Friday, June 14, 2013

Operation Flawless Login

[Photo caption] No booze, no caffeine, training, bad wifi, jetlag, and 100+ users on every type of device under the sun who couldn't reliably log onto the system. PAIN.
I was going to do the whole play it cool thing and wait 3 days for the next post but I am just so excited about this new "blogging" trend. I'm hoping to make it a Friday tradition (preceded by 2 cups of drip coffee and followed by a nap).

One thing I'm super excited to start working on as part of the migration away from cpy/cpt is redoing login. As far as Plone goes, you are likely in one of two camps: 
  1. Works fine for me!
  2. Rot in hell you !@#$ old code
I suspect most of you are in camp 1, or just have no opinion whatsoever, so I'm hoping I can convince you to jump over to camp 2. Most of the following was originally written with an intense amount of pain (see photo), so if it seems like I'm shouting at times it's because I was: I probably qualified as temporarily insane. Here we go!

Ryan Foster (@dextermilo) recently proposed this beautiful, simple, login page for a client which has all css/js/etc embedded making it load very fast (1 template + logo). Tell me you don't want this login page HARD. I know I do.

Login as a First Impression

For sites that are completely blocked off by default, login is the first experience with a new system/site. For anyone who is invited to a system, it's the same case. In fact, I would argue that a seamless login is the most important introduction to any web based system. It should be flawless. Absolutely flawless. 

And this is where "we the Plone" fall flat on our face. A sampling of the issues, mostly focused on the ones dear to my heart at the moment:
  • The login, registration, and password reset pages are too slow because they rely on a framework they don't need, causing more complications with frustrated users. We can't log in 100 people at once even with load balancing. Trainers around the world know exactly what I'm talking about. How can you ramp up a system that people can't log in to fast and accurately?
  • We are 100% not ready for mobile. There are some issues with random phones that we will never be able to address, but we also need to catch up with HOW people use mobile devices. The best example is the shitty network experience. What happens when you click on a registration link and the network goes out before you can complete? You go back to the email invite and RE-CLICK. But wait… what's that? Plone only allows you to click once and the link expires? 1999 called and wants their user restrictions back. 
  • The messaging/wording of invite and password reset emails is robotic and offers no indication of what the user just signed up for or what they were invited to. They get the email and have questions like "Wait, so how do I get to the home page?" and "What is my username?" and "Who is admin?". If you have signed up for basically any service at any point lately I'm sure you know what a great invite email feels like.
  • Testing? What's that? 
  • Have you seen this code? I mean seriously (WARNING: NSFW) look at that shit. It's 10 years of whacked out random bug fixes that no one has any idea if it's OK to rip out or not. It's 20+ different files spewed throughout the code in portal_skins style that requires a diagram the size of my kitchen table to print out. Bugs languish in the tracker for years because everyone is terrified to touch it. It is officially unmaintainable code. Don't get me wrong, it was great in its heyday. But I'm sorry, it's time for us to go our separate ways.
  • Customization. Ugh. Enough said.
  • There is no OOB way to block off a site.
  • and so much more… I don't have time to list them all. Have a favorite login gripe? Comment below!
Summary: It's a liability to Plone and, more importantly, to my projects, and my job these days is to minimize liability. I'm coming for you, login!

Battling the login monster one head at a time takes too long. Instead we cut out the heart, then roast the heads in olive oil for 8 hours, top with a dollop of crème fraîche and a sprinkle of truffle oil. Serve immediately with a spicy Triple.

I Love You but I've Chosen Rewrite

In good faith of open source complaining, I am determined to help fix it. In fact, Matt Hamilton has already agreed to help get this handled, and I secretly suspect that he has more deep down pain than I do, since he is taking off with it and already planning a quick weekend sprint to kick it off. Are you a member of the login burned? Help us out!

Here is a brain dump of the things I personally want to accomplish with login rework:
  • Login gets dirt fast. It should handle 100 simultaneous logins on 1 site, 1 box, standard hardware. I want to say 300 but 100 is a good target and we can't have mass training sessions without this. I think a lot of the other options can help on this. I am tired of pointing to caching as the solution. There are a lot of transaction issues in this but we have to start somewhere. The skeletons oh the skeletons!
  • Stop basing on main template (this also applies to 404, 500, etc). If a site is closed off and resources were just recooked, that's 20+ resources the browser has to load and that's the immediate impression for the users. Get this down to less than 3 files (a login splash type thing, ideally 1 page with embedded resources). Ability to customize VERY easily (diazo?) but more importantly having a good default. 
  • Mobile. Responsive, quick. Avoid redirects at all costs and where they are make it sane. I recently saw password reset on initial login fail on a variety of mobile devices. We are doing something wrong/old school/something. 
  • Integrate iw.rejectanonymous into core. 
  • Sane invite messages. Default system invite messages are horrid. They don't have site urls, nor indicate the username or who or what or… anything really. Ideally this message can be customized TTW (e.g. welcome to the site. this is our new intranet and I want you to use it like x,y,z your login is x the url is y and I am your new overlord)
  • Forgotten password. Oh god. Expire on click is a disaster, and the methodology is generally buggy.
  • Tests. Tests everywhere.  I want robot going crazy too.
  • Security. Lots of it.
  • Login/reset/all forms rewritten as z3c. This allows us to extend and add things like site agreements. 
  • Simplicity. There are too many options to be sane at the moment. We need to not even look at the code, and think "what do people REALLY need to configure in login" (especially that can't be done in PAS). We need to worry about our 80% use case first. I will be rabid about this. Login, login, login. And that's it. For now.
  • Rip out openid as it is. A simple pluggable solution is the answer to proper integration.
  • Default captcha for open registration.
  • Integrate some of the login api work that has been done. 
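The "expire on click" problem from the mobile and forgotten-password bullets above has a well-known shape: the reset link must survive a dropped connection and a re-click, yet still be single-use and time-bound. The following is an added illustration in plain Python, not code from Plone or plone.future.login; the class name, the 24-hour window, the in-memory store and the injectable clock are all assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: links stay valid for one day


def _digest(raw_token: str) -> str:
    # Only a hash of the token is stored; a leaked store yields no usable links.
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Hypothetical reset-token store: a link is validated when opened but
    consumed only when the new password is actually submitted."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested offline
        self._records = {}  # token digest -> [user_id, issued_at, consumed]

    def issue(self, user_id: str) -> str:
        # Issuing a new link invalidates any older outstanding link for the user.
        for rec in self._records.values():
            if rec[0] == user_id:
                rec[2] = True
        raw = secrets.token_urlsafe(32)
        self._records[_digest(raw)] = [user_id, self._now(), False]
        return raw  # goes into the emailed link and is never stored in clear

    def peek(self, raw: str):
        """Opening the link: check validity but do NOT consume it, so a network
        drop before the form is submitted leaves the link usable on re-click."""
        rec = self._records.get(_digest(raw))
        if rec is None:
            return None
        user_id, issued_at, consumed = rec
        if consumed or self._now() - issued_at > self._ttl:
            return None
        return user_id

    def consume(self, raw: str):
        """Submitting the new password: the token is spent exactly once."""
        user_id = self.peek(raw)
        if user_id is None:
            return None
        self._records[_digest(raw)][2] = True
        return user_id
```
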
And on my "after that is done" wish list:
  • Must reset password is weird and has never worked properly as I have wanted it implemented. The ability to expire passwords from some control panel has been on a wish list for many clients over the years. Time based expiration as well. One that works, not one that is a hack into the current wacky code base.
  • Tracking for site admins. Who hasn't logged in in 2 weeks? 1 month? Who has NEVER logged in? How can I make sure people are actually using the site? What kind of data do we need to capture to answer security compliance questions? We can't hide behind LDAP integrations for that forever. Also not first pass, but the ability to generate these reports must be considered.
In the category of "really dreamy some day if I can find the time":
  • Plone as oauth consumer. It's 2013 and "login with Facebook" isn't going away. *sigh*. I don't know that this should be in core but the ability to set up oauth is HAWT.
  • Plone as an authentication provider. 
We are ripping out portal_skins piecemeal so that we can get the new stuff out to integrators ahead of time to test then merge it back into core for the release. Login is its own package, plone.future.login and anyone is welcome to help the rewrite. The theme is release early, release often, simple, fast, extensible.

Easy enough right?


  1. + a million for this initiative!
    the login story is horrid, i agree.

    some more ideas:

    - let's throw events at sensible times. e.g. ILoginFailedEvent, ILoginSuccessEvent, ILogoutEvent, ... AFAIK, this is not consistently the case.

    - let's create a "who is online" portlet. this is not only fun for community portals but also valuable information for site admins to track the website's activity.

    - let's make the options "many groups" and "many users" in @@usergroup-controlpanel unnecessary by clever batching and paginating.

    did someone experience an unthemed plone site at the welcome page after the login redirect in diazo themed plone sites? maybe this issue is gone now, but that annoyed me quite some time.
