Initial auth key implementation #57
This is currently a draft because I want to make sure the deployment scripts properly install and configure relevant packages (e.g., postfix), do so on service updates, and make local/dev deployments easier.
I like the approach. It's quite some machinery though to get this up and running (postfix). But I don't see a better generic way either... :-/
Yeah, I was worried about the same thing. But then I managed to set postfix up on my laptop fairly easily and it worked surprisingly well. I'll deploy this on a test server so we can test it out. One thing that would be nice is a mailing list to send admin requests to.
…faults), but back them up
…got a bit more complex.
…, and it wasn't that necessary before either, so remove it.
This should now be ready for review. You should use For the SDK, most of this story won't matter and you'll have to request a key manually at A note: AWS automatically blocks egress on port 25, so I had to use a mail gateway. However, I got them to remove the block on the LLNL AWS instances and I'll try to configure postfix to send mails directly, but probably not tonight.
This implements a workflow for requesting authentication keys through email.
The flow starts with an authentication token request page, which is a captcha-protected email entry. By default, free email services are rejected, but the user is given the opportunity to ask for an exception by justifying, in plain language, why an exception should be made. An admin email then receives the respective text and can approve or deny the request. If using an institutional email or if the exception request is approved, an email with a token is sent to the user. The user is given instructions on how to save and use the token.
Tokens are stored salted and hashed in the database, so a compromise of the database does not mean that the tokens are compromised.
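The workflow in the comment above (free-email rejection, admin-approved exceptions, and salted-hash storage of the issued token), modelled as an added example. This is not the PR's code: the captcha, the postfix delivery to the admin address, and the real database are out of scope and replaced by an in-memory service, the free-provider denylist is a stand-in assumption, and the `key_id.secret` token layout, the PBKDF2 parameters and the class and function names are all choices made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: a small denylist stands in for the configurable free-email
# list the PR describes; the real list is not shown in the thread.
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
PBKDF2_ROUNDS = 100_000  # illustrative work factor, not the project's setting


def is_institutional(email: str) -> bool:
    """Accept any address whose domain is not on the free-provider denylist."""
    _, sep, domain = email.rpartition("@")
    return bool(sep) and domain.lower() not in FREE_EMAIL_DOMAINS


def hash_token(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the secret half of a token."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class TokenRow:
    """What the database keeps: a public id, the owner, a salt and a digest.
    The secret itself is never stored, so a DB dump does not yield usable tokens."""
    key_id: str
    email: str
    salt: bytes
    digest: bytes


class TokenService:
    """Hypothetical in-memory model of the request / approve / verify flow."""

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRow] = {}
        self._pending: Dict[str, str] = {}  # email -> justification awaiting an admin

    def request(self, email: str, justification: str = "") -> Tuple[str, Optional[str]]:
        """Entry point behind the captcha page. Returns (status, token-or-None)."""
        if is_institutional(email):
            return "issued", self._issue(email)
        if justification.strip():
            # The real flow mails this text to the admin address via postfix;
            # here it is just parked until approve() or deny() is called.
            self._pending[email] = justification.strip()
            return "pending", None
        return "rejected", None

    def pending(self) -> Dict[str, str]:
        """Exception requests an admin still has to decide on."""
        return dict(self._pending)

    def approve(self, email: str) -> str:
        """Admin approval: clear the pending request and issue a token."""
        self._pending.pop(email)
        return self._issue(email)

    def deny(self, email: str) -> None:
        self._pending.pop(email, None)

    def _issue(self, email: str) -> str:
        key_id = secrets.token_hex(8)        # public handle used to find the row
        secret = secrets.token_urlsafe(32)   # 256-bit random part, shown to the user once
        salt = secrets.token_bytes(16)
        self._rows[key_id] = TokenRow(key_id, email, salt, hash_token(secret, salt))
        return f"{key_id}.{secret}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the owning email for a valid token, else None."""
        key_id, _, secret = presented.partition(".")
        row = self._rows.get(key_id)
        if row is None:
            # Hash anyway so an unknown id is not measurably faster than a wrong secret.
            hash_token(secret, bytes(16))
            return None
        if hmac.compare_digest(hash_token(secret, row.salt), row.digest):
            return row.email
        return None

    def rows(self) -> List[TokenRow]:
        """Expose the stored rows, e.g. to confirm no secret material is in them."""
        return list(self._rows.values())
```

The token is split into a public `key_id` and a random secret so the row can be found without a lookup over every digest; the salt then only has to defend the secret half, and `hmac.compare_digest` keeps the final comparison constant-time.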