This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Use first available membership for password reset #1448

Merged 6 commits on Dec 22, 2020

@whaught (Contributor) commented Dec 22, 2020

Proposed Changes

  • Password reset occurs from a context that has no auth set and we allow realms to localize the email templates if using their own SMTP server
  • Select the first available membership realm for password reset so the user can get a localized email.
    • Not ideal for members of many realms, but that is not expected for most users

Release Note

Select a realm-localized template for reset password

@@ -79,6 +81,20 @@ func (c *Controller) HandleSubmitResetPassword() http.Handler {
var resetComposer auth.ResetPasswordEmailFunc

membership := controller.MembershipFromContext(ctx)

// This is likely - most users reset password from un-authed context.
if membership == nil {
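
Review bot: the comment above `if membership == nil` says "This is likely" without naming what is likely. State the condition outright, for example "membership is nil for most requests because password reset is submitted from an un-authed context", so a reader does not have to infer it from the branch that follows. Since the nil case is the common path rather than an error path, the comment should also say what the handler falls back to when it is taken.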
Member

The middleware sets CurrentMemberships (plural) too - you can use that instead of doing a lookup.

Contributor Author

Only for RequireAuth pages, which this is not. I don't believe the user will have a session (with currentmembership and realm set).

Member

It gets populated by LoadCurrentMembership, not requireauth. And I'm pretty sure this route calls LoadCurrentMembership

Contributor Author

These do:

this one is here:

sub.Handle("/login/reset-password", loginController.HandleSubmitResetPassword()).Methods("POST")

Member

Ah blarg. I messed up that ordering then. Do you have bandwidth to refactor the middleware to load memberships and require that middleware here?

Loading memberships is really expensive (it's an O(n+1) query), so I'd prefer to do it in middleware and cache it on the context once.

Contributor Author

This is unauthenticated (the user types in their email address) so there is no user or membership yet. I've changed this to be less expensive by db querying without loading all memberships.

@sethvargo (Member) left a comment

/lgtm

membership, err = user.SelectFirstMembership(c.db)
if err != nil {
if database.IsNotFound(err) {
logger.Infof("No membership found for %s", user.Email)
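
Review bot: the `logger.Infof` call in the `IsNotFound` branch formats `user.Email` into the message with `%s`, which writes the address into info-level logs as free text. Pass it as a structured field instead, for example `logger.Infow("no membership found", "email", user.Email)`, or log an internal identifier in place of the address, so the value can be filtered or redacted downstream and an unusual address cannot change the shape of the log line.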
Member

Can we make this Infow in another PR?

@google-oss-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sethvargo, whaught


@google-oss-robot google-oss-robot merged commit 8528d0a into google:main Dec 22, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 24, 2020