Closed prayagd closed 5 months ago
@ebma @vadaynujra @TorstenStueber @annatekl Have kept the login flow simple, just basic login and logout. Do we also need account management as in Change Password?
Hey team! Please add your planning poker estimate with Zenhub @b-yap @bogdanS98 @ebma @gianfra-t @TorstenStueber
Just to clarify
The Login flow is simple, with no account management. Basic login and logout, not password change.
'no account management' just means that editing the account data (eg. changing the password) is not in scope for now?
Also
- Show a pop-up with two fields
  - "Email" - only emails should be accepted here and no other text
    - If the email does not exist, show the error "Email does not exist, please sign up"
  - "Password" - only passwords should be accepted in this field
    - If the password is wrong, show the error "Incorrect password"
    - Show the error below the Password field
- Show a "Login" button below these two fields; the button should be enabled only after the two fields are filled in and correct
The check for a valid email and password should only happen upon submission. Otherwise, an adversary could just fiddle with the form fields all day to find existing email addresses and passwords. By checking this after the submission we can add spam protection.
> 'no account management' just means that editing the account data (eg. changing the password) is not in scope for now?

Yes, this is the suggestion from my end; let's see what other stakeholders also say here
> The check for a valid email and password should only happen upon submission. Otherwise, an adversary could just fiddle with the form fields all day to find existing email addresses and passwords. By checking this after the submission we can add spam protection.

Valid point, made changes
> on clicking the "Login" button from the pop-up, if successful
@prayagd all that comes after this should be part of another ticket.
Due to GDPR we need to use secure practices that do not expose whether an email address is in our system.
`emailValidated` (or better: a timestamp field `emailValidatedAt`) field in the user table
@prayagd I wrote "for a feature we will implement later" a few times in the above message. Could you already extract this into a new, low priority ticket (could be called "Improve Login/Signup UX")
Another comment: please don't make signup and login just popups, but make them dedicated pages/paths in the frontend, e.g., /login and /signup. Many good UX reasons for this.
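The GDPR point above (never reveal whether an email is registered) and the earlier point about checking only on submission translate into a backend rule: one generic failure message for both "unknown email" and "wrong password", the same password-hash cost on both paths so response time gives nothing away, and a throttle keyed by the submitted email rather than by existing accounts. The following is an added illustration, not the project's code; the in-memory `USERS` store, the PBKDF2 parameters and `MAX_ATTEMPTS` are assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
GENERIC_ERROR = "Incorrect email or password"  # identical text whether or not the email exists
LOCKED_ERROR = "Too many attempts, try again later"
MAX_ATTEMPTS = 5  # assumed throttle; applied only on submission, never while typing


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 (assumed parameters); returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    digest: bytes


# Constructed sample store with one account. The dummy user makes an unknown
# email cost exactly one PBKDF2 verification, so timing does not reveal existence.
USERS: Dict[str, User] = {"alice@example.com": User(*hash_password("correct horse battery"))}
_DUMMY = User(*hash_password("not-a-real-password"))
ATTEMPTS: Dict[str, int] = {}  # keyed by submitted email, existing or not


def login(email: str, password: str) -> Tuple[bool, str]:
    email = email.strip().lower()
    if not EMAIL_RE.match(email):
        return False, "Please enter a valid email address"  # syntax only, no lookup yet
    if ATTEMPTS.get(email, 0) >= MAX_ATTEMPTS:
        return False, LOCKED_ERROR  # same lock rule for unknown and known emails
    user = USERS.get(email)
    target = user if user is not None else _DUMMY
    _, digest = hash_password(password, target.salt)
    if user is not None and hmac.compare_digest(digest, target.digest):
        ATTEMPTS.pop(email, None)
        return True, "Login successful"
    ATTEMPTS[email] = ATTEMPTS.get(email, 0) + 1
    return False, GENERIC_ERROR
```

The frontend shows the returned message below the password field; the "Email does not exist" wording from the earlier spec never leaves the server.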
@TorstenStueber thanks for the comments, update the main description with your suggestions and will create a new ticket for the "for a feature we will implement later"
@prayagd Thanks, and please link to the new ticket(s) here.
@prayagd we should move this to icebox.
This ticket is meant for an obsolete prototype. Closed.
As a user, I should be able to log in on the web app
Acceptance criteria
/login
show two fields
Note
Standard secure Login/Signup flow
Due to GDPR we need to use secure practices that do not expose whether an email address is in our system.
General principles
Lo-fi wireframes