Enhance login security #3168

Closed
15 tasks done
pronguen opened this issue Nov 23, 2022 · 0 comments
Labels
dev: security enhancement Improvement of an existing feature f: user management p-High High priority (to be solved in the 2-3 next months)

Comments

@pronguen (Contributor)

pronguen commented Nov 23, 2022

How it works

Login security can be enhanced.

Improvement suggestion

Software

  • Strengthen password requirements (see recommendations): find a good library example: https://pypi.org/project/password-strength/
  • Add a function in the professional interface, user editor, for generating a strong password, seeing it, but then not editing it manually.
    • It generates a random alphanumeric sequence of 8 characters
    • When generating the password, it is automatically copied to the clipboard so that the librarian can then easily give it to the patron.
  • Modify feedback message in case of a failed attempt so that the user cannot know whether the user or the password is wrong (supercharge invenio-accounts failed login messages to return the same message). (security: uniformize failed login message #3189)
    • Modify json response on failed login so that we don't know the problematic field.
  • Add an enumeration value in the user field gender: no_information
  • A permanent message appears on the login screen for 3 months: For security reasons, your password was reset on XX.XX.XXXX in order to comply with stricter requirements. If you are unable to log in, please set a new password or contact your library.
    • This should be in a config so that different instances can show the message or not.
  • Change the login information for the test version

Tasks in production (see gitlab wiki)

  • All users' passwords are reset according to the new requirements
  • (nice-to-have) Restrict the number of consecutive accesses by IP to certain critical URLs to prevent exploits

Linked to this issue

#1534

Context

Issue suggested by Adrien Kunysz
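A sketch, added here and not code from rero-ils or invenio-accounts, of two items in the list above in Python: a CSPRNG-based generator for the librarian-facing password (length is a parameter, default 8 as the issue specifies) and a login check whose JSON response and hashing cost are the same whether the e-mail or the password is wrong. The in-memory user store, salt, PBKDF2 parameters and response shape are constructed for this example.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
# One message for every failure and no "field" key, so a caller cannot
# tell a wrong e-mail from a wrong password from the JSON body.
GENERIC_FAILURE = (401, {"message": "Invalid e-mail or password"})


def generate_password(length=8):
    """Random alphanumeric password drawn from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password, salt):
    # Constructed parameters; a real deployment uses its framework's hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed in-memory user store: {email: (salt, password_hash)}.
_SALT = b"constructed-salt"
USERS = {"patron@example.org": (_SALT, hash_password("s3cretPass", _SALT))}
# Dummy credentials checked when the e-mail is unknown, so a miss costs the
# same hashing work as a wrong password (no timing hint about the e-mail).
_DUMMY = (_SALT, hash_password(generate_password(), _SALT))


def login(email, password):
    """Return (status, json_body); the body is identical for every failure."""
    salt, stored = USERS.get(email, _DUMMY)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    if email not in USERS or not match:
        return GENERIC_FAILURE
    return 200, {"message": "Logged in", "user": email}
```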

@pronguen pronguen added enhancement Improvement of an existing feature dev: security f: user management p-High High priority (to be solved in the 2-3 next months) labels Nov 23, 2022
PascalRepond added a commit to PascalRepond/rero-ils that referenced this issue Jan 3, 2023
PascalRepond added a commit to PascalRepond/rero-ils that referenced this issue Jan 5, 2023
PascalRepond added a commit to PascalRepond/rero-ils that referenced this issue Jan 5, 2023
PascalRepond added a commit to PascalRepond/rero-ils that referenced this issue Jan 5, 2023
PascalRepond added a commit to PascalRepond/rero-ils that referenced this issue Jan 5, 2023
PascalRepond added a commit to PascalRepond/rero-ils that referenced this issue Jan 16, 2023
PascalRepond added a commit that referenced this issue Jan 16, 2023
PascalRepond added a commit that referenced this issue Jan 17, 2023