-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When login-in via token, let a chance for user to set the password #3008
Conversation
When token is enabled, the login page will present a form to the user asking them if they want to set a password at the same time. This is almost equivalent to running `jupyter notebook password` on the command line. The experience can likely be better, but just submitting that as a POC for feedback
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like a good idea to me.
Potential downsides:
- there is no mechanism to disallow setting a password, for token-only auth
- combined with Hash cookie secret with user hashed password. #3009, setting a password means that the next login will be logged out because the cookie secret will have changed. I'm not sure this is a big deal, but it could be annoying.
notebook/auth/login.py
Outdated
self.set_login_cookie(self, uuid.uuid4().hex) | ||
elif self.token and self.token == typed_password: | ||
self.set_login_cookie(self, uuid.uuid4().hex) | ||
if self.new_password: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
extra self.
notebook/templates/login.html
Outdated
@@ -85,6 +85,22 @@ | |||
<p> | |||
Cookies are required for authenticated access to notebooks. | |||
</p> | |||
<h3>{% trans %}Setup a Password{% endtrans %}</h3> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This whole block should be conditional on password not being set already. And there should probably be a set_password_available
for explicit disabling, as well.
Yep I thought to most of those. I'm even considering redirecting users to
the login screen immediately if they set a password to be sure it works.
I'll work on that this week-end or next week. Thanks !
…On Nov 3, 2017 03:22, "Min RK" ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In notebook/templates/login.html
<#3008 (comment)>:
> @@ -85,6 +85,22 @@
<p>
Cookies are required for authenticated access to notebooks.
</p>
+ <h3>{% trans %}Setup a Password{% endtrans %}</h3>
This whole block should be conditional on password not being set already.
And there should probably be a set_password_available for explicit
disabling, as well.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#3008 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAUez1m-FiumTBm5vjmyfmz-qBAZxkEHks5syulbgaJpZM4QQLYK>
.
|
Updated w/ documentation and options to disable. |
notebook/notebookapp.py
Outdated
allow_password_change = Bool(True, config=True, | ||
help="""Allow password to be changed at login for the notebook server. | ||
|
||
While login-in with a token, the notebook server UI will give the opportunity to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
logging in
</div> | ||
<div class="form-group"> | ||
<input type="password" name="new_password" id="new_password_input" | ||
class="form-control" placeholder="New password" required> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we get the user to type the new password twice, and check that it's the same?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think it is necessary, they can still issue jupyter notebook password
to reset.
Can you show a screenshot of the new login page? |
Document the changing of password.
Thanks. I'm happy to merge this and see how it goes, but I'll give it a while for other people to have a look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comment that I think the flag for disabling password change is True where it should be False, but 👍 to merge with that typo fixed (or my understanding corrected).
docs/source/public_server.rst
Outdated
command line. | ||
|
||
The ability to change the password at first login time may be disabled by | ||
integrations by setting the ``--NotebookApp.allow_password_change=True`` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
=False
Oops. Should be fixed. |
When token is enabled, the login page will present a form to the user
asking them if they want to set a password at the same time. This is
almost equivalent to running
jupyter notebook password
on the commandline.
The experience can likely be better, but just submitting that as a POC
for feedback