CityOfBoston / digital

City of Boston javascript webapps managed by DoIT Digital Team.
https://www.boston.gov/digital

Access Boston Registration bug #888

Closed g-grozier closed 2 years ago

g-grozier commented 2 years ago

When a user sets up MFA they can choose to use email for their second factor (but it's a wee link at the bottom to discourage them). If they do choose to use email -- the system is supposed to check against the City's domains and NOT let them register using a City email (bpl.org, boston.gov, etc).

I'm looking at users who have enrolled for PingID with email as their primary second factor and all the Boston domains are in there... which, if they are trying to use forgot password to get a code, is going to be SUPER HARD to get. One of the tabs on the Portal Content Google Sheet is the list of domains to be embargoed.

Need this fixed asap...please

g-grozier commented 2 years ago

specifically found bpl.org, boston.gov and bostonpublicschools.org in the registered email addresses

davidrkupton commented 2 years ago

The blacklist is as follows (from the portal in the first comment):

g-grozier commented 2 years ago

I just added bphc.org to the list (on the Sheet). We are in the process of integrating with the Public Health Commission so as long as we are in there, let's just add them now.

On Wed, Apr 6, 2022 at 10:13 AM David Upton @.***> wrote:

The blacklist is as follows (from the portal in the first comment):

  • boston.gov
  • pd.boston.gov
  • bostonpublicschools.org
  • bpl.org
  • cityofboston.gov
  • ci.boston.ma.us
  • boston.k12.ma.us


phillipbentonkelly commented 2 years ago

Est. 3hr

@g-grozier I am going to need to work with someone on your team to integrate and test this; that will require at least an hour meeting tomorrow or Friday. Last time I worked with Navan, but you let me know who's available that knows about this on your team and invite them. Also, they'll need to have a couple of accounts ready to test with.

cc: @davidrkupton, @rachelsater

davidrkupton commented 2 years ago

@g-grozier We have found this code in the main Access Boston application. We can add validation to the email address before it is submitted to Ping/FID to check the email address is not on the domains listed above. In order to test, could we have 3 usernames and passwords for accounts that are in the "Needs Registration" status on the Test environment.

phillipbentonkelly commented 2 years ago

@g-grozier, am picking up on this request again, trying to remember/confirm some details ... is this the page we're applying this modification to?

https://access-test.boston.gov/storybook/?path=/story/registermfapage--email

CC'd @stephaniemar so she's aware of the storybook templates for these pages, etc

ggrozierBOS commented 2 years ago

@phillipbentonkelly yes, should someone type in an email address there we need to return an error if it's a City of Boston associated domain (one of the ones listed above). @stephaniemar let me know if you need more details
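One way to implement the domain check described in this thread, as an added example that is not the Access Boston code: the domain list is the one posted above (plus bphc.org), the function names are assumptions, and matching is on label boundaries so subdomains such as pd.boston.gov are caught while a lookalike like notboston.gov is not.

```javascript
// Added example, not Access Boston code: reject MFA e-mail addresses whose
// domain is a City of Boston domain or a subdomain of one.

// Domains listed in the issue thread (the live source is the Portal Content sheet).
const BLOCKED_DOMAINS = [
  "boston.gov",
  "pd.boston.gov",
  "bostonpublicschools.org",
  "bpl.org",
  "cityofboston.gov",
  "ci.boston.ma.us",
  "boston.k12.ma.us",
  "bphc.org",
];

// Return the domain part of an address (lower-cased, trailing dot removed),
// or null when the input has no usable local part or domain.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  if (at < 1 || at === trimmed.length - 1) return null;
  return trimmed.slice(at + 1).toLowerCase().replace(/\.$/, "");
}

// True when `domain` equals a blocked domain or is a subdomain of one.
// The "." prefix in the suffix test keeps "notboston.gov" from matching "boston.gov".
function isBlockedDomain(domain, blocklist = BLOCKED_DOMAINS) {
  if (!domain) return false;
  return blocklist.some((blocked) => {
    const b = blocked.toLowerCase();
    return domain === b || domain.endsWith("." + b);
  });
}

// Result for the registration form: `ok`, plus the message to show the user.
function validateMfaEmail(email, blocklist = BLOCKED_DOMAINS) {
  const domain = emailDomain(email);
  if (!domain) return { ok: false, error: "Enter a valid email address." };
  if (isBlockedDomain(domain, blocklist)) {
    return {
      ok: false,
      error: "City of Boston email addresses cannot be used for MFA. Use a personal address.",
    };
  }
  return { ok: true, error: null };
}
```

The same check must also run on the server before the address is submitted to the identity provider; a browser-side check on the form is only a usability aid and can be skipped by anyone who posts the request directly.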

stephaniemar commented 2 years ago

Ok. Thanks @g-grozier -- seems pretty straightforward.

phillipbentonkelly commented 2 years ago

@ggrozierBOS I deployed the change to both DEV/TEST

In order to test, could we have 3 usernames and passwords for accounts that are in the "Needs Registration" status on the DEV or Test environments.

DineshBaddam commented 2 years ago

Hi Phill, these are the Test user accounts you can try. Test Users: 167525 Downtown341$ 167512 Puzzle950$ 167528 Rustic996#

phillipbentonkelly commented 2 years ago

Hi @DineshBaddam, the logins are not working, could they have expired by any chance ... also, are these for the DEV or TEST environment?

DineshBaddam commented 2 years ago

Hi Phill,

Here are the Test Users in the Test Environment: 167525 February102$ 167512 United729$ 167528 Winter517$

Thanks, Dinesh.

phillipbentonkelly commented 2 years ago

@ggrozierBOS, @stephaniemar domain exclusion is verified on the TEST environment.

stephaniemar commented 2 years ago

Thanks @phillipbentonkelly @g-grozier. Is this something we will need a Change Management form to deploy to PROD?

ggrozierBOS commented 2 years ago

I don't think it needs a change, but we will be doing testing too. Will let you know the results! G.

On Fri, Jun 24, 2022 at 12:17 PM stephaniemar @.***> wrote:

Thanks @phillipbentonkelly @g-grozier Is this something we will need a Change Management form to deploy to PROD?


ggrozierBOS commented 2 years ago

Tested with all the domains and not one of them would go through!


stephaniemar commented 2 years ago

Great!

DineshBaddam commented 2 years ago

I have also validated the scenario with all email endings, which is not accepting the work emails.

Thanks, Dinesh.

phillipbentonkelly commented 2 years ago

Deployed to PROD

ggrozierBOS commented 2 years ago

We are good to send this to Prod!

On Fri, Jun 24, 2022 at 2:55 PM DineshBaddam @.***> wrote:

I have also validated the scenario with all email endings, which is not accepting the work emails.

Thanks, Dinesh.
