Set CONFIG parameter for session backend. Otherwise it tries to use localhost:6379 as a back end. In production we have nodes dedicated as a redis host so this needs to be a variable.

See
https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/ext.py#L67

We need something like.

r = redis.StrictRedis(host=config['SESSION_REDIS_HOST'], port=config['SESSION_REDIS_PORT'], db=config['SESSION_REDIS_DB'])

We already have CACHE_REDIS_HOST as a config param. If we could use this by default, that would be great. The only annoying thing is that the port and db have to be specified, so the host can't be the full connection string.

• check existing API functionality
• add missing important API functionality
• check API function signatures and parameters
• enhance API docstrings (param, returns, raises, versionadded)
• plug API functions to existing docs

Reiteration on #29

CLI conventions:

• Max 2 levels
• Command naming:
  • no compound names (e.g. usercreate)

Open questions:

• Plural vs singular?

$ inveniomanages user create
$ inveniomanages role add

vs.

$ inveniomanages users create
$ inveniomanages roles add

See:
https://github.com/zenodo/invenio/blob/zenodo-master/invenio/modules/accounts/forms.py#L252
https://flask-wtf.readthedocs.org/en/latest/config.html#recaptcha
https://pythonhosted.org/Flask-Security/customizing.html#forms

Example on Zenodo:
https://zenodo.org/youraccount/register

Suggested fix: don't run the e2e tests in every build-job. Partial build matrix dimension for e2e tests, something like what @lnielsen has done for Zenodo (https://github.com/zenodo/zenodo/blob/master/.travis.yml)

Upgrade to Flask-Security 1.7.5 which was just released.

• unpin Flask-Login from 0.2.11 to 0.x
• current_user.is_authenticated() -> current_user.is_authenticated
• Check all other invenio packages the the same problems.

9c61ca0 removed the -e option in favour of email argument to the CLI. This change should be released and propagated to dependent modules (both in tests and in documentation):

• Invenio-Access
• ....

Issue: On mac when redis is run in a docker machine the host ip is the one of the virtual box vm, not localhost. The default value of ACCOUNTS_SESSION_REDIS_URL is hard coded (

Solution: load ACCOUNTS_SESSION_REDIS_URL from environment if it is set. This solution is already used in invenio-search (https://github.com/inveniosoftware/invenio-search/blob/f19a3c743ad9d578d0840a416e7dd76e6fffca06/invenio_search/config.py#L58)

Calling testutils.py:create_test_user without any arguments twice cause an error to be thrown as it attempts to create a second user with the default email address.

Fix: generate random email address when none is given instead of using a static default.

• Move code from:
  • https://github.com/inveniosoftware/invenio/blob/maint-2.1/invenio/ext/passlib/__init__.py
  • https://github.com/inveniosoftware/invenio/blob/maint-2.1/invenio/ext/passlib/__init__.py#L98
  • https://github.com/inveniosoftware/invenio/blob/maint-2.1/invenio/testsuite/test_ext_passlib.py
• Flask-Security: https://github.com/mattupstate/flask-security/blob/develop/flask_security/core.py#L93-L103
• Invenio-Accounts: https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/ext.py#L123-L124

• include *.mo files
• exclude *.po and *.pot

related to #45

Q Should we update cookiecutter-invenio-module with these rules as default?

Starting inveniomanage database create, I receive this error on id_user index:

>>> problem with creating userEXT#############################      ] 85% 0:00:00.086719 
--------------------------------------------------------------------------------
ERROR in database [/home/vagrant/.virtualenvs/invenio2/src/invenio/invenio/base/scripts/database.py:195]:
userEXT
--------------------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/vagrant/.virtualenvs/invenio2/src/invenio/invenio/base/scripts/database.py", line 191, in _creator
    creator(table)
  File "/home/vagrant/.virtualenvs/invenio2/src/invenio/invenio/base/scripts/database.py", line 204, in <lambda>
    lambda table: table.create(bind=db.engine))
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/sql/schema.py", line 725, in create
    checkfirst=checkfirst)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1856, in _run_visitor
    conn._run_visitor(visitorcallable, element, **kwargs)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1481, in _run_visitor
    **kwargs).traverse_single(element)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/sql/visitors.py", line 121, in traverse_single
    return meth(obj, **kw)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/sql/ddl.py", line 769, in visit_table
    self.traverse_single(index)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/sql/visitors.py", line 121, in traverse_single
    return meth(obj, **kw)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/sql/ddl.py", line 788, in visit_index
    self.connection.execute(CreateIndex(index))
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 914, in execute
    return meth(self, multiparams, params)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/sql/ddl.py", line 68, in _execute_on_connection
    return connection._execute_ddl(self, multiparams, params)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 968, in _execute_ddl
    compiled
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1146, in _execute_context
    context)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1341, in _handle_dbapi_exception
    exc_info
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/util/compat.py", line 199, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1139, in _execute_context
    context)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/default.py", line 450, in do_execute
    cursor.execute(statement, parameters)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 205, in execute
    self.errorhandler(self, exc, value)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
OperationalError: (_mysql_exceptions.OperationalError) (1280, "Incorrect index name 'id_user'") [SQL: u'CREATE UNIQUE INDEX id_user ON `userEXT` (id_user, method)']

• remove || exit 1 and use set -o errexit

• unify helper and utils functions into utils.py

The package contains examples/app.py example application, but there is no test
for it in tests/test_example_app.py. It should be added. See existing examples:

• https://github.com/inveniosoftware/invenio-records/blob/master/tests/test_example_app.py
• https://github.com/inveniosoftware/invenio-marc21/blob/master/tests/test_example_app.py

@jirikuncar commented on Fri Jul 17 2015

Backport support for Gravatar and email verification icon to upstream.

• https://github.com/inspirehep/inspire-next/blob/master/inspire/base/templates/accounts/settings/profile.html

cc @jmartinm @tiborsimko

Flask-Login changed is_authenticated() and is_anonymous() to properties in >0.3 versions. This will causes issues as the development version of Flask-Security pin Flask-Login to >0.3 version. For now, I've commented out Flask-Security from the development requirements. When the new version is released, we should pin the version to the new one and amend calls to is_authenticated and is_anonymous.

Related:

• PR #37
• pallets-eco/flask-security#433

Currently the flask-security blueprints are loaded in both API and UI.
After some discussions with @lnielsen and @jirikuncar there were two solutions:
1/ Load the blueprint only in one of the applications.
2/ Load them in both application but make the default content-type different: json for API and HTML for UI.

For the time being we chose to go with option 2. This remains as TODO but does not have a high priority right now.

Document JWT
Document session activity tracking.
...

This issue has been previously discussed as inveniosoftware/invenio#2564.

• see https://raw.githubusercontent.com/zenodo/zenodo/master/zenodo/modules/accessrequests/tokens.py
• remove invenio.modules.access dependency

cc @lnielsen

So that we can create users for example for inveniomanage, e.g.

inveniomanage user createsuperuser --u eamonn --p mypassword --e [email protected]
inveniomanage user createuser --u eamonn --p mypassword --e [email protected]

• do not use Flask-Security datastore for managing SessionActivity
• verify that commit is called at after request when session is created/deleted

• accounts_session_activity table
• user_logged_in signal for populating activity table

/ cc @lnielsen

Problem

It looks like that when you click on "logout" button the current user session is cleaned on Redis but not on database.

Solution

A solution could be find the right hook and call the delete_session().

• remove dependency on invenio.module.access.local_config

Using hardcoded style="color: #28a745;" is not overlay friendly. It would be nicer to use classes instead.

--
Previous discussion on https://github.com/inveniosoftware/invenio-accounts/pull/182/files#r104355101

https://github.com/inveniosoftware/invenio-accounts/blob/next/invenio_accounts/ext.py#L87

or perhaps use pkg_resources to detect if celery is installed.

As for the other modules a REST API will be needed here.

The main features would be:

• searching/listing users
• getting a user's information
• updating a user's information
• searching roles
• creating roles
• assigning roles to users or unassigning them.

It would also need a shortcut URI for the currently authenticated user.

There is however one question. Do we want this in invenio-accounts or do we create an API for both invenio-accounts and invenio-userprofiles at the same time? Not being able to search users by name would be a strange limitation.

@inveniosoftware/triagers

Running example app leads to:

flask -a app.py npm
app
/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/flask_sqlalchemy/__init__.py:800: UserWarning: SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future.  Set it to True to suppress this warning.
  warnings.warn('SQLALCHEMY_TRACK_MODIFICATIONS adds significant overhead and will be disabled by default in the future.  Set it to True to suppress this warning.')
Traceback (most recent call last):
  File "/home/simko/.virtualenvs/invenio-accounts/bin/flask", line 11, in <module>
    sys.exit(main())
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/flask_cli/cli.py", line 495, in main
    cli.main(args=args, prog_name=name)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/flask_cli/cli.py", line 343, in main
    return AppGroup.main(self, *args, **kwargs)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/click/core.py", line 696, in main
    rv = self.invoke(ctx)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/click/core.py", line 1055, in invoke
    cmd_name, cmd, args = self.resolve_command(ctx, args)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/click/core.py", line 1094, in resolve_command
    cmd = self.get_command(ctx, cmd_name)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/flask_cli/cli.py", line 316, in get_command
    rv = info.load_app().cli.get_command(ctx, name)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/flask_cli/cli.py", line 191, in load_app
    rv = locate_app(self.app_import_path)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/flask_cli/cli.py", line 89, in locate_app
    __import__(module)
  File "/home/simko/private/src/invenio-accounts/examples/app.py", line 135, in <module>
    InvenioTheme(app)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/invenio_theme/ext.py", line 48, in __init__
    self.init_app(app, **kwargs)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/invenio_theme/ext.py", line 55, in init_app
    self.menu_ext.init_app(app)
  File "/home/simko/.virtualenvs/invenio-accounts/local/lib/python2.7/site-packages/flask_menu/__init__.py", line 50, in init_app
    raise RuntimeError("Flask application is already initialized.")
RuntimeError: Flask application is already initialized.

e.g. https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/templates/invenio_accounts/login_user.html#L41 should be

{{ render_field(form.email, icon="fa fa-user", autofocus=True, errormsg=False) }}
{{ render_field(form.password, icon="fa fa-lock", errormsg=False) }}

• check gitignore
• check manifest

The wheel built on Python 2.7 and uploaded on PyPI cannot be installed on Python 3 due to dependency on ipaddr (which in setup.py is only added in 2.7, but the wheel doesn't care)

Change CLI to flat structure:

from:

inveniomanage accounts users create
inveniomanage accounts users activate
inveniomanage accounts users deactivate
inveniomanage accounts roles add
inveniomanage accounts roles create
inveniomanage accounts roles remove

to

inveniomanage accounts createuser
inveniomanage accounts activateuser
inveniomanage accounts deactivateuser
inveniomanage accounts addrole
inveniomanage accounts createrole
inveniomanage accounts removerole

• introduce new documentation structure inveniosoftware/cookiecutter-invenio-module#56
• document user perspective
• document signals (if not done)
• document example app (if not done)

Can we remove the parameter use_celery?
Because it looks like not really used and superseded by ACCOUNTS_USE_CELERY

WDYT @jirikuncar @lnielsen ?

• Possible usage: {{ '/logout' | next_url(default='/') }} == /
• see TODO in https://github.com/inveniosoftware/invenio-oauthclient/pull/32/files#diff-4765035b4a26097bb7e4ccd3ad336f33R54

WDYT @lnielsen @JavierDelgadoFernandez

When you try to change the password, invenio-accounts will send a task to celery to send an email. The task however seems to be registered to the wrong Celery application, hence it tries to connect to AMQP instead of the defined value in BROKER_URL.

In B2SHARE, our login service provides a 'nickname' for each user. For UI is nicer to show the nickname of the user and not the email address.

1. Login with a user
2. Go to http://localhost:5000/reset

The bottom part of the form should only be available when the user is not authenticated.

From inveniosoftware/invenio#2614 - do we want to add this?

Once Invenio-Admin is integrated, add admin interface for managing users.

1. Support for batch actions: active/deactivate user.
2. User deactivation must ensure that user get's logged out immediately (i.e. kill session).
3. By default sort by last_login
4. Add filters to quickly filter list of users.

Open Question:

• Will we support the old "Become user" feature? (ping @tiborsimko @jirikuncar) IMHO it's not good that an admin can impersonate a user.

If you use different way to create user.

With the /signup/ url, or the admin interface, or the cli. It seems they all ignore each others.

For example if I create 4 users with admin it will allocate 1-4 for ids then if I use the CLI I will have to crash it four times to make it create a user with the id 5.

Way to create, ID
Admin UI, 1
Admin UI, 2
Admin UI, 3
CLI, 1 -> crash
CLI, 2 -> crash
CLI, 3 -> crash
CLI, 4

• user email should always be -e/--email
• should role name in roles be repeatable? if not then it would be better to use argument name instead of -r option

/cc @lnielsen

We need the ability to destroy a valid session without the user making a request (this is useful to e.g. ban users immediately #44). Also, this can be used to allow users to see a list of their active sessions (e.g. from multiple devices, and logout a specific device). This is only really possible when sessions are stored server-side (i.e #51). We also need to associate a session (for a logged in user) with a user id (Flask-Session/KVSession use uuids as session ids).

• Model: user, session, timestamp (UTC), country, browser, os (deduced from ip and user agent)
• Connect to Flask-Login's user_logged_in signal to store the session activity when a user logins.
• Celery cron task to clean up session activity table.
• Account settings item "Security", with a panel that list Sessions (see e.g. DropBox as an example). Allow a user to remove a session plus "Log me out of all devices". I would also include "Change password" on the same page.
• Model: +country, browser, browser version, os (deduced from ip and user agent)
• Configuration: Allow 1) tracking only user/session/timestamp and not country, browser and os 2) completely switching off the session activity feature.
• Admin interface (needs very restrictive permissions). Browse, remove, filter by user. (related to #33)

EncodeError: can't serialize <flask_mail.Message object at 0x10cb0f310>

File "/Users/eamonnmaguire/.virtualenvs/hepdata3/src/invenio-accounts/invenio_accounts/ext.py", line 63, in delay_security_email
    send_security_email.delay(msg)
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/celery/app/task.py", line 453, in delay
    return self.apply_async(args, kwargs)
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/celery/app/task.py", line 560, in apply_async
    **dict(self._get_exec_options(), **options)
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/celery/app/base.py", line 354, in send_task
    reply_to=reply_to or self.oid, **options
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/celery/app/amqp.py", line 305, in publish_task
    **kwargs
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/kombu/messaging.py", line 165, in publish
    compression, headers)
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/kombu/messaging.py", line 241, in _prepare
    body) = dumps(body, serializer=serializer)
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/kombu/serialization.py", line 164, in dumps
    payload = encoder(data)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/kombu/serialization.py", line 59, in _reraise_errors
    reraise(wrapper, wrapper(exc), sys.exc_info()[2])
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/kombu/serialization.py", line 55, in _reraise_errors
    yield
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/kombu/serialization.py", line 164, in dumps
    payload = encoder(data)
  File "/Users/eamonnmaguire/.virtualenvs/hepdata3/lib/python2.7/site-packages/msgpack/__init__.py", line 47, in packb
    return Packer(**kwargs).pack(o)
  File "msgpack/_packer.pyx", line 223, in msgpack._packer.Packer.pack (msgpack/_packer.cpp:223)
  File "msgpack/_packer.pyx", line 225, in msgpack._packer.Packer.pack (msgpack/_packer.cpp:225)
  File "msgpack/_packer.pyx", line 184, in msgpack._packer.Packer._pack (msgpack/_packer.cpp:184)
  File "msgpack/_packer.pyx", line 213, in msgpack._packer.Packer._pack (msgpack/_packer.cpp:213)
  File "msgpack/_packer.pyx", line 220, in msgpack._packer.Packer._pack (msgpack/_packer.cpp:220)
EncodeError: can't serialize <flask_mail.Message object at 0x10cb0f310>

Need test(s) that verify that a user, once deactivated, immediately has their session(s) invalidated and are unable to log in.

Test description:

1. Create user X
2. log in as X
3. deactivate user X
4. try to do things as user X. Result should be the same as trying to do so as any anonymous/unauthenticated user

Problem

Invenio-Access is installed in Invenio, but it's not required in PACKAGES. However the models get loaded and are causing troubles during account deletion in tests.

• https://github.com/inveniosoftware/invenio-accounts/blob/master/.travis.invenio.cfg#L34

At present, there is no ability to override this config option since this line in ext always sets the variable depending on the mode the app is running in.

https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/ext.py#L76

@lnielsen commented on Mon Aug 04 2014

Goal:
Allow users to delete their account via the account settings.

Additional info
The account deletion facility should check any attached baskets, any predefined alerts, any submitted records, messages etc.

Overlays must be able to hook into the deletion process, to do custom processing via e.g. pre/post delete signals.

Open questions:
Do we delete the account or simply mark it as deleted for record keeping?

See also issue #1973

@jirikuncar commented on Mon Aug 04 2014

Overlays must be able to hook into the deletion process, to do custom processing via e.g. pre/post delete signals.

I think we can rely on SQLAlchemy signals for User model.

@tiborsimko commented on Wed Aug 13 2014

Do we delete the account or simply mark it as deleted for record keeping?

I think the account inactivation and marking-as-deleted would be good for record keeping. We do it already for records in the same way. (via 980 $c DELETED)

@aw-bib commented on Wed Aug 13 2014

I think one point needs to be addressed here which shares probably some parts with #2022.

Today, the more common case with email addresses in research institutions and universities is, that the email address as such get's recycled. So you may have a naming scheme like [email protected] (say [email protected]). Now if you have only one [email protected] he gets this address. Now, [email protected] may leave the company. Later a another one joins in some John Doe, and he gets [email protected]...

To make the long story short: IRL email addresses do not make a good primary key anymore :(

@tiborsimko commented on Wed Aug 13 2014

@aw-bib Yes, e.g. Yahoo email addresses may also get recycled now... http://yahoo.tumblr.com/post/52805929240/yourname-yahoo-com-can-be-yours