[Bug 23011] New: AuthenticatePatron could alert if password is not safe
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Bug ID: 23011 Summary: AuthenticatePatron could alert if password is not safe Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Web services Assignee: koha-bugs@lists.koha-community.org Reporter: arthur.suzuki@biblibre.com QA Contact: testopia@bugs.koha-community.org Target Milestone: --- I work on a portal solution called Bokeh and we need to get the information from the webService that the patron's password is not safe and should be renewed. Reply from the webservice could look like this : <?xml version="1.0" encoding="UTF-8"?> <AuthenticatePatron> <patronId>4</patronId> <error>PatronPasswordNotSecure</error> <securePasswordPattern>^(?=.*[A-Za-z])(?=.*\d).{6,}$</securePasswordPattern> <securePasswordLabel>Password must be at least 6 character long and include a letter and a digit</securePasswordLabel> </AuthenticatePatron> That would allow the borrower to authenticate but provide the portal software with information about the rules to define a new password. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |arthur.suzuki@biblibre.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #1 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 93512 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=93512&action=edit Bug23011 : Add new tests (AuthenticatePatron error codes) This bug add new tests to the AuthenticatePatron ILS-DI service. It tests new error codes patron might get when successfully connecting but with a password which doesn't match Koha security rules. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #2 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 93517 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=93517&action=edit Bug23011 : Have AuthenticatePatron method send more information We want AuthenticatePatron to send some more information upon successful login, especially in the case where password is not safe and should be renewed. The goal is to let a third-party app catch thoses codes and display a warning to the users. Test plan : 1 / apply tests patch 2 / run tests, verify failure 3 / apply C4/ILSDI/Service.pm patch 4 / run tests again, verify green -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Julian Maurice <julian.maurice@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Failed QA CC| |julian.maurice@biblibre.com --- Comment #3 from Julian Maurice <julian.maurice@biblibre.com> --- Tests are failing, but it's just the number of tests that is wrong
Parse errors: Bad plan. You planned 9 tests but ran 10.
QA tool reports some errors as well:
FAIL C4/ILSDI/Services.pm FAIL forbidden patterns forbidden pattern: tab char (line 382) forbidden pattern: tab char (line 386) forbidden pattern: tab char (line 384) forbidden pattern: tab char (line 383) forbidden pattern: tab char (line 385)
Commit title does not start with 'Bug XXXXX: ' - de967f9fc0 Commit title does not start with 'Bug XXXXX: ' - 23cd5391bc
Otherwise it works well, but I'm a bit concerned by the fact that the patch duplicates the password regexp. If someone modify it in is_password_valid, there are high chances that they will forgot to modify it in ILSDI code. Also, it's not the only thing checked in is_password_valid (there is also a check on whitespaces). Is it really needed to return the regexp ? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #4 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- The regex is needed by the client app we use to provide some client side input validation before sending any new (and possibly wrong) password to koha. i'm thinking of the following solution : is_password_valid could return the regex in addition to the boolean and error. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #5 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 96560 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=96560&action=edit Bug 23011: Have AuthenticatePatron method send more information We want AuthenticatePatron to send some more information upon successful login, especially in the case where password is not safe and should be renewed. The goal is to let a third-party app catch thoses codes and display a warning to the users. Test plan : 1 / apply tests patch 2 / run tests, verify failure 3 / apply C4/ILSDI/Service.pm patch 4 / run tests again, verify green -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #6 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 96561 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=96561&action=edit Bug 23011: Add new tests (AuthenticatePatron error codes) This bug add new tests to the AuthenticatePatron ILS-DI service. It tests new error codes patron might get when successfully connecting but with a password which doesn't match Koha security rules. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #96560|0 |1 is obsolete| | --- Comment #7 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 96562 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=96562&action=edit Bug 23011: Have AuthenticatePatron method send more information We want AuthenticatePatron to send some more information upon successful login, especially in the case where password is not safe and should be renewed. The goal is to let a third-party app catch thoses codes and display a warning to the users. Test plan : 1 / apply tests patch 2 / run tests, verify failure 3 / apply C4/ILSDI/Service.pm patch 4 / run tests again, verify green -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #93512|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #93517|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - low |P4 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Emmi Takkinen <emmi.takkinen@outlook.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #96561|0 |1 is obsolete| | --- Comment #8 from Emmi Takkinen <emmi.takkinen@outlook.com> --- Created attachment 100423 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100423&action=edit Bug 23011: Add new tests (AuthenticatePatron error codes) This bug add new tests to the AuthenticatePatron ILS-DI service. It tests new error codes patron might get when successfully connecting but with a password which doesn't match Koha security rules. Signed-off-by: Emmi Takkinen <emmi.takkinen@outlook.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #9 from Emmi Takkinen <emmi.takkinen@outlook.com> --- Created attachment 100424 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100424&action=edit Bug 23011: Have AuthenticatePatron method send more information We want AuthenticatePatron to send some more information upon successful login, especially in the case where password is not safe and should be renewed. The goal is to let a third-party app catch thoses codes and display a warning to the users. Test plan : 1 / apply tests patch 2 / run tests, verify failure 3 / apply C4/ILSDI/Service.pm patch 4 / run tests again, verify green Signed-off-by: Emmi Takkinen <emmi.takkinen@outlook.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Emmi Takkinen <emmi.takkinen@outlook.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #96562|0 |1 is obsolete| | Attachment #100423|0 |1 is obsolete| | Attachment #100424|0 |1 is obsolete| | --- Comment #10 from Emmi Takkinen <emmi.takkinen@outlook.com> --- Created attachment 100425 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100425&action=edit Bug 23011: Add new tests (AuthenticatePatron error codes) This bug add new tests to the AuthenticatePatron ILS-DI service. It tests new error codes patron might get when successfully connecting but with a password which doesn't match Koha security rules. Signed-off-by: Emmi Takkinen <emmi.takkinen@outlook.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #11 from Emmi Takkinen <emmi.takkinen@outlook.com> --- Created attachment 100426 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=100426&action=edit Bug 23011: Have AuthenticatePatron method send more information We want AuthenticatePatron to send some more information upon successful login, especially in the case where password is not safe and should be renewed. The goal is to let a third-party app catch thoses codes and display a warning to the users. Test plan : 1 / apply tests patch 2 / run tests, verify failure 3 / apply C4/ILSDI/Service.pm patch 4 / run tests again, verify green Signed-off-by: Emmi Takkinen <emmi.takkinen@outlook.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Emmi Takkinen <emmi.takkinen@outlook.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |emmi.takkinen@outlook.com Status|Needs Signoff |Signed Off --- Comment #12 from Emmi Takkinen <emmi.takkinen@outlook.com> --- Forgot to obsolete last patch when signing off first time. But patch works as intended. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #13 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- I have the feeling that what you need here is a password_policy method that would return the different rules. For instance only checking for minPasswordLength is wrong, there is a default to 3 if the pref is not set (or < 3) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #14 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Yeay, thanks for signing off this patch Emmi =) Arthur -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #15 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Waiting for an answer. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #100425|0 |1 is obsolete| | --- Comment #16 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 106565 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=106565&action=edit Bug 23011: Add new tests (AuthenticatePatron error codes) This bug add new tests to the AuthenticatePatron ILS-DI service. It tests new error codes patron might get when successfully connecting but with a password which doesn't match Koha security rules. Signed-off-by: Emmi Takkinen <emmi.takkinen@outlook.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #100426|0 |1 is obsolete| | --- Comment #17 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 106566 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=106566&action=edit Bug 23011: Have AuthenticatePatron method send more information We want AuthenticatePatron to send some more information upon successful login, especially in the case where password is not safe and should be renewed. The goal is to let a third-party app catch thoses codes and display a warning to the users. Test plan : 1 / apply tests patch 2 / run tests, verify failure 3 / apply C4/ILSDI/Service.pm patch 4 / run tests again, verify green Signed-off-by: Emmi Takkinen <emmi.takkinen@outlook.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 --- Comment #18 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Created attachment 106567 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=106567&action=edit Bug 23011: QA follow-up -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff --- Comment #19 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- (In reply to Jonathan Druart from comment #15)
Waiting for an answer.
Bonsoir Jonathan :) I've implemented a password_policy method in charge of submitting the regex. KR, Arthur -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #20 from David Cook <dcook@prosentient.com.au> --- I think that sending the securePasswordPattern is not a good idea, as it's not the API consumer's job to handle the password. Sending "code" and "securePasswordLabel" is fine as that communicates the message from Koha to the API consumer. On my TODO list, I'm actually planning more complex password security than just a regex. I want to add a customizable list of passwords that users cannot use (e.g. "password", "123456", "Password1", "koha", etc). We could also add rules like the password and username cannot match. These aren't "patterns" per se, but would rather be communicated by "code" and "securePasswordLabel" I think. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Patch doesn't apply CC| |lucas@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23011 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Patch doesn't apply |RESOLVED Resolution|--- |WONTFIX --- Comment #21 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- Not really needed anymore since most development effort are now put on the rest-api. ILSDI is going to be deprecated sometime anyway. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org