robby1066 / keepposted-help

Documentation, Issue Tracker, and Repository of Knowledge For Keep Posted (www.keepposted.io) — A way to keep teams informed and connected without disrupting their focus.
https://www.keepposted.io

Have a sign in path that starts from the root domain #69

Closed robby1066 closed 3 years ago

robby1066 commented 3 years ago

What's the problem you're hoping this new feature will solve?

If someone doesn't remember their subdomain, they won't be able to log in to Keep Posted

Description of feature

From the root domain https://www.keepposted.io, there should be a path for someone to log into their account that redirects them to the correct subdomain.

Alternatives and workarounds

There is no obvious workaround for this other than remembering your subdomain.

robby1066 commented 3 years ago

In progress. A few of the cases that need to be handled:

robby1066 commented 3 years ago

This is a challenge to do seamlessly without opening up some security holes that I don't want to mess with. The slightly degraded experience that preserves security may be to force the user to authenticate twice: once to redirect to the proper subdomain, and then again to establish a session once they've arrived there.

If the user has previously chosen to remain logged in on the subdomain, this will still be a seamless experience. Given that, plus the possibility that browsers will retain login info and autocomplete the subsequent form, I'm more inclined to go this route than try to manage a cross-domain POST request and the security fallout it would create.
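
The redirect step described in this comment, as an added illustration in Python (not the Keep Posted code base): the root domain checks the credentials, looks up the account's subdomain, and answers with a redirect that carries no session token or cookie, so the subdomain performs its own login. The `/sign_in` path, the in-memory account table and its salt are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Optional

ROOT_SUFFIX = "keepposted.io"

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is kept modest for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample directory: email -> (subdomain, salt, password hash).
# The real app would query its database here; these values are made up.
_SALT = b"constructed-static-salt"
ACCOUNTS = {
    "alice@example.com": ("acme", _SALT, _hash_password("correct horse", _SALT)),
}

# An account subdomain must be a single DNS label. Rejecting anything else
# (dots, slashes, '@') guarantees the redirect can never leave *.keepposted.io.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def is_safe_subdomain(label: str) -> bool:
    return _LABEL.match(label) is not None

def root_sign_in(email: str, password: str) -> Optional[str]:
    """Return the account's sign-in URL for valid credentials, else None.

    Nothing about the root-domain authentication crosses the domain boundary:
    the user authenticates again on the subdomain, or is let through by a
    remembered session already stored there.
    """
    record = ACCOUNTS.get(email)
    # Always run the hash so an unknown email takes as long as a wrong password.
    salt, expected = (record[1], record[2]) if record else (_SALT, b"\x00" * 32)
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if record is None or not ok:
        return None
    subdomain = record[0]
    if not is_safe_subdomain(subdomain):
        raise ValueError("stored account subdomain is not a valid DNS label")
    # Plain redirect target: no token, password or cookie is forwarded.
    return f"https://{subdomain}.{ROOT_SUFFIX}/sign_in"
```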

robby1066 commented 3 years ago

I have the sign in (as described above) working in dev, and it's clear that it needs some explanation for the case that someone has to enter their credentials twice. I'm adding text at the top that reads:

Enter your email and password to find your account's url. It looks something like: your-account.keepposted.io
You may need to log in again once you reach your account's url.

robby1066 commented 3 years ago

While adding this, I realized that if the goal is to make it easy for someone who has forgotten their account url to get logged in, the app needs to also cover the case of a forgotten password from the root domain as well. That is now implemented.

robby1066 commented 3 years ago

Doing some final testing and will deploy this afternoon.

robby1066 commented 3 years ago

Tested in production. Closing this issue.