When login-in via token, let a chance for user to set the password #3008

Merged: 3 commits, Nov 15, 2017

Carreau (Member) commented Nov 2, 2017

When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running `jupyter notebook password` on the command
line.

The experience can likely be better, but just submitting that as a POC
for feedback

minrk (Member) left a comment

Seems like a good idea to me.

Potential downsides:

  • there is no mechanism to disallow setting a password, for token-only auth
  • combined with "Hash cookie secret with user hashed password" (#3009), setting a password means that the next login will be logged out because the cookie secret will have changed. I'm not sure this is a big deal, but it could be annoying.

self.set_login_cookie(self, uuid.uuid4().hex)
elif self.token and self.token == typed_password:
self.set_login_cookie(self, uuid.uuid4().hex)
if self.new_password:
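
Review bot: the `if self.new_password:` check at the end of this hunk acts on the submitted new password as soon as the token matches, and nothing in the lines shown consults a server-side setting first, so a deployment that wants token-only auth has no way to refuse the change. Gate the branch on a configurable flag as well as on the field being non-empty. Separately, `self.token == typed_password` compares a secret with `==`; `hmac.compare_digest` gives a constant-time check.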

Member:

extra self.

@@ -85,6 +85,22 @@
<p>
Cookies are required for authenticated access to notebooks.
</p>
<h3>{% trans %}Setup a Password{% endtrans %}</h3>
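
Review bot: the heading `<h3>{% trans %}Setup a Password{% endtrans %}</h3>` uses the noun "Setup" where the verb is meant; "Set up a password" reads correctly, and this is the string translators will receive. In the lines shown the heading is also emitted unconditionally, so wrap the block in a template condition that hides it when setting a password is not offered.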

Member:

This whole block should be conditional on password not being set already. And there should probably be a set_password_available for explicit disabling, as well.

Carreau (Member Author) commented Nov 3, 2017 via email

Carreau (Member Author) commented Nov 11, 2017

Updated w/ documentation and options to disable.

allow_password_change = Bool(True, config=True,
help="""Allow password to be changed at login for the notebook server.

While login-in with a token, the notebook server UI will give the opportunity to
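
Review bot: `allow_password_change = Bool(True, config=True,` makes the feature opt-out, so anyone who logs in with a valid token is offered a persistent password unless the deployment turns it off. The help text should state that consequence explicitly and name the value that disables it.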

Member:

logging in

</div>
<div class="form-group">
<input type="password" name="new_password" id="new_password_input"
class="form-control" placeholder="New password" required>
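
Review bot: the `new_password` input has no `autocomplete` attribute, so browsers and password managers may autofill it with a saved credential or fail to offer to save the new one; add `autocomplete="new-password"`. It also carries `required`, which is only right if this field sits in a form separate from the plain token login, and the lines shown do not make that clear.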

Member:

Should we get the user to type the new password twice, and check that it's the same?

Member Author:

I don't think it is necessary, they can still issue `jupyter notebook password` to reset.

takluyver (Member) commented

Can you show a screenshot of the new login page?

Document the changing of password.

Carreau (Member Author) commented Nov 13, 2017

In the end I think we want a change-password page that may or may not be available, and potentially pre-fill the token if it is given in the URL (and not redirect).

Though I do not want to spend too much time on that as most users will not even see this change password field.

[Screenshot: screen shot 2017-11-13 at 07 55 02]

takluyver (Member) commented

Thanks. I'm happy to merge this and see how it goes, but I'll give it a while for other people to have a look.

minrk (Member) left a comment

Minor comment that I think the flag for disabling password change is True where it should be False, but 👍 to merge with that typo fixed (or my understanding corrected).

command line.

The ability to change the password at first login time may be disabled by
integrations by setting the ``--NotebookApp.allow_password_change=True``
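
Review bot: the value in `--NotebookApp.allow_password_change=True` contradicts the sentence around it, which describes how integrations disable the feature; the trait shown earlier in this pull request already defaults to `True`, so the documented setting changes nothing. It should read `--NotebookApp.allow_password_change=False`.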

Member:

=False

Carreau (Member Author) commented Nov 15, 2017

> Minor comment that I think the flag for disabling password change is True where it should be False, but 👍 to merge with that typo fixed (or my understanding corrected).

Oops. Should be fixed.
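
The login behaviour this thread converges on (a token login that may also set a password, unless `allow_password_change` is off), as an added example that is not the notebook project's code. The `login` function, the `server` dict and its keys, and the PBKDF2 storage format are assumptions made for illustration:

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Salted PBKDF2 hash stored as 'pbkdf2:<salt hex>:<digest hex>'.

    The storage format is an assumption of this example.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2:%s:%s" % (salt.hex(), digest.hex())


def check_password(stored, candidate):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split(":")
    expected = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(stored, expected)


def login(server, typed, new_password=""):
    """Return (authenticated, password_was_set) for one login submission.

    `server` is a hypothetical settings dict with the keys 'token',
    'password_hash' and 'allow_password_change'.
    """
    stored = server["password_hash"]
    if stored and check_password(stored, typed):
        return True, False  # a password login never changes the password
    token = server["token"]
    # An empty token means token auth is off; compare in constant time.
    if token and hmac.compare_digest(token.encode(), typed.encode()):
        # Only a token login may set a password, and only if the server allows it.
        if new_password and server["allow_password_change"]:
            server["password_hash"] = hash_password(new_password)
            return True, True
        return True, False  # logged in; change not requested or refused
    return False, False
```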

takluyver merged commit 74fbc5b into jupyter:master on Nov 15, 2017
Carreau deleted the autopawd branch on August 25, 2018 19:26
github-actions bot locked as resolved and limited conversation to collaborators on Mar 30, 2021