
Optional registration system
Closed, Resolved · Public · 444 Estimated Story Points

Description

We need some form where people can sign up to get a unique string emailed to them that they can include to get credit. It's unlikely that people will want to try to forge them, but we can hide them from visibility unless people know what to search on. We can also let the session key automatically include the signature tokens so people don't have to paste them.

When someone fills out a /register form (new app endpoint, Python function, and template to GET, fill out, submit/POST), then it should email you a token and set it in the session key. Whenever a registration token is not set, the layout template should have a form where you can paste it in from email, or get it from form input type=text autocomplete (down arrow key?) and then when it is submitted it just shows your associated email address and a login link which clears it when clicked. Anyway, when you enter a question with a token set, then someone submitting an implementation in response to a /recommend POST will send you an email with all that question's filenumber's files. And when they are set they will silently append after the last \n in all your /ask, /answer, and /recommend work, and you can query them with /inspect?r=token ... The token should probably be the SHA-512 of the registration email? We can make a new directory registered/ which has files with those hexadecimal keys in them, and inside they have email on the first line, then name, etc, and whatever they put in the registration form.

When the registration token is automatically added past the last line it should be like --REGISTRATION-ID:[sha-512 hexadecimal]-- on the very last line but prior to display, delete all \n--REGISTRATION-ID:[0-9a-f]*--$ with regexp sub() when they occur at the very end of the string ('...$') only. I think there is some regexp modifier we need to use to make it match across lines, then '$' means the very end and you can put a '\n--R...' at the front so it will never match user text, because if the registration token isn't set the file will end in '\n' instead of '...--'

Event Timeline

Use a secure hash of their email and a salt, i.e. Base64(SHA-512("some 'salt' string"+emailaddr)), and store it in the session cookie like the "flash" messages which show feedback, and use it to populate a new field in the /answer form so that once they enter it, it stays until they clear or change it.

Jsalsman triaged this task as Unbreak Now! priority. Aug 5 2016, 5:57 PM
Jsalsman set the point value for this task to 444.

@prnk28 do you need to substitute something for slashes to make filenames out of base64?

Aklapper lowered the priority of this task from Unbreak Now! to High. Edited Aug 7 2016, 12:45 PM

Decreasing priority as adding an optional system does not sound like something that requires fixing within the next 2-3 days (the "now" in "Unbreak now").

This was a big task. Apart from the deliverables of this task, I have also added username and email validation. Sub-tasks completed are the following:

  • Wrote the register() function and register.html templates. Functionality for sending salted SHA-512 of the email address to registered reviewers, which they can use as a token while answering questions
  • New directory called 'registered' with filenames as token for each user. File contains user info and files he/she worked on
  • Set the token in the session key
  • Appended tokens to files when token is set in session key
  • Username and email validation. Checked for clashes with the existing registered users
  • Checking and setting tokens in new end-point /token

Commit for this task can be found here.
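
The token and marker handling discussed in the description and comments above, as an added Python example that is not the project's code or the linked commit. The salt value, the e-mail normalisation, the function names and the sample inputs are assumptions; the marker regexp is tightened from `[0-9a-f]*` to exactly 128 hex characters.

```python
import hashlib
import re

SALT = "constructed-example-salt"  # assumption: the page does not give the real salt

TOKEN_RE = re.compile(r"[0-9a-f]{128}")  # hex SHA-512 is always 128 chars
# \Z anchors at the true end of the string. A bare $ would also match just
# before a final "\n", and with re.MULTILINE at the end of every line.
MARKER_RE = re.compile(r"\n--REGISTRATION-ID:([0-9a-f]{128})--\Z")


def make_token(email, salt=SALT):
    """Hex SHA-512 of salt + email; strip/lower normalisation is an assumption."""
    return hashlib.sha512((salt + email.strip().lower()).encode("utf-8")).hexdigest()


def is_valid_token(token):
    """Accept only 128 lowercase hex chars, so a value from the session or
    from /inspect?r=... can be used as a filename under registered/."""
    return isinstance(token, str) and TOKEN_RE.fullmatch(token) is not None


def append_token(text, token):
    """Put the marker on its own last line, after the final newline."""
    if not is_valid_token(token):
        raise ValueError("malformed registration token")
    if not text.endswith("\n"):
        text += "\n"
    return text + "--REGISTRATION-ID:" + token + "--"


def split_token(stored):
    """Return (text_for_display, token or None) for a stored submission."""
    match = MARKER_RE.search(stored)
    if match is None:
        return stored, None
    return stored[:match.start()], match.group(1)


if __name__ == "__main__":
    token = make_token("reviewer@example.org")  # constructed address
    stored = append_token("How do I reverse a list?\n", token)
    print(split_token(stored))
    # A marker-shaped line pasted into the middle of user text is left alone.
    pasted = "see\n--REGISTRATION-ID:" + "a" * 128 + "--\nmore text\n"
    print(split_token(pasted)[1])
    print(is_valid_token("../../etc/passwd"))
```

Because the token is a deterministic function of the salt and the address, it identifies a registrant but is only as unguessable as the salt is private.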