OpenUserJS/OpenUserJS.org

Login page should be more verbose regarding authentication failures

mll0 opened this issue · 5 comments

mll0 commented

What happened?

I forked a script on OUJS years ago. I recently came back to update it, but couldn't log in.

  1. went to https://openuserjs.org/login
  2. Entered mll as username, and (default preferred authentication) as third-party site (tried choosing explicitly reddit or github subsequently, but to no avail). Also checked the privacy warning checkbox.
  3. On most of my attempts with (default preferred authentication), I was sent to reddit. I seem to have been sent to github once.
  4. Whatever the attempts, upon authorizing, I was sent back to https://openuserjs.org/login with the added string ?authfail#_ in the URL. No explanation message is displayed.

It turns out that I have 2 accounts on reddit, and I used the secondary one years ago to access OUJS. Attempting to log in with the other account, or another website, fails.

What should have happened?

This is completely understandable, but the page https://openuserjs.org/login?authfail#_ should provide us with some helpful info to help us understand why it fails, shouldn't it?

> ... It turns out that I have 2 accounts on reddit, and I used the secondary one years ago to access OUJS
> ...
> but the page https://openuserjs.org/login?authfail#_ should provide us with some helpful info to help us understand why it fails, shouldn't it?

Nope... that's how passport works. There is no possible way to know what you did/have on your end. If the token isn't accepted then it fails... if it is accepted then that token is used. Nothing we can do about it. You are the one responsible for knowing which reddit account you used.

mll0 commented

I see, thanks. Maybe however, some red text would help, mentioning that the website or account used doesn't match the ones used upon OUJS registration with the provided username.

> Maybe however, some red text would help, mentioning that the website or account used doesn't match the ones used upon OUJS registration with the provided username.

You are assuming your error is the only error.

Few rules for that page for any enhancement:

  1. Has to run without JavaScript.
  2. One landing page for logging in only.
  3. Minimal client-side scripts.
  4. Only possible use case would be to add it as a client side script and check the QSP existence... but see item 1.
  5. Multiple pages on our site call that page with different results and some are "fuzzy" so there would be no way to give an accurate notice. Best you could hope for is "Authorization fail" or short "authfail".
  6. Maintenance for this one request would probably bloat the views a bit more and take more back-end memory... If you've given any reading consideration to all of the past issues it's a lot about optimization. EDIT: Also most are redirects so options won't work... basically can't do anything about that due to the structure of MVC and express / mustache ... so not even possible.
  7. Only use case for possible improvement of a DOM element would be for portable devices... and the login screen is pushing those limits already... however most of those browsers show the url, so one could just read it.
  8. Back to the assumption that your authfail is the only use case... it isn't. Duplicated code again... see 6.
  9. Has to work with existing .user.js that some authors have done for this page and if not noticed by the one doing it (provided it's in our code and not just a .user.js).

These are just the ones that I can think of off the top of my head.

I will think about it but it is highly unlikely that I will come up with something due to the multiple constraints. It's quite possible a captcha may be added at some point due to the abuse of the site and that has higher priority than any "bling" along with the time of year it is... major migration time is fast approaching which is well documented in the README.md links.

If you think you can handle it we do accept PRs... but note the login page is quite finicky since it can be called from anywhere in the site... plus you'll have Active Maintainer discretion/evaluation to deal with (me) and above... and I have very little time at the moment to dedicate to a "bling" enhancement (including thinking about it at this time).

So I actually can do a variant of 6, 7 and 8. Been a really long time since I did the GDPR stuff and it's indirectly possible as an enhancement. If you want the text clearer submit a PR and it will be reevaluated when there is available time.
Also note authfail is one of those fuzzy ones... and we're not going to write a novel reminder notice on what could be, guessing what is, the issue. It's currently a default when all the known issues are trapped and not those. There are a few other ones as well that are fuzzy too.
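For readers wanting to see what a notice that satisfies rules 1 and 5 above could look like, here is an added example (not code from the OpenUserJS.org repository): the login route maps the `authfail` query-string flag to one fixed, generic string for the Mustache template, server-side, so it needs no client-side JavaScript. The view-model field names and the base URL handling are assumptions for illustration.

```javascript
// Added example, not OpenUserJS.org code: build the login page's view model from
// the request URL. Only allow-listed flags map to fixed text; the flag's value and
// any unknown parameters are ignored, so nothing from the URL is ever echoed back
// into the page (no reflected content, and no hint about which account failed,
// which the server cannot know anyway).
const NOTICES = Object.freeze({
  // the page's existing "fuzzy" default: kept deliberately short and generic
  authfail: 'Authorization failed.',
});

// Returns { hasNotice, notice } for a Mustache section such as
//   {{#hasNotice}}<p class="notice">{{notice}}</p>{{/hasNotice}}
// Mustache HTML-escapes {{notice}}; the section renders nothing when no flag is set.
// The "#_" fragment appended by the OAuth redirect never reaches the server, so it
// plays no part here. Base URL is assumed for resolving relative request paths.
function loginViewModel(requestUrl) {
  const url = new URL(requestUrl, 'https://openuserjs.org');
  const flag = Object.keys(NOTICES).find((f) => url.searchParams.has(f));
  return {
    hasNotice: flag !== undefined,
    notice: flag === undefined ? '' : NOTICES[flag],
  };
}
```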

mll0 commented

> So I actually can do a variant of 6, 7 and 8. Been a really long time since I did the GDPR stuff and it's indirectly possible as an enhancement. If you want the text clearer submit a PR and it will be reevaluated when there is available time.

Thanks. That's an improvement, even in its concise way.
I guess I won't submit a PR, since first the sentences are OK like this, and... I wouldn't know how to achieve that (believe it or not, I'm not knowledgeable in this git tech).