Display an error message for blocked users #3560
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
f145d1d to
d6f35e7
Compare
tillprochaska
commented
Jan 8, 2024
aleph/migration.py
Outdated
2092d3e to
f491754
Compare
catileptic
approved these changes
Jun 18, 2024
Contributor
catileptic
left a comment
There was a problem hiding this comment.
I couldn't stop anything eyebrow-raising. LGTM?
Both the password login and the OAuth flow didn't have a lot of tests, so I’ve added tests covering the most important cases before making changes
…rs at API route level Right now, both the password login logic and he OAuth handler return either a `Role` record in case of successful authentication or `None` in case of an authentication error. This makes it difficult to handle different authentication errors at a higher level in the actual API routes.
Move sub components into seprate render functions to make it easier to render them conditionally.
f491754 to
61cfd6b
Compare
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Aleph includes an option to block individual users. Blocking users effectively makes it impossible for them to sign in. Right now, a generic authentication failure message is displayed when a blocked user tries to sign in. As we’re considering blocking user accounts that have been inactive for some time, we want to display a specific error message (incl. instructions on how to reactivate the account) when a user has been blocked.
Implementation considerations
Rolerecord in case of successful authentication orNonein case of an authentication error. This makes it difficult to handle different authentication errors at a higher level in the actual API routes. Now, these handlers raise different exceptions depending on the authentication error so we can handle them differently in the API routes. Also take a look at the individual commit messages which have a few more details.How to test this locally
In order to test the password flow, just create a password user in your development environment and manually set the
is_blockedcolumn in theroletable.Testing the OAuth flow is slightly more complex and requires running an OpenID Connection provider in your development environment. Here’s a draft of a guide on how to set up a Keycloak instance for testing in your development environment:
Expand
How to Set Up an Identity Provider for Development
When making changes to the OAuth authentication flow in Aleph, it can be helpful to test changes against a real identity provider. This guide describes how to run the Keycloak identity provider in your local development environment and how to configure Aleph accordingly.
This guide describes how to set up Keycloak in a development environment. If you want to configure a production Aleph instance to use Keycloak as an identity provider, please refer to our operations guide.
Run and configure Keycloak
The official Keycloak documentation provides detailed instructions on how to run Keycloak using Docker. You can follow these instructions for the most part. However, you will have to make a few minor changes:
The default port used in the Keycloak documentation is
8080. In an Aleph development environment that port is already in use for the Aleph UI. Adjust the port mapping for the Keycloak container to use a different port:After creating a new realm in the Keycloak admin console, set the "Frontend URL" setting to
http://localhost:8888. This is necessary to ensure that Aleph redirects you to the correct URL during the authentication flow.When creating a new client using the Keycloak admin console, change the following settings:
http://localhost:8080/api/2/sessions/callbackhttp://localhost:8080/After creating a new client using the Keycloak admin console, switch to the "Credentials" tab and take note of the client secret.
Configure Aleph
Finally, you need to adjust Aleph’s configuration to use your local Keycloak instance instead of the default password authentication flow.
Set the following Aleph configuration options:
ALEPH_OAUTHtrueALEPH_OAUTH_KEYmyrealmALEPH_OAUTH_SECRETALEPH_OAUTH_METADATA_URLhttp://host.docker.internal:8888/realms/myrealm/.well-known/openid-configurationALEPH_PASSWORD_LOGINfalseRestart Aleph, visit the Aleph UI at
http://localhost:8080, and click on the "Sign in" button in the navigation bar to test the authentication flow.Todos
Configuration options
This PR adds three new configuration options to customize the contents of the error message per instance:
ALEPH_ROLE_BLOCKED_MESSAGE(This defaults to just "Your user account has been deactivated")ALEPH_ROLE_BLOCKED_LINK(Defaults toNone, i.e. no link is displayed.)ALEPH_ROLE_BLOCKED_LINK_LABELScreenshot
Here’s an example of the popup displayed when a user is redirected back from the identity provider. The message, button label and button link are configurable (see above).