Create admin user from app? #10

Closed
michielbdejong opened this issue Mar 7, 2016 · 11 comments

@michielbdejong
Contributor

Right now, the user must first create an admin password on http://192.168.0.42/, before they connect to http://app.knilxof.org (or wherever we will host the app in this repo). That makes the whole discovery mechanism in this app pretty useless :)

possible solution: send the user straight to app.knilxof.org and do the admin user creation from there, but that's something we should discuss, because:

  • Will we also allow third-party apps to create the admin user?
  • If so, will we whitelist the origins from which this is allowed?

@ferjm
Member

ferjm commented Mar 7, 2016

I'd prefer to keep the /users/setup endpoint same origin. Instead of allowing 3rd party apps to create the admin user (or any user in the future) I'd prefer if we could just redirect http://app.knilxof.org to the box URL. This is how it should work once we have authorization anyway.

@michielbdejong
Contributor Author

Yes! Good idea. So we can add a 'Create account' link to the login page, and that would redirect the user to the Box that was discovered through nupnp.

@arcturus
Contributor

arcturus commented Mar 7, 2016

I will go for @ferjm's option. Actually @gmarty and myself were discussing this, on detecting if the box went through the ftu and redirecting.

Should we check what kind of document we get when asking for the box root? Doesn't look like the best way to me xD

@michielbdejong
Contributor Author

I have been thinking the redirect would still not be very safe, especially if you get redirected back to the app after user creation completed.

It's probably necessary to "hide" the Box a little bit from random web pages. For the three discovery mechanisms:

  • mDNS: only native apps and web pages that scan the QR code can discover the Box
  • public local DNS: we can harden this by making sure the Box only responds if you get its hostname right (e.g. on https://192.168.0.42/index.html you would see nothing, only if you have the exact long URL from the QR code)
  • registration-server: I think we should add a step where the user enters a serial number with at least 8 or 16 bits of entropy, before pinging the registration-server, so that brute-force polling of the registration-server can be detected and prevented.

@cr what do you think?

@michielbdejong
Contributor Author

> add a step where the user enters a serial number with at least 8 or 16 bits of entropy, before pinging the registration-server

See fxbox/registration_server#3 (comment) about this.

@michielbdejong
Contributor Author

I'll prepare a PR with the redirect from the login page to the Box URL for (admin) user creation.

@ferjm
Member

ferjm commented Mar 10, 2016

I forgot to mention that the setup and login flows on the box already support redirection: fxbox/foxbox@39307e6

@michielbdejong
Contributor Author

yes, just noticed. cool! will ping you on irc if I need help with the whole flow.

@michielbdejong
Contributor Author

This is the hyperlink I added to make the screenshots which I'm about to send out to the mailing list: https://github.com/fxbox/app/compare/master...michielbdejong:user-creation-poc?expand=1

As discussed on irc, we probably want to remove the login form from the app altogether, and use this redirect_url / session_token flow for the login (the app would consume the session token from the URL once the user has been redirected back).
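
The redirect_url / session_token flow from the comment above, together with the origin whitelisting raised at the top of the thread, sketched as an added example (not code from fxbox/app or fxbox/foxbox). Only the names `redirect_url` and `session_token` come from the thread; the allowlist, the function names, the HTTPS origin and carrying the token as a query parameter are assumptions.

```javascript
// Added example. Only redirect_url and session_token come from the thread;
// the allowlist, function names and query-parameter transport are assumptions.
const ALLOWED_APP_ORIGINS = new Set(['https://app.knilxof.org']); // assumed HTTPS

// Box side: build the post-login redirect, or return null to refuse it.
function buildRedirect(redirectUrl, sessionToken) {
  let target;
  try {
    target = new URL(redirectUrl); // throws on relative or malformed input
  } catch (err) {
    return null;
  }
  // Exact match on the parsed origin (scheme + host + port). Prefix or
  // substring checks would accept look-alike hosts and userinfo forms.
  if (!ALLOWED_APP_ORIGINS.has(target.origin)) return null;
  target.searchParams.set('session_token', sessionToken);
  return target.href;
}

// App side: take the token out of the landing URL and return a cleaned URL,
// so the token does not stay in the address bar, history or Referer header.
function consumeSessionToken(href) {
  const url = new URL(href);
  const token = url.searchParams.get('session_token');
  if (token === null) return { token: null, cleanedUrl: url.href };
  url.searchParams.delete('session_token');
  return { token, cleanedUrl: url.href };
}

// In a browser the app would then call:
//   const { token, cleanedUrl } = consumeSessionToken(location.href);
//   if (token) history.replaceState(null, '', cleanedUrl);
```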

@arcturus
Contributor

I think we can close this one right?

@michielbdejong
Contributor Author

Yes! :)
