Replace basic authentication with a password page and a cookie. #324

Open
wants to merge 2 commits into
base: main

frankieroberto
Collaborator

Description

This replaces the "basic authentication" (a browser popup asking for a username and password) with a redirect to a page asking users to enter a password.

As well as being more user-friendly, this also helps avoid an issue where some corporate networks have turned off basic authentication in the Edge browser.

The code here heavily borrows from the work done by the GOV.UK Prototype Kit team in alphagov/govuk-prototype-kit#1182

Fixes #323

Screenshot

Screenshot of a page saying 'This is a prototype used for research. It is not a real service. You should only continue if you have been invited to test this prototype.' followed by a password box and a Continue button.

Checklist

  • Tested against our testing policy (Resolution, Browser & Accessibility)
  • CHANGELOG entry
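
The password-page-plus-cookie flow described above, sketched as an added example (this is not code from this pull request or from the GOV.UK Prototype Kit). The cookie name, the `/password` path, the `returnURL` parameter and the use of a SHA-256 digest as the cookie value are all assumptions made for the sketch.

```javascript
const crypto = require("node:crypto");

const COOKIE = "prototype_auth"; // hypothetical cookie name
const LOGIN_PATH = "/password";  // hypothetical password page path

const sha256 = (s) => crypto.createHash("sha256").update(String(s)).digest();

// The cookie holds a digest of the shared password, never the password itself.
const cookieToken = (password) => sha256(password).toString("hex");

// Hash both sides first so timingSafeEqual always gets equal-length buffers.
const safeEqual = (a, b) => crypto.timingSafeEqual(sha256(a), sha256(b));

// Only follow same-site paths after login, so returnURL cannot be used
// to send a tester to another origin.
function safeReturnPath(p) {
  const local = typeof p === "string" && p.startsWith("/") &&
    !p.startsWith("//") && !p.includes("\\");
  return local ? p : "/";
}

// Decide what to do with an incoming request: { path, cookies }.
function gate(req, password) {
  if (req.path === LOGIN_PATH) return { action: "allow" };
  const cookie = (req.cookies || {})[COOKIE];
  if (typeof cookie === "string" && safeEqual(cookie, cookieToken(password))) {
    return { action: "allow" };
  }
  const back = encodeURIComponent(safeReturnPath(req.path));
  return { action: "redirect", location: `${LOGIN_PATH}?returnURL=${back}` };
}

// Handle the password form: { password, returnURL }.
function submit(form, password) {
  if (typeof form.password !== "string" || !safeEqual(form.password, password)) {
    return { status: 401, setCookie: null, location: null };
  }
  return {
    status: 302,
    location: safeReturnPath(form.returnURL),
    setCookie: `${COOKIE}=${cookieToken(password)}; Path=/; HttpOnly; Secure; SameSite=Lax`,
  };
}

// Constructed sample run. A deployment would take the password from an
// environment variable such as PROTOTYPE_PASSWORD (the name suggested in this thread).
const demoPassword = "yourpassword123";
console.log(gate({ path: "/start", cookies: {} }, demoPassword));
console.log(submit({ password: demoPassword, returnURL: "//other.example" }, demoPassword));
```
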

@frankieroberto frankieroberto marked this pull request as draft July 8, 2024 21:45
@frankieroberto
Collaborator Author

@anandamaryon1 @edwardhorsford @paulrobertlloyd fancy testing this out, including deploying it to some hosting environments like Heroku?

@frankieroberto
Collaborator Author

Possibly the password environment variable should be PROTOTYPE_PASSWORD not PASSWORD, for backwards-compatibility with the current kit? 🤔

@anandamaryon1
Contributor

Looks like this how-to guidance will need to be updated to reflect this work: https://nhsuk-prototype-kit.azurewebsites.net/docs/how-tos/publish-your-prototype-online

@frankieroberto
Collaborator Author

@anandamaryon1 yep! And I think we would also have to maintain guidance on how to set the username and password on previous versions (as not everyone will upgrade quickly?)

In which case, I think we could do something like this:

When running the prototype kit online, you must set a password to stop anyone accidentally finding your prototype and mistaking it for a real service.

To do this, set an environment variable (called ‘Config vars’ on Heroku):

PROTOTYPE_PASSWORD=yourpassword123

If you are using an older version of the NHS Prototype Kit (before x.x) then you will also need to set a username. This can be the name of your service. For example:

PROTOTYPE_USERNAME=nameofservice

@sarawilcox
Contributor

I'll see if I can find some designers who might be able to test this.

@Tosin-Balogun
Contributor

@frankieroberto thank you for this. Just to save me a bit of time, are you able to share a Heroku or GitHub page preview so I can see how it works?

Successfully merging this pull request may close these issues.

Replace basic authentication with a custom password page