Skip to content

Login-related changes - needed for TOTP #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: FRAMEWORK_6_0
Choose a base branch
from
Open

Login-related changes - needed for TOTP #21

wants to merge 2 commits into from

Conversation

@amulet1
Copy link
Contributor

@amulet1 amulet1 commented Jun 23, 2025
edited
Loading

Proposed changes:

  • Redesign code related to $loginParms handling in login.inc template
  • Move mode selector and most other hardcoded parameters and checks from the template to login.php
  • Add support for extra properties via optional 'extra' parameter
  • Add support for optional div wrapper via 'div' parameter
  • Add autocomplete=off for OTP (second factor) input

@amulet1 amulet1 changed the title fix: Correctly set error message coming from TOTP check Login-related changes Jun 24, 2025
@amulet1
Copy link
Contributor Author

amulet1 commented Jun 24, 2025

@ralflang, please review.

@ralflang ralflang self-requested a review June 24, 2025 03:41
@ralflang
Copy link
Member

ralflang commented Jun 24, 2025

Let's unbundle the login redesign from the fix.
If I find time I will split it off myself.
The fix part is OK and easy to merge.

The feature needs more review and I don't want to merge it right now.

  • smartmobile mode login screen is ignored
  • If display options are wrong in the inc file, they are wrong in the login.php file, too. Both variants cannot be unit tested easily.
  • Language selection already reacts to a config file.
  • Let's not mix the specifics of display with the availability of options on the feature level in new / refactored code.
  • Templates directory can be outsourced to another dir via the registry. This allows admins to locally override defaults. Moving business logic from templates to code is mostly good but moving display logic to the non-customizable part calls for trouble. One can move building the widgets to a view_helper class though.
  • Inline styling should move to css files as much as possible

ralflang
ralflang requested changes Jun 24, 2025
View reviewed changes
@ralflang ralflang mentioned this pull request Jun 24, 2025
Merged
@ralflang
Copy link
Member

ralflang commented Jun 24, 2025

Split off "fix" part into PR #22 and tested separately. Please rebase and let's think about this more before spending more work.

  • What is the intended effect of the remaining feature on administrators or developers
  • Do you need this for your own site?
  • Do we need this before GA release?

@amulet1 amulet1 force-pushed the login_totp2 branch 2 times, most recently from 50ce895 to 690a505 Compare June 24, 2025 11:43
@amulet1
Copy link
Contributor Author

amulet1 commented Jun 24, 2025
edited
Loading

Please rebase and let's think about this more before spending more work.

Done.

What is the intended effect of the remaining feature on administrators or developers

It should make things easier for administratos and developers.

Do you need this for your own site?

No. Note, autocomplete=off is needed for everyone.

Do we need this before GA release?

Absolutely.

It all started with the plan to simply add autocomplete=off for the second factor box. I looked inside of login.inc and realized that it is a collection of hardcoded checks, and the only way to add what i need without redesign would requre to add yet another hardcoded thing like <?php echo $key == 'horde_secondfactor' ? ' autocomplete="off"' : '' ?>, which makes it rely on exact naming coming from login.php, which is not good.

Instead we can now inject custom properties by using extra parameter, as simple as this:
'extra' => [ 'autocomplete' => 'off' ]

Not only this is cleaner, but also the code also applies htmlspecialchars [to the values].

The whole idea is to make login.inc unaware of exact names/parameters as much as possible by making sure all the custom things are kept in $loginParms. As I mentioned, the only hardcoded part that is left (which would be to trivially change too) is related caps-lock warning.

I would like to reiterate, that the proposed changes do not affect the existing logic or the resulted HTML output, just make things cleaner and easier to customize.

I tested it and compared original and new version output byte-by-byte with several scenarios (including type=hidden type). There are only minor white-space differences.

@amulet1 amulet1 requested a review from ralflang June 24, 2025 12:18
@amulet1
Copy link
Contributor Author

amulet1 commented Jun 24, 2025
edited
Loading

See #12 also. While this PR does not attempt to fix it, I believe it needs to be done before GA release.

@amulet1
Copy link
Contributor Author

amulet1 commented Jun 26, 2025

@ralflang, any chance you can merge this?

@ralflang
Copy link
Member

ralflang commented Jun 26, 2025

This needs more testing. In my local instance the smartmobile login screen no longer worked after this patch.

@ralflang ralflang self-assigned this Jun 26, 2025
@amulet1
Copy link
Contributor Author

amulet1 commented Jun 26, 2025

This needs more testing. In my local instance the smartmobile login screen no longer worked after this patch.

I just re-tested - the smartmobile login screen worked just fine for me.

As far as I can see, it is not affected by this PR (it uses smartmobile.html.php, not login.inc).

@amulet1
Copy link
Contributor Author

amulet1 commented Jun 26, 2025
edited
Loading

There is also room for further enhancements:

  • move caps-lock warning stuff to $loginParms
  • move language selector to $loginParms (it is already in $loginParms for smartmobile mode, so it is only logical)

@amulet1 amulet1 changed the title Login-related changes Login-related changes - needed for TOTP Jul 9, 2025
@amulet1
feat: Redesign login page
9d25672 
 * Redesign code related to $loginParms handling in login.inc template
 * Move mode selector and most other hardcoded parameters from the template to login.php
 * Add support for extra properties via optional 'extra' parameter
 * Add support for optional div wrapper via 'div' parameter
 * Add autocomplete=off for OTP (second factor) input
@amulet1
Copy link
Contributor Author

amulet1 commented Jul 10, 2025

@ralflang: please merge.

@amulet1
Copy link
Contributor Author

amulet1 commented Aug 6, 2025

@TDannhauer, please could you approve/merge?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ralflang ralflang Awaiting requested review from ralflang

Assignees

@ralflang ralflang

Labels

enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amulet1 @ralflang