Commit 4d54cdaf authored by Leonard Techel

Add loose planning

# Planning
Here I collect the proposed features, the order of the corresponding TODOs etc pp
## Components
### Core
* Multilang: Has to support at least English and German
* Multilang: Determine language from: 1. LDAP preference 2. User preference (cookie) 3. Browser preference
* Security: Correct CSRF handling (Especially for logout, …)
* Security: Correct LDAP escaping
* Security: Disable iframe stuff
GET / No session: Redirect to /user/login. Has session: Redirect to /user/overview
### Basic authentication
* Registration: Get user mail address, check LDAP constraints (does this address belong to our university + right department of study), send confirmation mail, set initial password via web interface
* Authentication/login via LDAP using username + password
* Password lost: Send recovery to email
* Authorization: Store LDAP roles within the session
* Authenticated: Form to change the password and primary language
GET /user/create Registration form. Redirect to /user/overview if already logged in
POST /user/create
GET /user/login Login form. Redirect to /user/overview if already logged in
POST /user/login
POST /user/logout
GET /user/lostpw Lost password form
POST /user/lostpw
GET /user Account settings overview: Name, E-Mail addresses, preferred language, … (See Changable values in a form
POST /user
### Admin
* List LDAP users (simple)
* Alter LDAP users (simple)
### oAuth 2: central authentication
* Admin: Add new providers/apps
* Apps can be form-free --> Directly give out an access token without user confirmation
* Apps can be revoke-free --> Users cannot manually revoke app access
* Implement all the oauth2 stuff
GET /oauth2/authorize
POST /oauth2/authorize
POST /oauth2/token
### OpenID Connect: central identity
* Implement OpenID connect core
* Implement OpenID Connect Back-Channel Logout: If user logs out on one page, log out on all pages
* Build simple client library so we can super easily spin up new services
* Integrate into gogs for GIT usage:
GET /connect/userinfo
POST /connect/backchannel_logout
### Mailman integration
* Overview of possible mailing list subscriptions
* Control multiple e-mail addresses in one LDAP account
* Choose which mailing lists are subscribed to which address
### Two factor auth
* Support TOTP (RFC 6238) using e.g. Google Authenticator
* Support Fido U2F
## Order
1. Always think of Core
2. Basic authentication
3. oAuth 2
4. OpenID Connect
5. Admin
6. Mailman integration
\ No newline at end of file
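Review bot: The "form-free" and "revoke-free" app options under "oAuth 2: central authentication" remove the two user-facing controls the rest of the plan relies on (consent before a token is issued, and the ability to take access away later), so the planning file should state who may set those flags and under what conditions; a note such as "form-free/revoke-free only for first-party apps created by an admin, each grant logged" would keep that decision from being made implicitly later. In the Core section, "Correct LDAP escaping" should name both cases that the registration and login flows will hit: values placed into search filters (RFC 4515 escaping of `( ) * \` and NUL) and values placed into DNs (RFC 4514 escaping), since the constraint check on the mail address and the username lookup will use both. The account-settings line "(See Changable values in a form" is cut off and should be completed or removed, and "Integrate into gogs for GIT usage:" ends in a colon with nothing following it.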