Re: [galaxy-dev] Authentication: email addresses are not validated prior to account creation

2013-03-05 Thread James Taylor
repoze.who would seem like the best candidate these days, it would be great
to see that integrated, but I worry it would also cause lots of
unintentional breakage in the corner cases.
On Mar 5, 2013 12:27 PM, "Paul Boddie"  wrote:

> On 05/03/13 17:09, James Taylor wrote:
>
>> On Mar 1, 2013, at 10:39 AM, Vipin TS  wrote:
>>
>>> Hello members,
>>>
>>> I believe currently there is no process to validate email address
>>> provided during user account creation. We are experiencing a huge fake
>>> account creation attack on our public facing galaxy instance.
>>>
>>> Does anybody who has been managing a public instance, implemented an
>>> on-demand account creation activation by sending an email containing a
>>> link, which when clicked, validate the account creation request. Or any
>>> plans from dev-team to add this in future release?
>>>
>> How about some kind of captcha support?
>>
>
> Recently, there has been increased awareness of some of the pitfalls
> involved in managing identity and authentication-related information in
> Python-based applications - not specifically to do with Python itself, but
> more to do with the community and the perceived best practices - and I'd
> really like to see a bit more collaboration around those things as well as
> around anti-spam mechanisms. Having looked at the authentication aspects of
> Galaxy, I can't help wondering if there shouldn't be some kind of generic
> "shell" for such functionality that is separate from the core functionality
> of Galaxy and would be used for other systems as well. Certainly, using
> Apache is one solution, but people do seem to want a more controlled kind
> of integration between that and the underlying applications.
>
> At the very least, one would hope to reuse and integrate existing
> components, perhaps at the WSGI level. Failing that, there might be some
> generic libraries that could support such reusable components. Perhaps the
> most significant challenge would be to cleanly integrate the user interface
> aspects of such components with the Galaxy output.
>
> Certainly, one could just extend the registration mechanism with captcha
> support, but I'd be worried about the maintainability of the code. Unless
> things have progressed fairly recently, there was already a lot of
> special-cased stuff in the area of authentication, and I'd be worried about
> unintentional breakage.
>
> Paul
>
___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/

Re: [galaxy-dev] Authentication: email addresses are not validated prior to account creation

2013-03-05 Thread Paul Boddie

On 05/03/13 17:09, James Taylor wrote:
> On Mar 1, 2013, at 10:39 AM, Vipin TS wrote:
>
>> Hello members,
>>
>> I believe currently there is no process to validate email address provided
>> during user account creation. We are experiencing a huge fake account creation
>> attack on our public facing galaxy instance.
>>
>> Does anybody who has been managing a public instance, implemented an on-demand
>> account creation activation by sending an email containing a link, which when
>> clicked, validate the account creation request. Or any plans from dev-team to
>> add this in future release?
>
> How about some kind of captcha support?


Recently, there has been increased awareness of some of the pitfalls 
involved in managing identity and authentication-related information in 
Python-based applications - not specifically to do with Python itself, 
but more to do with the community and the perceived best practices - and 
I'd really like to see a bit more collaboration around those things as 
well as around anti-spam mechanisms. Having looked at the authentication 
aspects of Galaxy, I can't help wondering if there shouldn't be some 
kind of generic "shell" for such functionality that is separate from the 
core functionality of Galaxy and would be used for other systems as 
well. Certainly, using Apache is one solution, but people do seem to 
want a more controlled kind of integration between that and the 
underlying applications.


At the very least, one would hope to reuse and integrate existing 
components, perhaps at the WSGI level. Failing that, there might be some 
generic libraries that could support such reusable components. Perhaps 
the most significant challenge would be to cleanly integrate the user 
interface aspects of such components with the Galaxy output.


Certainly, one could just extend the registration mechanism with captcha 
support, but I'd be worried about the maintainability of the code. 
Unless things have progressed fairly recently, there was already a lot 
of special-cased stuff in the area of authentication, and I'd be worried 
about unintentional breakage.


Paul

Re: [galaxy-dev] Authentication: email addresses are not validated prior to account creation

2013-03-05 Thread James Taylor
How about some kind of captcha support?

-- jt 

(composed on my phone)

On Mar 1, 2013, at 10:39 AM, Vipin TS  wrote:

> Hello members, 
> 
> I believe currently there is no process to validate email address provided 
> during user account creation. We are experiencing a huge fake account 
> creation attack on our public facing galaxy instance. 
> 
> Does anybody who has been managing a public instance, implemented an 
> on-demand account creation activation by sending an email containing a link, 
> which when clicked, validate the account creation request. Or any plans from 
> dev-team to add this in future release? 
> 
> thanks in advance, 
> --/Vipin

Re: [galaxy-dev] Authentication: email addresses are not validated prior to account creation

2013-03-05 Thread Dannon Baker
Vipin,

I don't know of anyone who's done this, but if anyone wants to take a stab
at it, it's definitely something that we could include (as long as it's
optional, configurable in universe_wsgi.ini) in Galaxy.

-Dannon

On Fri, Mar 1, 2013 at 10:39 AM, Vipin TS  wrote:

> Hello members,
>
> I believe currently there is no process to validate email address provided
> during user account creation. We are experiencing a huge fake account
> creation attack on our public facing galaxy instance.
>
> Does anybody who has been managing a public instance, implemented an
> on-demand account creation activation by sending an email containing a
> link, which when clicked, validate the account creation request. Or any
> plans from dev-team to add this in future release?
>
> thanks in advance,
> --/Vipin
>

[galaxy-dev] Authentication: email addresses are not validated prior to account creation

2013-03-01 Thread Vipin TS
Hello members,

I believe currently there is no process to validate email address provided
during user account creation. We are experiencing a huge fake account
creation attack on our public facing galaxy instance.

Does anybody who has been managing a public instance, implemented an
on-demand account creation activation by sending an email containing a
link, which when clicked, validate the account creation request. Or any
plans from dev-team to add this in future release?

thanks in advance,
--/Vipin
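
The activation-link scheme asked about in the post above, sketched as an added example (not code from Galaxy or from anyone in this thread): the account stays inactive until a signed, expiring token sent to the address is presented back. SECRET_KEY, TOKEN_TTL, the URL, the in-memory accounts table and all function names are hypothetical.

```python
import base64, hashlib, hmac, time

# Assumptions (not Galaxy code): every name, the key and the URL are hypothetical.
SECRET_KEY = b"constructed-demo-secret"   # in practice: random, loaded from config
TOKEN_TTL = 24 * 3600                     # link validity in seconds
accounts = {}                             # email -> {"active": bool}; stand-in user table

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()

def make_activation_token(email, now=None):
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = ("%s|%d" % (email.lower(), expires)).encode()
    return b64e(payload) + "." + b64e(sign(payload))

def verify_activation_token(token, now=None):
    """Return the e-mail address the token was issued for, or None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64d(payload_b64), b64d(sig_b64)
    except ValueError:                    # malformed token or bad base64
        return None
    if not hmac.compare_digest(sig, sign(payload)):   # constant-time comparison
        return None
    email, expires = payload.decode().rsplit("|", 1)  # payload is authenticated here
    if (time.time() if now is None else now) > int(expires):
        return None
    return email

def register(email, now=None):
    # Create the account inactive and return the link to e-mail to the user.
    accounts[email.lower()] = {"active": False}
    return "https://galaxy.example.org/activate?token=" + make_activation_token(email, now)

def activate(token, now=None):
    email = verify_activation_token(token, now)
    if email is None or email not in accounts:
        return False
    accounts[email]["active"] = True
    return True
```

Because the token carries its own expiry and signature, no per-token database row is needed; inactive accounts older than TOKEN_TTL can simply be purged.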