Source Interface: Flow Inversion #6438
base: develop
4cab80e to 6e5cb05
30aaae8 to 9e06c68
Towards #6211 Up until now, SecureDrop had an implicit "sign up" flow, in which sources were assigned a codename/passphrase before they were able to submit any messages/documents. This created a couple of technical pitfalls with regards to session management and (potentially) usability issues as well (user research pending). As sources were asked to write down their codenames/passphrases before they were able to do what they came to the instance for, we made sure to remind them of their codename repeatedly. Flow inversion seeks to simplify both the backend implementation as well as the source interface's user experience.
Plus some cleanup
Needs discussion: is there a reason to keep the show codename button around? If so, we want to track its state for the session so as to not confuse sources on page refreshes.
More optimisation wrt message validation vs. when to actually create a new source account, and start replacing codename with passphrase terminology
- updated interface strings
- for consistency, updated CSS names as well
- updated session key name
9e06c68 to 8440b53
(Rebased as the auto-rebase in CI was breaking tests due to pageslayout changes introduced elsewhere.)
@@ -30,7 +30,7 @@ class SessionManager: | |||
"""Helper to manage the user's session cookie accessible via flask.session.""" | |||
|
|||
# The keys in flask.session for the user's passphrase and expiration date | |||
_SESSION_COOKIE_KEY_FOR_CODENAME = "codename" | |||
_SESSION_COOKIE_KEY_FOR_CODENAME = "passphrase" |
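Review bot: The constant on the changed line is still named _SESSION_COOKIE_KEY_FOR_CODENAME although its value is now "passphrase", so the name and the value disagree; rename it to _SESSION_COOKIE_KEY_FOR_PASSPHRASE and update every reference in the same commit. Because this string is the key looked up in flask.session, a session written under the old "codename" key will not be found under the new one once this is deployed. State in the PR whether such sessions are meant to be dropped (the source logs in again) or whether the old key should be read as a fallback for a release.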
Should be _SESSION_COOKIE_KEY_FOR_PASSPHRASE here. Nice rename btw 👍
Turns out the only thing in computer science more annoying than naming things is renaming them :)
Description of Changes
Up until now, SecureDrop had an implicit "sign up" flow, in which
sources were assigned a codename/passphrase before they were able to
submit any messages/documents.
This created a couple of technical pitfalls with regards to session
management and (potentially) usability issues as well (user research
pending). As sources were asked to write down their
codenames/passphrases before they were able to do what
they came to the instance for, we made sure to remind them of their
codename repeatedly.
Flow inversion seeks to simplify both the backend implementation as well
as the source interface's user experience.
Towards #6211
Testing
TBD
Checklist
If you made changes to the server application code:
- Linting (make lint) and tests (make test) pass in the development container