User registration and password reset are broken due to the last_authenticated value being null#6458
ocket8888 left a comment:
This appears to fix the issue it's trying to fix, but I've discovered something troubling: the user is not required to set a password. The form can be submitted without setting a password, and that makes the token get dropped from the database, leaving the user with no way to authenticate, and that's not fixable without direct database manipulation. Also, their cookie is immediately invalid, so the very next request 401s and there's no way to obtain a new cookie.
To reproduce: register a user, then go to the link in the email, set the full name as indicated by the form as being required, then submit the form. If you just wait like a minute a "newcount" logs request will be made that will cause a "user not found" error to be returned from the API and you'll be dropped back on the login page with no way to log in since you don't have a password.
This should be fixed, but if you think it's out-of-scope for this PR/just don't want to do it, I'll just merge it and open a new issue.
Solving that problem is more complicated than I initially thought, because of LDAP and OAuth users. I'll open an issue for it probably tomorrow. This PR doesn't need to try to fix the problem.
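The ordering problem in the review above (the registration token is consumed regardless of whether a password was supplied, so a rejected or empty submission strands the account) shown as an added Go example; this is not Traffic Ops' own code, and `Store`, `NewStore`, `CompleteBuggy` and `CompleteFixed` are hypothetical stand-ins for the real handlers and tables:

```go
package main

import "errors"

// Constructed stand-ins for the registration-token and user tables; illustrative only, not Traffic Ops' real schema.
type Store struct {
	Tokens  map[string]string // registration token -> username
	HasPass map[string]bool   // username -> whether a password was ever set
}

var (
	ErrBadToken   = errors.New("registration token not found")
	ErrNoPassword = errors.New("password is required")
)

func NewStore(token, user string) *Store {
	return &Store{Tokens: map[string]string{token: user}, HasPass: map[string]bool{}}
}

// CompleteBuggy models the ordering the review describes: the token is
// consumed as soon as it is looked up and the password is never required,
// so an empty password leaves the account with no credential and no link.
func CompleteBuggy(s *Store, token, password string) error {
	user, ok := s.Tokens[token]
	if !ok {
		return ErrBadToken
	}
	delete(s.Tokens, token) // token gone regardless of the rest of the form
	if password != "" {
		s.HasPass[user] = true
	}
	return nil
}

// CompleteFixed rejects an incomplete submission before touching the token,
// so the user can correct the form and resubmit with the same link.
func CompleteFixed(s *Store, token, password string) error {
	if password == "" {
		return ErrNoPassword
	}
	user, ok := s.Tokens[token]
	if !ok {
		return ErrBadToken
	}
	delete(s.Tokens, token)
	s.HasPass[user] = true
	return nil
}
```

The same validate-then-consume ordering applies to the password-reset token, which the PR title says shares this code path.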
This PR closes #6457
Which Traffic Control components are affected by this PR?
What is the best way to verify this PR?
Run TP and TO, and verify that you can successfully register new users and reset passwords of existing users.
If this is a bugfix, which Traffic Control versions contained the bug?
PR submission checklist