Update login form display strategy #669

Merged
merged 2 commits into from
Feb 9, 2024

Conversation

Sae126V (Contributor) commented Nov 9, 2023

Prevents access to the login form.

Need to prevent access to the login form when the admin has decided to disable (set to false) both localAuthenticationVisible and showLinkToLocalAuthn.

rmiccoli (Contributor) left a comment

Hi, I think the behaviour is already like that, isn't it? See https://github.com/indigo-iam/iam/blob/develop/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp#L76.

Sae126V (Contributor, Author) commented Nov 9, 2023

Say, when the admin has set loginPageMode to Hidden (an edge case that might happen: users who know the route link will still be able to access the login form even though the admin doesn't want users to enter credentials to log in). Does that make sense?

rmiccoli (Contributor) commented Nov 9, 2023

> Hi, I think the behaviour is already like that, isn't it? See https://github.com/indigo-iam/iam/blob/develop/iam-login-service/src/main/webapp/WEB-INF/views/iam/login.jsp#L76.
>
> Say, when the admin has set loginPageMode to Hidden (an edge case that might happen: users who know the route link will still be able to access the login form even though the admin doesn't want users to enter credentials to log in). Does that make sense?

Ok, clear now. Yes, it makes sense to me.

Sae126V force-pushed the restrict-access-to-login-form branch from f192d11 to 2247a1c on November 10, 2023 13:58

rmiccoli (Contributor) left a comment

Rethinking about this issue, the 'HIDDEN case' is already used in production and we don't want to break it. Then, you can add another property, such as DISABLED, to reproduce your behavior.

Sae126V (Contributor, Author) commented Nov 17, 2023

No worries. I thought the DISABLED case was the same as HIDDEN. If it makes no sense, I am happy to close this PR :)

enricovianello (Member) commented

> Prevents access to the login form.
>
> Need to prevent access to the login form when the admin has decided to disable (set to false) both localAuthenticationVisible and showLinkToLocalAuthn.

My only comment is that I'd change the "title" of this PR/fix. We're not preventing access, we're changing (in a correct way) the logic that hides a form. The login endpoint still logs you in if you present the right credentials (through curl, e.g.). Then, I'll update the PR title in order to be clearer about this. Something like "Update login form display strategy", e.g.

Sae126V changed the title from "Prevent unauthorized access to the users" to "Update login form display strategy" on Dec 1, 2023
sonarcloud bot commented Dec 1, 2023

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A (0 Bugs)
  • Vulnerabilities: A (0 Vulnerabilities)
  • Security Hotspots: A (0 Security Hotspots)
  • Code Smells: A (0 Code Smells)
  • No Coverage information
  • No Duplication information

federicaagostini (Contributor) commented

LGTM

federicaagostini removed their request for review on February 8, 2024 16:15

sonarcloud bot commented Feb 8, 2024

Quality Gate passed

  • Issues: 0 new issues
  • Measures: 0 Security Hotspots; no data about Coverage; no data about Duplication

See analysis details on SonarCloud

rmiccoli (Contributor) commented Feb 8, 2024

Hi @Sae126V,

we were reviewing your PR, which is fine.
Currently, by setting the following properties:

  • IAM_LOCAL_AUTHN_LOGIN_PAGE_VISIBILITY = hidden
  • IAM_LOCAL_AUTHN_ENABLED_FOR = none

The local authentication is still shown by adding the sll=y parameter, but the functionality is disabled (see the attached screenshot).

[Screenshot from 2024-02-08 17-50-51]

Let's decide together which behavior is preferred.
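The behaviour rmiccoli describes above, separated into the two decisions the thread keeps apart (whether the JSP renders the form, and whether the login endpoint accepts credentials), as an added illustration that is not code from the indigo-iam project: the `LoginPageVisibility` enum, the `DISABLED` value suggested in review, and the `"all"`/`"none"` values of `enabled_for` are assumptions modelled on the property names in this PR, not the project's real types.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Mapping


class LoginPageVisibility(Enum):
    """Hypothetical model of IAM_LOCAL_AUTHN_LOGIN_PAGE_VISIBILITY values (assumed)."""
    VISIBLE = "visible"    # form rendered on every visit
    HIDDEN = "hidden"      # form collapsed; the sll=y query parameter reveals it
    DISABLED = "disabled"  # form never rendered, whatever the query string says


@dataclass(frozen=True)
class LocalAuthnConfig:
    visibility: LoginPageVisibility
    enabled_for: str  # "all" or "none", after IAM_LOCAL_AUTHN_ENABLED_FOR (other values not modelled)


def show_login_form(cfg: LocalAuthnConfig, query: Mapping[str, str]) -> bool:
    """Presentation decision only: should the login page render the username/password form?"""
    if cfg.visibility is LoginPageVisibility.VISIBLE:
        return True
    if cfg.visibility is LoginPageVisibility.HIDDEN:
        return query.get("sll") == "y"
    return False  # DISABLED: nothing in the request can reveal the form


def local_authn_enabled(cfg: LocalAuthnConfig) -> bool:
    """Authorization decision: is password login usable at all on this deployment?"""
    return cfg.enabled_for == "all"


def accept_local_login(cfg: LocalAuthnConfig, credentials_valid: bool) -> bool:
    """The login endpoint's gate. It ignores visibility on purpose: a POST sent from
    curl never saw the form, so hiding the form is not an access control."""
    return credentials_valid and local_authn_enabled(cfg)


def observed_case() -> tuple[bool, bool]:
    """The situation in the review comment: hidden page + enabled_for=none + ?sll=y."""
    cfg = LocalAuthnConfig(LoginPageVisibility.HIDDEN, "none")
    shown = show_login_form(cfg, {"sll": "y"})                  # True: form is revealed
    accepted = accept_local_login(cfg, credentials_valid=True)  # False: login still refused
    return shown, accepted
```

With `DISABLED` the form stays hidden even with `sll=y`, while with `enabled_for="all"` the endpoint still accepts valid credentials whatever the visibility, which is the distinction enricovianello draws when renaming the PR.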

rmiccoli merged commit 0d02aa0 into develop on Feb 9, 2024 (4 checks passed)

rmiccoli deleted the restrict-access-to-login-form branch on February 9, 2024 14:31
4 participants