Use pluggable authentication system

[marcopenhacking]

The Mozilla Persona authentication system could reduce the administrative effort and might be more secure in some cases than dealing with passwords and e.g. sending them by email.

Libraries in General: https://developer.mozilla.org/en-US/Persona/Libraries_and_plugins Library for Rails: https://github.com/mvxcvi/browserid-rails

I tested the Mozilla Persona Wordpress Plugin and it works very fine and flawless. The only thing I'm a little confused is that after a successful login and logout the browser needs to be closed to avoid a login without re-entering the Mozilla Persona password. But this might be work as specified and can be communicated to the user. Plugin, see: https://wordpress.org/plugins/browserid

If Mozilla Persona has potential for the future is probably hard to say (Transitioning Persona to Community Ownership). Maybe there are alternatives..? I find it practical and it might save a lot of trouble using Foodsoft as well.

[wvengen]

Yes, other authentication mechanisms is something that cames up from time to time.

I'd like to switch to Devise for this, which would allow authenticating with a whole lot of other authentication providers, including browserid.

This may be a path to get there:

• [ ] Get authentication in Foodsoft working with Devise
• [ ] Migrate other account-related functionality from Foodsoft to Devise
• [ ] Make layout styles blend in nicely
• [ ] Migration of passwords
• [ ] Update documentation and database seed
• [ ] Make authentication work with external authn providers (like browserid)
• [ ] Allow foodcoop admin to configure authn provider(s)
• [ ] Make sure there's always a local admin login and document it

[marcopenhacking]

Good to hear that there is a comprehensive library that provides support on authenticating.

In the post post you linked, benni suggested a more simple approach than integrating device which might be worth to consider as well:

I would suggest, that you start with a simple sign_up controller, with an new and create action, which you use to let the users create own accounts. But before letting the users order, they have to be activated by the foodsoft administrators. This workflow is easy to implement, and we can add a configurable welcome message, in where the new members are asked to pay the membership fee by bank transfer or something else.

For me the following steps would simplify things and especially keeping password more secure as they are not need to transfered by mail or else - they stay on the server:

• Registration link on the login page
• Mail is sent to the user to confirm the given mail address with a link to Foodsoft
• Mail is sent to Admin that a new user has registered and needs to be approved
• Admin confirms or deletes new user
• Account activation Mail is sent to the user

In Wordpress this workflow can be activated with e.g. the plug-in "Register Plus Redux".

This doesn't solve the problem when using multiple software / logins, but at least reduces effort/ increases security handling passwords. Additionally there is no additional dependency to a service which might be not conform with local data security laws and might be down/stops the service some day. So I went back a step from my initial feature idea here..

[wvengen]

Signup has been implemented in the foodcoop-adam fork. I've been wanting to get this back in the main foodsoft version, but haven't gotten round to that yet (it needs to be rewritten, since I think it's doesn't really work well as a plugin). I have a preference for focusing on Devise (which includes signup (Registerable)), vs. trying to reimplement signup, and then move to Devise.

[decentral1se]

Repling to https://github.com/foodcoops/foodsoft/issues/439#issuecomment-768347911 here, I think, as I think this is the right ticket to continue for our current needs at Biobulkbende.

We've moved on from the Yunohost packaging and am now using a centralised Keycloak (https://www.keycloak.org) for a single sign on for the coop. In this case, it is your a) scenario. It would be amazing to reduce the admin burden if we could get a oauth login on Foodsoft. We are using other services like Nextcloud and Rocket.chat and they all use our SSO.

[wvengen]

Great, then https://github.com/foodcoops/foodsoft/issues/336#issuecomment-68516167 would be applicable here. This is probably quite some work, which would be very welcome in my eyes. While this is not my development focus now, I'd be happy to support anyone working on this.

[decentral1se]

We are warming up the engines to secure some funding over at https://biobulkbende.org and I would hope to be able to be able to share some compensation if someone would feel more comfortable having that in place before committing to a large piece of work. If someone is interested to chat further about this, we could try to estimate the work.