Merge lp:~deryck/launchpad/support-pape-max-auth-age into lp:launchpad
Status: | Merged |
---|---|
Approved by: | Deryck Hodge |
Approved revision: | no longer in the source branch. |
Merged at revision: | 15759 |
Proposed branch: | lp:~deryck/launchpad/support-pape-max-auth-age |
Merge into: | lp:launchpad |
Diff against target: |
102 lines (+35/-7) 3 files modified
lib/lp/services/webapp/login.py (+14/-3) lib/lp/services/webapp/tests/test_login.py (+20/-1) versions.cfg (+1/-3) |
To merge this branch: | bzr merge lp:~deryck/launchpad/support-pape-max-auth-age |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Abel Deuring (community) | code | Approve | |
Review via email: mp+117781@code.launchpad.net |
Commit message
Add support for PAPE extension max_auth_age to Launchpad login, which will allow us to force users to refresh their logins.
Description of the change
This branch is a first step in fixing bug 363916. That bug notes that we need to re-authenticate users when they try to update their email, gpg, or ssh info. In order to redirect them to Ubuntu SSO and refresh their login, we need to make use of PAPE extensions in our login process and set max_auth_age to 0.
This branch updates the login process to accept a reauth=1 query parameter. If that param is present when you redirect a user to +login, then the user will be prompted to re-authenticate and get a fresh login.
This work is being landed in isolation. There is a test to confirm this works, but otherwise, it's unused at this point. The branch to make use of it for updating email addresses was growing large, so I split this off by itself.
We also need a newer version of python-openid that supports pape extensions, so I've updated versions.cfg, too. This version of python-openid was committed to download-cache sometime ago, when I started in this work. I confirmed with wgrant that we had our patch in the fork version applied upstream. So we're fine to run a regular release now.
In terms of LOC change, this branch adds lines of code, but I have other branches that preceded this that changed doctests or dropped tests altogether which has given me some LOC credit for this work. Those tests were related to updating emails and didn't play well with re-authenticating, so the doctests were dropped in favor of unit tests, which gave me about 350 LOC credit.
I had a couple pre-implementation style calls with Francis about this work when I started work on it.
The branch is lint free.
looks good