User:Clouserw/AMO/Auth

From MozillaWiki
Jump to navigation Jump to search
Draft-template-image.png THIS PAGE IS A WORKING DRAFT Pencil-emoji U270F-gray.png
The page may be difficult to navigate, and some information on its subject might be incomplete and/or evolving rapidly.
If you have any questions or ideas, please add them as a new topic on the discussion page.

Current flow and challenges

On AMO User is given a single button for login/register and a link underneath for admins/editors. Regular users click the "log in/register" button, go through Browserid flow, and are logged in. Privileged users click the link, are prompted with the local authentication form, and are logged in after that. This is a potentially confusing split for the end users and also leads to two code paths which I'd like to avoid.

On Builder users are given a form to log in. Builder takes those credentials and talks directly to the AMO database to verify them. We'd like to remove that direct access to the db and simplify this flow.

On forums.amo phpBB(!) takes those credentials and talks directly to the AMO database to verify them. We'd like to remove that direct access to the db as well as fix the auth problems phpBB has (capital letters, etc.).

Security has made it a requirement that privileged users on AMO must give an additional token (with more requirements) before they are authenticated to AMO so Browserid alone is not good enough there.

Proposed Solution

  1. [DONE] Builder flips to using Browserid as its only authentication (for both admins and regular users). Builder continues to retrieve account id, homepage, display_name, etc. from the AMO database directly. (Since both AMO and browserid have independently confirmed the user owns the address this remains secure).
  2. [DONE] AMO builds a simple API end point for user data including the information Browserid is using (and specifically *not* password data). This API endpoint is behind oauth and accessible only to specific oauth keys (in this case, builder's and the forums).
  3. bug 724648 Builder uses that API and we remove the direct database access from builder.
  4. We add Browserid support to the forums as the sole means of logging in.
  • Forums will be decoupled from AMO (no API/database access). People can modify their phpBB profiles as with any other forum site.
  • Maybe we can get a volunteer to write the phpBB+Browserid plugin. :D
  1. AMO switches to using Browserid as its primary authentication. The transition is:
  • User is shown a login/register button that launches Browserid
  • User authenticates
    • If the user authenticates successfully and had a local password set, we set the local password to null (or "browserid::" if we want to follow the current format)
    • Regular users are done at this point
  • If User is privileged they are shown a second form with a single password field[1]. This is their password that is currently in the database (sha hash)
    • User must authenticate here before they are allowed to continue. Failure to authenticate results in no session created.

This provides us with a single flow of code and fulfills the additional requirements the security team has requested. Once this has been implemented, we can increase the security of administrative accounts on AMO by converting them to bcrypt without affecting any other services. Setting the user's password to null means they can't go back to the old login form

[1] The single password field is for legacy reasons only. It would be possible to use other forms of verifying a users identity here also.

Open Questions

  • How can a user register for a new account on builder?
    • Possible to create an oauth API to make accounts automatically but would need a=legal and a=fligtar as there are some developer agreements that users need to see. In the short term you'd have to do what we do now: send the user to AMO to register first.
    • We may consider to NOT force syncing the Builder with AMO account. This is needed only for uploading the add-on to AMO. This feature might be enabled for synced accounts. If the user wishes to use the Builder without creating an account on AMO, some features will be disabled. If later on the user will create an account on AMO (possibly from the link near "upload to AMO") these features might be enabled. This does not require a lot of coding.
  • Administrative users on builder and the forums are not asked for additional credentials. Will this need to be added?
  • When someone first joins a privileged group on AMO they won't have a local password set. How do they log in?
    • In that case we should prompt them to set one right after the browserid auth.
Retrieved from "https://wiki.mozilla.org/index.php?title=User:Clouserw/AMO/Auth&oldid=394588"