OAuth new user register in MWDB (approval requirement for new accounts)

[dor15]

Environment information

• MWDB version (from /about):
• 2.16.0
• Installation method:
  • mwdb.cert.pl service
  • From PyPi (pip install mwdb-core)
  • From docker-compose
  • Other (please explain)
• Plugins installed:

Behaviour the bug (what happened?)

when I'm using OAuth login and uthe ser doesn't exist on MWDB, but exists on the OAuth provider, i'm getting pop-up - "We couldn't find an account associated with your OAuth identity. Do you want to register using [privde_name]?", and if you approve it new user created on MWDB without even move to "pending registration".
In the user-password login-based, every new user moves to "pending registration" first.

As the user-password login-based, every new user needs to move to "pending registration" first and not create the user automatically.

try to login with OAuth option with user which not exist on MWDB or didn't bind the provider yet.

here you can see the user-password based login with "pending" option

mwdb-core/mwdb/resources/auth.py

Line 180 in c778ccf

user = User.create(login, obj["email"], obj["additional_info"], pending=True)

and here the OAuth "create_user"

mwdb-core/mwdb/resources/oauth.py

Line 454 in c778ccf

user = provider.create_user(id_token_claims["sub"], userinfo)

[dor15]

as I can see, user.Create function is already supports "pending" flag, so maybe you can add this var to
https://github.com/CERT-Polska/mwdb-core/blob/master/mwdb/core/oauth/provider.py#L118

        return User.create(
            username,
            user_email,
            user_description,
            pending=True
        )

[dor15]

Hey
It's kind of a blocker on our side, and we want to avoid doing a "fork".
Can you check it please and let me know if you're going to push it?

[psrok1]

Hi!

Yes, we can make an option to mark the user as pending but there is a small detail that along with account approval, the user will be notified via e-mail with password set link attached.

If password-based login is disabled, you need to replace the mail template with the version that doesn't contain the set password link: https://github.com/CERT-Polska/mwdb-core/blob/master/mwdb/templates/mail/register.txt

Would it be good enough for you? Have you already tested that approach somehow?

[dor15]

hey
instead of sending the "register" template, is not possible to use the "pending" template - https://github.com/CERT-Polska/mwdb-core/blob/d31a035e244294244c887c7da4a322881ee20ae5/mwdb/templates/mail/pending.txt?

[psrok1]

• pending.txt is used when someone registers using registration form and waits for approval. It's an additional notification in case someone provided wrong or someone else's e-mail
• register.txt is used when administrator approves an account and that template contains set password link.

It would a bit too complicated to additionally distinguish between OIDC and form registrations and it's only the UX issue when password-based authentication is disabled, as user will get a message "Password-based authentication is disabled by administrator" while trying to set one. The most simple way to fix that is to remove placeholder for set password link from the template.

[psrok1]

This will be released soon along with proper documentation in v2.17.0

[dor15]

thanks! let me know if I can help somehow