clef-wordpress's People

Contributors

bradp, jeffgolenski, jessepollak, juliopotier, lolux, richardmuscat, waffle-iron, withinboredom, yeltsin

clef-wordpress's Issues

Make setup more intuitive

Right now, I don't think that the little pointer to the Settings tab is enough direction for an easy setup experience. We should do a window on the dashboard that you can set up Clef from.

Add support for multisite

Right now, Clef can be installed on multisite, but every site needs to be set up individually with its own Clef application — this is not the way it should be.

This may need serious involvement from Clef to make it work, which we'll be happy to do!

Pin Clef SSL certificate

We've seen a fair amount of issues with verifying the Clef SSL certificate on user hosts where the machine SSL certs are out of date.

We should include the Clef SSL certificate and pin it for all Clef API requests — this adds the increased security of a pinned SSL cert and addresses the bad verify issue.

Reorganize code into a beautiful structure

Right now, the plugin is a mess. To accommodate easier development (and general developer happiness), we need to reorganize the repository into some sort of standard structure.

I'm thinking that we should base it off of MP6's structure, seeing as that's the new standard for core development.

Redirect back to settings page after connected Clef user

If you're using a different email on Clef than your WordPress account, when you disable passwords, you're redirected to the Users page to connect your Clef account.

After you've done so, you aren't redirected back to Settings to actually save the fact that you want to disable passwords.

It would be nice to mitigate this confusion by redirecting back to Settings automatically (or just disabling passwords automatically) after the user has connected with Clef when they were trying to disable passwords.

$100 bounty — users not seeing (or going through) setup wizard

I'm putting a $100 bounty out for anyone who can figure out this bug. Payable via cash (or Bitcoin or Dogecoin or any object of comparable value) for any information that leads to solving this issue.

Of late, we've seen an uptick in users setting Clef applications up through the [developer site](getclef.com/developer). This process sucks — that's why we built the easy WordPress setup wizard, which basically does everything for you (and connects your account). This leads to confusion and more often than not misconfiguration.

At first, we thought this was just chance, but then last night someone wrote a blog post that clearly shows the setup wizard not showing up.

This is the failure case:

tutorial not showing up

It should look more like this:

tutorial showing up

Possible clues:

  • according to one user, the setup wizard was there, but then "disappeared." The user claims that the page did not refresh, but I have a hard time believing this.
  • I changed the code which handles checking whether the application is configured recently, but this code was shipped in 1.9.1 (it's not in 1.9) and this bug manifests in the above tutorial in 1.9.
  • the above tutorial shows that the text that's supposed to show above the iframe is not showing, which likely means that it's not just the iframe being blocked.
  • NOTE: in 1.9.1, we switched the header from "Clef Settings" to "Clef" and added social buttons. This commit is here.

Relevant pieces of code:

  • this is where we check whether the setup wizard should be shown.
  • this is the check whether the application is configured
  • this is the tutorial template.

If you want to help with the bug hunt, I'll be hanging out in our support room all day trying to figure this out.

Add more info about how single sign on works for WordPress users

It's a little confusing that

  1. Logging out on your phone means you have to re-sync the Clef wave and that you are logged out from your WordPress sites
  2. You don't have to re-sync the Clef wave when you are still logged in on your phone and signing into another of your WordPress sites

We should be highlighting this at the end of the onboarding and on the Settings page in general, since it's a pretty big advantage of using Clef.

Add more info about how Clef locks down password logins

We should add some info below the "Password Settings" header that explains how Clef locks down password logins.

It should be clear that Clef actually disables password logins completely, instead returning an error message and not even looking at the passwords for users that have disabled them.

We should also highlight that this means users don't need to worry about previous weak passwords that they have set or automated login attempts for their account, if they have checked the option to disable passwords.

Improve functionality when javascript is disabled

@BoiteAWeb has pointed out that a lot of the things in the 2.0 version of this plugin rely on JS and Ajax to work. Ideally, we'd have a plugin that worked beautifully with JS and works functionally without it.

I've already pushed some changes that let the main settings page work without JS, but lots of other things break without JS. It would be great to fix those too :)

Support custom roles for password disabling and inviting

If a site has custom roles, these roles are currently incompatible with our role-based password disabling and invite sending.

To make this change, I think that we should switch to a model where you select (with a checkbox) the roles that you want to disable passwords for. With this model, we should be able to just iterate over all roles and display them as options for disabling and sending invites.

Limit XMLRPC based on Clef password settings

Right now, the Clef settings do not apply to the XMLRPC API. This means that even if passwords are disabled by Clef, a user can still access site data through the API with their username and password.

This is not the correct functionality and should be resolved.

Clear no password settings if app ID or app Secret is empty

If the app ID or app Secret is empty, you're obviously not going to be logging in. Therefore, we should clear these settings.

This was triggered by me clearing my app ID, but leaving that no passwords option — giving me just a blank white screen on the login page.

:(

Add Clef dashboard widget

Besides the enhanced setup that I mention in #11, I think that we should have a widget that displays something about Clef.

I'm not quite sure what this something should be, but I have a few ideas:

  • number of passwords you've been saved from typing (and time etc)
  • number of attempted attacks on your blog by bots
  • sharing buttons (we need the love :D)

Thoughts?

Add enhanced debugging abilities

Right now, it's a pain in the butt to debug users' issues with Clef for WordPress. We've improved this ability over the last week by adding more informative error messages (pro tip: using "something went wrong" for every error message is a horrible, horrible idea), but it needs to get better.

I'm not sure what the standard is for this, so I'd love some input — should we have a debug option in the plugin?

Undefined index errors on Settings_API_Util

NOTICE: wp-content/plugins/wpclef/includes/lib/Settings_API_Util.inc:228 - Undefined index: clef_password_settings_force
NOTICE: wp-content/plugins/wpclef/includes/lib/Settings_API_Util.inc:228 - Undefined index: clef_password_settings_xml_allowed

Thank you!

Override fails when disable passwords for all users = true

Incorrect WP auth failure error message displayed on the following password settings configuration:

  • Disable passwords for Clef users: true
  • Disable passwords for all users with privileges greater than or equal to: disabled
  • Disable passwords for all users and hide the password login form: true
  • Always allow passwords for XML API (necessary for things like the WordPress mobile app): false
  • Set override key: yes (key entered)

On these settings user login fails from override URL.

If one sets Disable passwords for all users and hide the password login form to false, logins via override URL are successful.

Fix plugin to work with custom login URL

Your app messes up Better WP Security custom login URL. When the Clef plugin is enabled, the login URL changes back to wp-admin. For me, this is a major security issue. I won't be using your plugin until this changes.

Error message not showing for Clef settings save

Recreate via @landakram

  1. Ensure your Clef account is not connected
  2. Go to the Clef Settings page
  3. Check the "Disable passwords for all users" box
  4. Click save

Expected behavior: setting is not saved and error message is displayed
Current behavior: setting is not saved and no error message is displayed

I was not able to replicate this issue.

@landakram what plugins do you have enabled? I remember something like this cropping up with W3 Total Cache activated.

Badge Call To Action should be dismissed after clicking "Not right now"

Since a second link CTA popup gets shown after clicking "Not right now", the Badge CTA doesn't get dismissed if you navigate away from the dashboard and then back to it.

Instead, it should not be shown after you navigate back to the dashboard, regardless of your action in the second link CTA.

lolux’s 2.0 features test

Uninstall Process

  1. Deactivate plugin.
    • WPC is deactivated, and normal password log in form appears on wp-login.php.
    • WPC’s settings are saved in the database (can verify via re-activation: pre-deactivation settings should re-appear).
  2. Remove previous version of WPC via WP’s plugin uninstaller to ensure a clean install.
    • WPC’s files are deleted.
    • WPC’s database settings are deleted.

Install Process

Activation

  1. Clone the repository and checkout the appropriate branch
    1. git clone git://github.com/clef/wordpress.git wpclef
    2. cd wpclef
    3. git checkout two-point-oh
  2. Activate WPC via WP’s Dashboard > Plugins > Installed Plugins
  3. SW loads automatically

Setup Wizard

  • "Skip setup" link takes you immediately to settings page

(A) SW State 1: Not logged in to Clef

  • "Get started" takes you to Clef Wave screen
    • Text Clef App link successfully.
    • Sync Clef Wave and arrive at "One more click!" screen.

(B) SW State 2: Logged in to Clef

  • "Get started" takes you to "One-click setup!" screen.

(C) SW Tests for Both States

  • Execute "one-click setup" and arrive at "Invite" screen.
    • Send invite e-mail to Everyone.
    • Send invite e-mail to roles >= Contributor.
    • Send invite e-mail to roles >= Author.
    • Send invite e-mail to roles >= Editor.
    • Send invite e-mail to roles >= Administrator.
    • Send invite e-mail to roles >= Super Administrator.
    • E-mail preview text matches actual e-mail.
  • Arrive at "3 tips" screen after send invite or skip invite.
  • Arrive at "Get Waltz" screen.
    • "Try Waltz" loads http://getwaltz.com in new tab.
    • "Go to Clef Settings" loads settings page with graceful slide up.

Setup Wizard Multi-Site Iterations

State 1: Network-wide WPC install on shared domain name

  • Run SW tests (A), (B), and (C) on Super Admin site.
  • Run SW tests (A), (B), and (C) on one sub-site.

State 2: Network-wide WPC install with custom domain names

  • Run SW tests (A), (B), and (C) on Super Admin site.
  • Run SW tests (A), (B), and (C) on one sub-site.

State 3: Site-specific install on shared domain name

  • Run SW tests (A), (B), and (C) on Super Admin site.
  • Run SW tests (A), (B), and (C) on one sub-site.

State 4: Site-specific install on shared domain name

  • Run SW tests (A), (B), and (C) on Super Admin site.
  • Run SW tests (A), (B), and (C) on one sub-site.

Password Settings (and log in and log out actions)

WP-Login.php Legend:

  • CA: Clef App
  • CB: Clef button (i.e., “Log in w/ your phone”)
  • LE: "Lost your password?" e-mail
  • LF: "Lost your password?" form (i.e., wp-login.php?action=lostpassword)
  • LL: "Lost your password?" link
  • PF: Password form (i.e., the ordinary user/pass form displayed at wp-login.php)

Settings Page Legend

  • P1: Disable passwords for Clef users
  • P2: Disable passwords for all users with roles greater than or equal to
  • P3: Disable passwords for all users and hide the password login form
  • P4: Allow passwords for API
  • O1: Override key
  • O2: Generate secure override url link
  • O3: Override url button
  • O4: Override preview
  • SS: "Setting saved" AJAX notification (appears then fades).

Start the following tests from fresh install state (i.e., all settings except API keys should be null, false, or “disabled”).

Disable passwords: P1 = true, P2–P4 = null.

  • SS fades.
  • P4 appears.
  • Override settings section appears.
    • O1 = null.
    • O4 = hidden.
  • selecting O2
    • shows SS,
    • inserts key in O1,
    • and shows O4.
  1. Non-Clef user login
    • wp-login.php displays PF + CB with LL.
    • Log in via PF.
  2. Non-Clef user reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  3. Clef user login
    • wp-login.php displays PF + CB with LL.
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  4. Clef user reset password via LF
    • Disabled. Returns error notification.
  5. XML-RPC login
    • Disabled. Returns error notification.

Disable passwords: set P2 = not null, P3–P4 = null.

  • wp-login.php displays PF + CB with LL.

When any non-null P2 option is selected

  • SS fades.
  • P4 appears.
  • Override settings section appears.
    • O1 = null.
    • O4 = hidden.
  • selecting O2
    • shows SS,
    • inserts key in O1,
    • and shows O4.

P2 = “Contributor”

  1. Subscriber role login
    • Log in via PF.
  2. Subscriber role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  3. Contributor role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  4. Contributor role reset password via LF
    • Disabled. Returns error notification.
  5. Author role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  6. Author role reset password via LF
    • Disabled. Returns error notification.
  7. Editor role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  8. Editor role reset password via LF
    • Disabled. Returns error notification.
  9. Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  10. Administrator role reset password via LF
    • Disabled. Returns error notification.
  11. Super Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  12. Super Administrator role reset password via LF
    • Disabled. Returns error notification.
  13. XML-RPC login
    • Disabled. Returns error notification.

P2 = “Author”

  1. Subscriber role login
    • Log in via PF.
  2. Subscriber role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  3. Contributor role login
    • Log in via PF.
  4. Contributor role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  5. Author role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  6. Author role reset password via LF
    • Disabled. Returns error notification.
  7. Editor role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  8. Editor role reset password via LF
    • Disabled. Returns error notification.
  9. Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  10. Administrator role reset password via LF
    • Disabled. Returns error notification.
  11. Super Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  12. Super Administrator role reset password via LF
    • Disabled. Returns error notification.
  13. XML-RPC login
    • Disabled. Returns error notification.

P2 = “Editor”

  1. Subscriber role login
    • Log in via PF.
  2. Subscriber role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  3. Contributor role login
    • Log in via PF.
  4. Contributor role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  5. Author role login
    • Log in via PF.
  6. Author role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  7. Editor role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  8. Editor role reset password via LF
    • Disabled. Returns error notification.
  9. Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  10. Administrator role reset password via LF
    • Disabled. Returns error notification.
  11. Super Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  12. Super Administrator role reset password via LF
    • Disabled. Returns error notification.
  13. XML-RPC login
    • Disabled. Returns error notification.

P2 = “Administrator”

  1. Subscriber role login
    • Log in via PF.
  2. Subscriber role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  3. Contributor role login
    • Log in via PF.
  4. Contributor role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  5. Author role login
    • Log in via PF.
  6. Author role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  7. Editor role login
    • Log in via PF.
  8. Editor role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  9. Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  10. Administrator role reset password via LF
    • Disabled. Returns error notification.
  11. Super Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  12. Super Administrator role reset password via LF
    • Disabled. Returns error notification.
  13. XML-RPC login
    • Disabled. Returns error notification.

P2 = “Super Administrator”

  1. Subscriber role login
    • Log in via PF.
  2. Subscriber role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  3. Contributor role login
    • Log in via PF.
  4. Contributor role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  5. Author role login
    • Log in via PF.
  6. Author role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  7. Editor role login
    • Log in via PF.
  8. Editor role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  9. Administrator role login
    • Log in via PF.
  10. Administrator role reset password
    • LF sends password reset e-mail.
    • Set new password.
    • Receive site admin notification e-mail.
  11. Super Administrator role login
    • Log in via PF disabled. Returns error notification.
    • Log in via CB.
    • Log out via CA.
  12. Super Administrator role reset password via LF
    • Disabled. Returns error notification.
  13. XML-RPC login
    • Disabled. Returns error notification.

Disable passwords: set P3 = true, P4 = null.

  • SS fades.
  • P4 appears.
  • Override settings section appears.
    • O1 = null.
    • O4 = hidden.
  • selecting O2
    • shows SS,
    • inserts key in O1,
    • and shows O4.
  • wp-login.php displays CB only (no PF and no LL).
  • LF disabled for all users. Returns error notification.
  • Log in via CB.
  • Log out via CA.

Disable passwords: set P4 = true (assumes P1, P2, and/or P3 are not null).

  • SS fades.
  • Log in via XML-RPC.

Support Clef settings

  • Set to “Badge”
    • flashes SS
    • and prints img and functioning a in site footer.
  • Set to “Link”
    • Flashes SS
    • Prints functioning a in site footer.
  • Set to “Disabled”
    • Flashes SS
    • Removes img and/or a from site footer.

Support Clef timed pop ups

  1. State 1a: after first login via CB.
    • Selecting “Badge” prints img and functioning a in site footer and saves the setting (verify on setting page).
  2. State 1b: after first login via CB.
    • Selecting “Link” prints functioning a in site footer and saves the setting (verify on setting page).
  3. State 2: Waltz not installed.
    • After 3 successful logins, show numbered badge in Clef settings menu title.
    • After 3 successful logins, show dismissible Waltz notification on Clef settings page.
    • After 15 successful logins, if Clef settings Waltz notification hasn't been dismissed, show a one-time notification on the Dashboard.
  4. State 3: Waltz installed.
    • No Waltz notifications after 3 successful logins.
    • No Waltz notification on Dashboard after 15 successful logins.

Browser Iterations

Setup Wizard

  • Successful run through in Chrome.
  • Successful run through in Firefox.
  • Successful run through in Safari.
  • Successful run through in IE.

AJAX-Powered Settings Page

  • Functioning in Chrome.
  • Functioning in Firefox.
  • Functioning in Safari.
  • Functioning in IE.

Translations

  • All new translatable text blocks placed in appropriate wrapper functions.

BruteProtect

  • One-click install & activate successful.

The End

To the precious few who make it this far: treat yo self to a 💥.

  • 💥
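
The expected outcomes in the password-settings checklist above, together with the XML-RPC and override-key issues earlier on this page, can be written as one decision function. This is an added example, not the plugin's code: the setting keys, function names and the way the override key reaches the function are assumptions, as are reading the XML-RPC rows per user and honouring the override key on the password form only.

```php
<?php
// Added example: models the checklist's expected outcomes. Setting keys,
// function names and the override parameter are hypothetical, not the plugin's.

// Roles from lowest to highest, in the order the checklist tests them.
const ROLE_RANK = [
    'subscriber' => 0, 'contributor' => 1, 'author' => 2,
    'editor' => 3, 'administrator' => 4, 'super_administrator' => 5,
];

/** True when the settings take password login away from this user (P1, P2, P3). */
function passwords_disabled_for(array $settings, array $user): bool
{
    if (!empty($settings['p3_all_users'])) {
        return true;                                   // P3: every user
    }
    if (!empty($settings['p1_clef_users']) && !empty($user['is_clef_user'])) {
        return true;                                   // P1: connected Clef users
    }
    $min = $settings['p2_min_role'] ?? null;           // P2: role threshold, or null
    return $min !== null && ROLE_RANK[$user['role']] >= ROLE_RANK[$min];
}

/**
 * Decide one password-based attempt. $channel is 'form' (PF), 'reset' (LF)
 * or 'xmlrpc'. $override is the key presented with the request, if any.
 */
function password_attempt_allowed(array $settings, array $user, string $channel, ?string $override = null): bool
{
    if (!passwords_disabled_for($settings, $user)) {
        return true;
    }
    if ($channel === 'xmlrpc') {
        // P4 is the only exception for the API; without it the same
        // restriction applies as on wp-login.php.
        return !empty($settings['p4_allow_api']);
    }
    if ($channel === 'form' && $override !== null && !empty($settings['override_key'])) {
        // Constant-time comparison so the key cannot be recovered by timing.
        return hash_equals($settings['override_key'], $override);
    }
    return false;                                      // PF and LF both refuse
}

// Constructed cases taken from checklist rows (P2 = "Editor", P3, P4, override).
$p2 = ['p2_min_role' => 'editor'];
$p3 = ['p3_all_users' => true, 'override_key' => 'constructed-key'];
$cases = [
    ['author PF, P2=editor',       $p2, ['role' => 'author'], 'form',   null, true],
    ['editor PF, P2=editor',       $p2, ['role' => 'editor'], 'form',   null, false],
    ['editor LF, P2=editor',       $p2, ['role' => 'editor'], 'reset',  null, false],
    ['editor XML-RPC, P4 off',     $p2, ['role' => 'editor'], 'xmlrpc', null, false],
    ['editor XML-RPC, P4 on',      $p2 + ['p4_allow_api' => true], ['role' => 'editor'], 'xmlrpc', null, true],
    ['admin PF, P3, override key', $p3, ['role' => 'administrator'], 'form', 'constructed-key', true],
    ['admin PF, P3, wrong key',    $p3, ['role' => 'administrator'], 'form', 'guess', false],
];
foreach ($cases as [$label, $settings, $user, $channel, $key, $expected]) {
    $got = password_attempt_allowed($settings, $user, $channel, $key);
    printf("%-28s %-7s %s\n", $label, $got ? 'allow' : 'refuse', $got === $expected ? 'ok' : 'MISMATCH');
}
```

Reading settings with `!empty()` and `??` means a key that was never saved is treated as off rather than raising an undefined-index notice.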

Adding new Clef users when they aren't nearby

Here's a usability issue:

Say you've disabled password login for all users. If you want to add another user who isn't nearby and doesn't share the same email between Clef and WordPress, then they have no way of associating their Clef account, because they can't log into WordPress.

Multisite - Subsite login produces redirect error

My multisite: http://yoyo.io/admin login works perfectly! Amazing work BTW!

However if a client wants to login on their subsite: http://loslonelyboys.com/admin they get the notice below:

Something went wrong!
Invalid redirect URL.
Please refresh and try again.

Sure, the client can log in at the Network root and get to their subsite that way, but some have years of logging in at their domain, and I can respect their wishes for that.
Any thoughts? Is this WIP right now?
