With https://jira.xwiki.org/browse/XWIKI-11205 we have recently introduced 2 new URLs for “reset password” and “retrieve username” UCs (see https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/13.1RC1/#HMiscellaneous).
Apparently these decisions were taken on a PR but I couldn’t find it (it’s not linked in the JIRA issue). All I could find was a branch but it doesn’t seem to exist so I couldn’t read the history of the discussions. In any case, when introducing some new APIs (and URLs are quite important introductions since they are both public and very visible), I think a proposal would be nice and would allow ensuring we all agree.
EDIT: I just saw that we also introduce public APIs such as ResetPasswordManager. This also needs agreement since it’s hard to change afterwards.
So I have the following points I’d like to bring:
- Why are the new URLs using the authenticate URL Type? I don’t see the relationship with authentication (these URLs are clearly not doing any authentication).
- Related: Why don’t we have a single URL Type for each action since the actions are quite different: one is about resetting a user password, the other about finding the username of a user based on a provided email address.
- BTW, I see these actions as related a lot more to “user” than to “authentication”, and I’d have put these in the user module instead. For example we should have a setPassword() API in the User API, and thus resetting the user password is for me very similar to setting the password and should be together.
- Question: do we already have a /xwiki/authenticate/* URL for authenticating a user BTW?
- I don’t like the new URLs because IMO they cannot be understood just by reading them:
  - /xwiki/authenticate/reset: If I read this, I read this is about authenticating a reset. Or maybe resetting an authentication. Reset what? An email? A username? A password? A wiki? The history of a document?
  - /xwiki/authenticate/forgot: Same problem (“I forgot to authenticate?”). Actually a bit worse since it’s now using a verb in the past tense for a future action, very weird.
- Question: what happens when an email is associated with several users? (this is the case for me on xwiki.org or myxwiki.org where I have several accounts with the same email). Do we list all usernames? Isn’t that a security breach for an attack for ex?
- We seem to be missing documentation: I see on https://extensions.xwiki.org/xwiki/bin/view/Extension/Authentication%20Security%20Module/#HAuthenticateURLresourcetype that we listed the URLs but I don’t see anywhere where we have the screenshots of the UIs.
- The Release notes say that if you have custom code in the previous wiki pages you need to port it to Java. Don’t we have templates for the UI for these actions?
About 2) I can suggest some URLs:
/xwiki/user/reset/password (looks a bit more like /xwiki/bin/view/Page with 4 levels)
We need to decide quickly because this was introduced in 13.1RC1 and we have only a few days to make changes if we want to do that without causing any problem to anyone (we don’t really have the concept of Unstable for URLs for ex).
PS: Apologies if these were all discussed but when I acted as RM and rewrote the RN for https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/13.1RC1/#HMiscellaneous, I couldn’t help but notice that the new URLs are a bit shaky.
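The shared-email case raised above (one address attached to several accounts), as an added illustration that is not XWiki's code and does not describe what the 13.1RC1 implementation does: a "retrieve username" lookup that handles any number of matching accounts and keeps the on-screen response identical whether zero, one or many match, so the page cannot be used to probe which addresses are registered. The user table, account names and `retrieve_username` function are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample user directory (hypothetical, not XWiki's user store).
# One address is deliberately shared by two accounts, the case from the question.
USERS = {
    "XWiki.alice": "alice@example.org",
    "XWiki.alice2": "alice@example.org",
    "XWiki.bob": "bob@example.org",
}

UNIFORM_RESPONSE = (
    "If this address is registered, an e-mail listing the matching "
    "usernames has been sent to it."
)


@dataclass
class RetrieveResult:
    response: str                      # what the browser is shown; same for every input
    emails_sent: list = field(default_factory=list)  # (recipient, body) handed to the mailer


def retrieve_username(email: str, users: dict = USERS) -> RetrieveResult:
    """Find every account registered to ``email`` and deliver the list only to
    that mailbox. The returned ``response`` never depends on the match count,
    so the endpoint does not leak whether an address (or how many accounts)
    exists; the mailbox owner still learns all of their usernames."""
    normalized = email.strip().lower()
    matches = sorted(name for name, addr in users.items() if addr.lower() == normalized)
    result = RetrieveResult(response=UNIFORM_RESPONSE)
    if matches:
        # Several accounts on one address are listed together in a single mail
        # rather than picked arbitrarily or shown on the page.
        body = "Accounts registered to this address:\n" + "\n".join(
            f"- {name}" for name in matches
        )
        result.emails_sent.append((normalized, body))
    return result
```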