templates/wagtailadmin/account/password_reset/confirm.html b/cfgov/wagtailadmin_overrides/templates/wagtailadmin/account/password_reset/confirm.html
deleted file mode 100644
index 98c5cf7994a..00000000000
--- a/cfgov/wagtailadmin_overrides/templates/wagtailadmin/account/password_reset/confirm.html
+++ /dev/null
@@ -1,55 +0,0 @@
-{% extends "wagtailadmin/admin_base.html" %}
-{% load wagtailadmin_tags static i18n %}
-{% block titletag %}
- {% if validlink %}
- {% trans "Set your new password" %}
- {% else %}
- {% trans "Invalid password reset link" %}
- {% endif %}
-{% endblock %}
-{% block bodyclass %}login{% endblock %}
-
-{% block furniture %}
-
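Review bot: `WAGTAIL_PASSWORD_RESET_ENABLED = False` sits between `ALLOW_LOGOUT_GET_METHOD` and the `OIDC_RP_CLIENT_*` settings, which read `os.environ[...]` without a default and so presumably live inside an SSO-conditional block (indentation is lost in this copy); if so the flag only takes effect when SSO is enabled, which matches the commit message but is not stated at the setting itself. The comment `# Disable Wagtail password reset` should record the reason and the scope, e.g. `# Credentials are managed by the SSO provider, so Wagtail's admin password-reset views are turned off; this does not disable local username/password login itself`. Since the custom confirm.html is deleted in the same commit, any password-reset route mounted outside the Wagtail admin (not visible here) would not be covered by this flag and would fall back to stock templates, so it is worth confirming none exists. The enclosing settings block starts before this hunk.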
- {% if validlink %} -

{% trans "Set your new password" %}

- - {% if form.errors %} -
-
    - {% for key, value in form.errors.items %} -
  • {{ value|striptags }}
  • - {% endfor %} -
-
- {% endif %} - -
- {% csrf_token %} - - {% rawformattedfield field=form.new_password1 %}{% endrawformattedfield %} - {% rawformattedfield field=form.new_password2 %}{% endrawformattedfield %} - -
- -
-
- {% else %} -

{% trans "Invalid password reset link" %}

- -
- {% if not validlink %} -
    -
  • - {% trans "The password reset link was invalid, possibly because it has already been used." %} -
  • -
- {% endif %} -
- - - {% endif %} -
-{% endblock %}
From a15ffc20687aaaa39544e5641ff337991597e2e9 Mon Sep 17 00:00:00 2001 From: Will Barton Date: Wed, 12 Jun 2024 14:31:38 -0400 Subject: [PATCH 2/2] Move the SSO button to top and hide login fields This change moves our SSO button to the top and hides login fields behind an "Other ways to sign in" link if SSO is enabled.
---
 cfgov/login/templates/login/login.html | 30 +++++++++++++++++++++++---
 cfgov/login/views.py | 4 ++++
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/cfgov/login/templates/login/login.html b/cfgov/login/templates/login/login.html
index 353424c3616..ff99346c1e6 100644
--- a/cfgov/login/templates/login/login.html
+++ b/cfgov/login/templates/login/login.html
@@ -1,12 +1,36 @@
 {% extends "wagtailadmin/login.html" %}
 {% load wagtailadmin_tags %}
-{% block below_login %}
+{% block above_login %}
 {% if sso_enabled %}
-
+ {# Link via button to the OIDC provider #}

Sign in with Single Sign-On

-
+ + {# Provide a link for alternative sign-in via username/password #} + {% if not others %} +

Other ways to sign in

+ {% else %} +
+ {% endif %} {% endif %} +{% endblock %} + +{% block login_form %} + {# If SSO is enabled and "others" is not in the context, hide the login form #} + {% if not sso_enabled or others %} + {{ block.super }} + {% endif %} +{% endblock %} + +{% block submit_buttons %} + {# If SSO is enabled and "others" is not in the context, hide the login form #} + {% if not sso_enabled or others %} + {{ block.super }} + {% endif %} +{% endblock %} + +{% block below_login %} +

This is a Consumer Financial Protection Bureau (CFPB) information system. The CFPB is an independent agency of the United States Government. CFPB information systems are provided for the processing of official information only. Unauthorized or improper use of this system may result in administrative action, as well as civil and criminal penalties.

Because this is a CFPB information system, you have no reasonable expectation of privacy regarding any communication or data, transiting or stored, on this information system. All data contained in CFPB information systems is owned by the CFPB, and your use of the CFPB information system serves as your consent to your usage being monitored, intercepted, recorded, read, copied, captured, or otherwise audited in any manner by authorized personnel, including, but not limited to, employees, contractors, and/or agents of the United States Government.

{% endblock %}
diff --git a/cfgov/login/views.py b/cfgov/login/views.py
index d4cc12e421b..dfaf94ee928 100644
--- a/cfgov/login/views.py
+++ b/cfgov/login/views.py
@@ -8,5 +8,9 @@ class LoginView(WagtailLoginView):
 def get_context_data(self, **kwargs):
 context = super().get_context_data(**kwargs)
+
+ # If SSO is enabled, we do not render the username/password form
+ # unless "others" is given as a GET parameter.
+ context["others"] = "others" in self.request.GET
 context["sso_enabled"] = settings.ENABLE_SSO
 return context
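Review bot: The `{% if not sso_enabled or others %}` guards on `login_form` and `submit_buttons` only decide whether the username/password form is rendered; nothing in this hunk changes what the login URL accepts on POST, so with SSO enabled a client can still submit credentials to it whether or not `?others` was given. The two comments `{# If SSO is enabled and "others" is not in the context, hide the login form #}` read as though password login were switched off; make them say `{# UI only: hides the username/password form when SSO is enabled unless ?others was given; the view still accepts password POSTs #}` so nobody treats this as an access control. The `{% else %}` branch of the `others` block and the "Other ways to sign in" link's target are not visible in this copy, so I cannot check how `?others` is combined with an existing `next` parameter.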
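Review bot: `context["others"] = "others" in self.request.GET` is a presence test, so `?others`, `?others=` and `?others=0` all enable the form, while the template consumes the value as a plain boolean; that is acceptable but should be stated. The new comment says the form is not rendered, which is accurate, but this class only overrides `get_context_data`, so POST handling is inherited from `WagtailLoginView` and presumably still authenticates username/password regardless of the flag — suggested wording: `# Presentation only: hides the username/password form when SSO is on unless ?others is present (any value). POST handling is inherited and still accepts password logins.` Reading `settings.ENABLE_SSO` with no default is pre-existing and unchanged by this hunk.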