cloud-gov / cg-uaa

DEPRECATED / DO NOT USE. This repo contains an old version of UAA with known security vulnerabilities. Use the upstream version.
Apache License 2.0

Give EPA/GSA users a helpful link to the login docs when they try to reset their cloud.gov password #29

Open brittag opened 8 years ago

brittag commented 8 years ago

In order for cloud.gov users to have a smooth experience logging into their cloud.gov accounts from both the web UI and CLI (including if they've forgotten a bit about how to use it): if they try to reset their password, the automatic error message should give them a helpful link to our docs that explain how to use SSO in the UI and CLI (https://docs.cloud.gov/getting-started/accounts/ and/or https://docs.cloud.gov/getting-started/setup/).

Right now, when people at GSA/EPA try to reset their password, the error message says:

Your account credentials for login.cloud.gov are managed by an external service. Please contact your administrator for password recovery requests.

This message is confusing. What it should really say is more like this (just sample language; I'd want to rework this a little more when we actually implement it):

Hi! We received a password reset request for your cloud.gov account. Your cloud.gov account access is handled by your agency's account system, so there is no cloud.gov-specific password that you can reset. To log into the cloud.gov web interface or command line interface, use your agency credentials by using these instructions and commands: https://docs.cloud.gov/getting-started/accounts/

The default message comes from a Cloud Foundry template: https://github.com/18F/cg-uaa/blob/master/server/src/main/resources/templates/mail/reset_password_unavailable.html

Info about changing this from this Slack message:

We have overridden UAA templates for login pages, etc. on our fork via a hack to check the web/cg directory since there’s no native functionality to overload the templates as it stands. Seems like we need to do the same for mail.

And:

Would have to look at the commit history to see where [we] did the hack to look in the cg directory. Probably easy to extend/replicate.

berndverst commented 8 years ago

Is there a reason we can't modify the template directly? Can someone tell me where the template is being overwritten right now?

mogul commented 8 years ago

Modifying the templates in situ will make it harder to merge upstream changes, particularly as UAA is expected to grow its own template overriding method at some point. We want to keep our UAA fork as mergeable as possible in case of security issues fixed upstream.

So just copy a template you want to change into the cg/ subdirectory and do your mod there.