feat(setup): Zope root Basic -> cookie login form

Improve the Zope root ZMI login UX, avoid all the HTTP `Authorization: Basic ...` edge cases and hassles. Switch the default authentication challenge for the Zope root `/acl_users` from HTTP `Authorization: Basic ...` to the cookie auth plugins basic login form. This should be a much better UX overall and shouldn't cause any fundamental issues. One can still use HTTP `Authorization: Basic ...` manually by adding credentials to the URL: http://admin:secret@localhost:8080/manage_main But may cause issues where tests expect the HTTP `Authorization: Basic ...` challenge response or existing uses where new Zope instances are created as a part of normal use (SAAS?). We could also consider adding an upgrade step to make this change to existing installations but that would be disruptive to any existing installations that require HTTP `Authorization: Basic ...`. I can't imagine why that would be, but we should probably expect those use cases to come out of the woodwork once an upgrade step is released.
plone · Feb 14, 2022 · 7e6d9d5 · 7e6d9d5
1 parent 4bffb6a
commit 7e6d9d5
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 19 deletions.
diff --git a/src/Products/PlonePAS/setuphandlers.py b/src/Products/PlonePAS/setuphandlers.py
@@ -324,9 +324,14 @@ def migrate_root_uf(self):
     pas = uf.manage_addProduct['PluggableAuthService']
     plone_pas = uf.manage_addProduct['PlonePAS']
     # Setup authentication plugins
-    setupAuthPlugins(parent, pas, plone_pas,
-                     deactivate_basic_reset=False,
-                     deactivate_cookie_challenge=True)
+    setupAuthPlugins(
+        parent,
+        pas,
+        plone_pas,
+        deactivate_basic_reset=False,
+        # Switch from HTTP `Authorization: Basic ...` to cookie login form
+        deactivate_cookie_challenge=False,
+    )
 
     # Activate *all* interfaces for user manager. IUserAdder is not
     # activated for some reason by default.

diff --git a/src/Products/PlonePAS/tests/test_setup.py b/src/Products/PlonePAS/tests/test_setup.py
@@ -23,11 +23,11 @@ def setUp(self):
         self.app = self.layer["app"]
         self.root_acl_users = self.app.acl_users
 
-    def test_zope_root_default_challenge(self):
+    def test_zope_root_basic_challenge(self):
         """
-        The Zope root `/acl_users` default challenge plugin works.
+        The Zope root `/acl_users` basic challenge plugin works.
         """
-        # Check the Zope root PAS plugin configuration
+        # Make the basic plugin the default auth challenge
         self.assertIn(
             "credentials_basic_auth",
             self.root_acl_users.objectIds(),
@@ -39,6 +39,11 @@ def test_zope_root_default_challenge(self):
             HTTPBasicAuthHelper.HTTPBasicAuthHelper,
             "Wrong Zope root `/acl_users` basic auth plugin type",
         )
+        self.root_acl_users.plugins.movePluginsTop(
+            plugins_ifaces.IChallengePlugin,
+            [basic_plugin.id],
+        )
+        transaction.commit()
         challenge_plugins = self.root_acl_users.plugins.listPlugins(
             plugins_ifaces.IChallengePlugin,
         )
@@ -56,14 +61,14 @@ def test_zope_root_default_challenge(self):
         self.assertEqual(
             browser.headers["Status"].lower(),
             "401 unauthorized",
-            "Wrong Zope root `/acl_users` default challenge response status",
+            "Wrong Zope root `/acl_users` basic challenge response status",
         )
 
-    def test_zope_root_cookie_login(self):
+    def test_zope_root_default_login(self):
         """
-        The Zope root `/acl_users` cookie login works.
+        The Zope root `/acl_users` default login works.
         """
-        # Make the cookie plugin the default auth challenge
+        # Check the Zope root PAS plugin configuration
         self.assertIn(
             "credentials_cookie_auth",
             self.root_acl_users.objectIds(),
@@ -75,15 +80,6 @@ def test_zope_root_cookie_login(self):
             CookieAuthHelper.CookieAuthHelper,
             "Wrong Zope root `/acl_users` cookie auth plugin type",
         )
-        self.root_acl_users.plugins.activatePlugin(
-            plugins_ifaces.IChallengePlugin,
-            cookie_plugin.id,
-        )
-        self.root_acl_users.plugins.movePluginsTop(
-            plugins_ifaces.IChallengePlugin,
-            [cookie_plugin.id],
-        )
-        transaction.commit()
         challenge_plugins = self.root_acl_users.plugins.listPlugins(
             plugins_ifaces.IChallengePlugin,
         )