jupyterhub / the-littlest-jupyterhub

Simple JupyterHub distribution for 1-100 users on a single server
https://tljh.jupyter.org
BSD 3-Clause "New" or "Revised" License

Make it more clear in the docs how setting a password for the first time works and how a user can change its password #481

Open iapyeh opened 4 years ago

iapyeh commented 4 years ago

Describe the bug

I would like to let users set their own password.

To Reproduce

  1. open the url http://tljh.jupyter.org/en/latest/howto/auth/firstuse.html
  2. do "sudo tljh-config set auth.type firstuseauthenticator.FirstUseAuthenticator" and "sudo tljh-config reload" (but even if the user logs out and logs in again, he is not asked to provide a new password as described at the above URL)
  3. follow the steps: 1. delete user 2. request to log in again

Expected behavior

The deleted user can set his own password as described in the document.

But before being deleted, the user can log in without a password. After being deleted by the admin, the user always fails to log in.

If the user is added again, it seems nothing has changed. The user can log in without a password. The user still fails to find a place to set his password.

Compute Information

GeorgianaElena commented 4 years ago

Hey @iapyeh! The way FirstUseAuthenticator works is that it allows setting a password when a user (added by the admin) first logs in. Until https://github.com/jupyterhub/firstuseauthenticator/pull/21 gets merged and a new release is made, setting an empty password is valid.

This step is needed when one wants to switch back to FirstUseAuthenticator from a different authenticator, because FirstUseAuthenticator is TLJH's default authenticator.

The user is not explicitly asked to set a new password (through a special login page or anything like this). The password the user uses when they first log in is their password from then on (including no password at all).

The reason why the user can log in without a password is that when they first logged into TLJH they hadn't set any password (i.e. in the login page they just entered their username and the password field was empty).

This usually happens when the user account wasn't manually created and TLJH isn't allowed to create users by itself (ref: http://tljh.jupyter.org/en/latest/howto/auth/firstuse.html#allowing-anyone-to-log-in-to-your-jupyterhub)

This is the intended behavior. The place for a new user to set their password is the login page.

Tip: If a user has set an empty password by mistake or wants to change their password, this can also be done by accessing <your_server_ip>/hub/auth/change-password.

We should definitely make it more clear in the TLJH docs the way the authenticator works and also have an easy-to-find section about changing the password through /hub/auth/change-password, so thanks a lot for opening this issue :sun_with_face:
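
A simplified model of the first-use behaviour described in this thread, added here as an illustration; it is not code from FirstUseAuthenticator or TLJH. The class name, its `min_password_length` parameter and the PBKDF2 storage are assumptions of the example, chosen to show the empty-password case next to a variant that rejects it.

```python
import hashlib
import hmac
import os


class FirstUseModel:
    """Toy model of first-use authentication (hypothetical, not the project's code)."""

    def __init__(self, allowed_users, min_password_length=0):
        self.allowed = set(allowed_users)    # accounts added by the admin
        self.min_len = min_password_length   # 0 models "an empty password is valid"
        self.store = {}                      # username -> (salt, derived key)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _set(self, username, password):
        if len(password) < self.min_len:
            return False                     # refuse empty or too-short passwords
        salt = os.urandom(16)
        self.store[username] = (salt, self._derive(password, salt))
        return True

    def login(self, username, password):
        if username not in self.allowed:
            return False
        if username not in self.store:
            # First login: whatever was typed in the form becomes the password.
            return self._set(username, password)
        salt, key = self.store[username]
        return hmac.compare_digest(key, self._derive(password, salt))

    def change_password(self, username, old, new):
        # Models the change-password page: verify the old value, store the new one.
        if username not in self.store or not self.login(username, old):
            return False
        return self._set(username, new)


if __name__ == "__main__":
    weak = FirstUseModel({"alice"})                       # constructed sample user
    print("empty first login accepted:", weak.login("alice", ""))
    print("empty password keeps working:", weak.login("alice", ""))
    print("changed:", weak.change_password("alice", "", "correct horse"))
    print("empty password after change:", weak.login("alice", ""))
    strict = FirstUseModel({"bob"}, min_password_length=8)
    print("strict model, empty first login:", strict.login("bob", ""))
```
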