On Wed, Jan 22, 2014 at 2:16 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
Morning, answers inline.
--
abstractj
On January 22, 2014 at 8:26:25 AM, Sebastien Blanc (scm.blanc(a)gmail.com)
wrote:
>
> Hi,
> Since the User Management PR has been submitted [1] there has
> been of a lot
> of useful and interesting feedback, thanks Matzew and Abstractj
> for that.
>
> Some valid concerns has been raised, in particular 2 of them that
> I would
> like to expose here and to discuss to see how we can deal witth them
> for
> the 0.10.0 release :
>
> 1.
> Currently the password register/reset link that is generated
> is persisted.
> This is a point of concern[2]. The fact is that with the current
> flow, we
> can not go against that:
>
> - An admin create an user, a link is generated.
> - The admin send this link to the new user.
> - The user browse to link -> at this moment we need to be able to
retrieve
> the stored link to check for its validity.
I completely understand that you guys need to release it by the end of
this month and I’m not against it. The goal was just to alert about the
risks and maybe create new Jiras for it (only to people know that we are
aware of it).
Well, even if it takes a bit longer (e.g. early Feb.), I think that is fine
to have a few more days/weeks to get the 'User Management' in. Was supposed
to be the 'big' item for 0.10 :) Other than that there were a few fixes and
UI polish things. So IMO waiting a bit is perfectly valid - my personal
opinion.
I am glad we are following up on these items, and eventually we create
JIRAs :-) Thanks for the heads-up, Bruno!
>
> Some points :
> - The token/register link is presisted without any relation
> with the newly
> created user, so an hacker could not make a connection between
> the 2.
Maybe is my misunderstanding about the big picture, but the token has no
relation with the newly created user, why do we have something like this?
https://github.com/aerogear/aerogear-unifiedpush-server/pull/118#discussi...
> - The new created user, as long he has not registered through the
> link,
> can not log into the system as he has no password, as Bruno suggested
> me to
> do on the ML.
>
> How shall we deal with that for 0.10.0 ? We can improve in 0.11.0
If we are aware of the improvements to the next release, why not?
that would be fine w/ me as well
Just make sure to remove any relation between users and tokens (at
least
for password reseting) and also make it clear to the “admin” that with
"great power comes with great responsibility”.
+1
I would suggest to point them to Jiras at our docs, we can always improve.
> and also
> keeping in mind that keycloak could come into the party quite
> soon.
We need to keep our eyes in Keycloak, but they are still under
development, the best approach is to make clear our needs, ideas and send
some code to the project, IMO.
yep, I agree!
>
> 2.
> Currently, to generate the register link, we use a private key.
> This key is
> located in the project[3]. This should not be in the github project
> as
> pointed by Bruno [4] which make totally sense. I will remove the
> private
> key from the repo and add instructions to tell how and where to
> put your
> private key.
>
> But I don't know how to deal for the UPS cartdridge, since we ship
> a war,
> the private key will be missing. Any ideas input on that is welcome.
I can help on it and change my priorities if necessary, just not sure
about the timing for you guys (I can do it today and make it available
tomorrow for testing).
IMO not worth rushing for today/tomorrow, as said above; If you can help
that would be extremely awesome, but let's not change all of your
priorities because of this :-)
-Matthias
Some ideas:
- Automagically generate the property file with the secret key, into this
way that would be per application.
- If we don’t have too much time, provide a script with the steps to
upload the keys on OpenShift (maybe the first step is less confuse)
> For 0.10.0, we could just ship a war containing a private key and
> add a
> warning and maybe add instruction on how to clone the app locally,
> change
> the key and push again (which is not really user friendly when
> you expect
> to have a cartdridge that "just work”).
+1 in the worst case scenario
>
> Notice that there is ticket to be able to manage your private key
> from the
> Admin console[5]
That would be nice
>
> Again, in the future, keycloak could be used also to manage the
> keys.
>
> Besides that, the current PR, in terms of functionnalities works
> : you can
> create and manage users like specified in the specs.
>
> So for the (very soon) 0.10.0 release how shall we deal with these
> concerns
> ?
Looking at UPS roadmap (
https://issues.jboss.org/browse/AGPUSH) the date
for 0.10.0 is Wed, right? I think independent of our decision now, the
timing is too tight to merge your PR and release it tomorrow, maybe we
should release it on the next week? Or do not merge that PR?
>
> Sebi
>
>
>
> [1]
https://github.com/aerogear/aerogear-unifiedpush-server/pull/118
> [2]
>
https://github.com/aerogear/aerogear-unifiedpush-server/pull/118#discussi...
> [3]
>
https://github.com/aerogear/aerogear-unifiedpush-server/blob/register_lin...
> [4]
>
https://github.com/aerogear/aerogear-unifiedpush-server/pull/118#discussi...
> [5]
https://issues.jboss.org/browse/AGPUSH-518
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Matthias Wessendorf
blog:
http://matthiaswessendorf.wordpress.com/
sessions:
http://www.slideshare.net/mwessendorf
twitter:
http://twitter.com/mwessendorf