Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/epic 12881 self reset password #13096

Open
wants to merge 123 commits into
base: development
Choose a base branch
from

Conversation

daveotengo
Copy link

Fixes #12881

 updatePassword validate current password,
 check password strength and generate password
     Added a method to validate password
     Added a method to check password strength#12881
@sormas-vitagroup
Copy link
Contributor

2 similar comments
@sormas-vitagroup
Copy link
Contributor

@sormas-vitagroup
Copy link
Contributor

@daveotengo
Copy link
Author

Unable to review because the code formatting is changed so a lot of existing code looks to be changed. Please set up the code formatting in your IDE as described in the docs https://github.com/SORMAS-Foundation/SORMAS-Project/blob/development/docs/DEVELOPMENT_ENVIRONMENT.md#step-6-configure-code-formatting-and-import-settings, and reformat all the changed code.

Hi @leventegal-she,

Your issue with the existing code that looks to be changed is sorted so kindly check and give me feedback.

Thanks
David Oteng

@daveotengo
Copy link
Author

The easiest would be:

  • The button to reset password should be hidden, when keycloak is used as authentication provider.

If you want to have a more sophisticated approach:

  • Add a feature configuration for "Self reset password"
  • If Keycloak is the authentication provider the button should redirect the user to the "forgot password"-flow, which does actually the same as resetting the password.

The feature configuration should - be default - be false. If SORMAS admins want/need that functionality they can just enable it in the feature config

Hi @markusmann-vg,

Your request is done now the "Self reset password" has been added to the feature configuration and is set to false by default.

Also when Keycloak is the authentication provider i do a redirect to the forgot password flow.

Please you can check and give me feedback thanks.

Thanks

@daveotengo
Copy link
Author

daveotengo commented Oct 28, 2024

The easiest would be:

  • The button to reset password should be hidden, when keycloak is used as authentication provider.

If you want to have a more sophisticated approach:

  • Add a feature configuration for "Self reset password"
  • If Keycloak is the authentication provider the button should redirect the user to the "forgot password"-flow, which does actually the same as resetting the password.

The feature configuration should - be default - be false. If SORMAS admins want/need that functionality they can just enable it in the feature config

@markusmann-vg

I think the issue with your approach is that it does not make provision for the mobile app since password reset also happens on the mobile app.

So incase the authenticaionProvider=KEYCLOAK what happens on the mobile app should i make it invisible on the mobile app or i should create a similar method to handlePasswordResetEvent in the KeycloakService class and modify it to for it to fit that functionality.

If the former should be the case then can I add an "authenticationProvider" key with its value to the "sormas-app.properties" and use that to determine on the mobile app that if authenticationProvicer=KEYCLOAK then the the password resetbutton should not be seen. Incase you don't want me to use the "sormas-app.properties" file to handle that kindly let me know how you want us to handle it.

I will be waiting for your thoughts.

Thanks
David Oteng

@daveotengo
Copy link
Author

@markusmann-vg

I eventually used FeatureTypeProperty.AUTHENTICATION_PROVIDER in feature configuration with the FeatureType.SELF_PASSWORD_RESET so i am able to grab the value of the authentication provider in the mobile app and that makes the configuration more centralized.

So with this i hide the password reset option when FeatureTypeProperty.AUTHENTICATION_PROVIDER="KEYCLOAK" but show it when its "SORMAS" on mobile.
So kindly let me know if you are okay with that if not let me know your thoughts.

Thanks
David Oteng

@daveotengo
Copy link
Author

daveotengo commented Nov 1, 2024

@markusmann-vg,

After a careful thought i decided to check the feasibility of implementing the self reset password with keycloak to also be done on the mobile so that inspired the approach of not hiding the functionality anymore so now i have taken off the "redirect to forgot password" approach you suggested earlier from the web to use that same function making the self reset with keycloak work on both mobile and web now.

But with that approach you need to turn on "Direct access grant" on "sormas-backend" client on the keycloak admin console to allow the validation of current password to work" on the web.

As for the mobile current password validation is done using the local database or cached password after login is successful. I think that improves the user experience on both the mobile and web.

Mean while let me know if you still want me to switch back to the redirect implementation .. it will not take time to do so.

Thanks
David Oteng

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[EPIC] Password reset Merge back to SORMAS main branch.
7 participants