Change to text input and use numeric mode for TOTP prompts. (#3154)

* Change to text input and use inputmode numeric for TOTP prompts. * Fix some typos.
2025-02-23 04:27:02 +01:00 · 2024-10-27 16:57:28 -07:00 · 2024-10-27 16:57:28 -07:00 · d2c329f330
parent 44ddfb98f1
commit d2c329f330
16 changed files with 27 additions and 25 deletions
--- a/book/src/developers/designs/domain_join_machine_accounts.md
+++ b/book/src/developers/designs/domain_join_machine_accounts.md
@ -7,10 +7,10 @@ support machine accounts also know as domain joining.

 ### Limiting Unix Password Auth

-Currently unix password authentication is targetted as the method for sudo. Initial access to the
+Currently unix password authentication is targeted as the method for sudo. Initial access to the
 machine should come from ssh keys (and in future, ctap2).

-In order to maintain compatability with LDAP style authentication, we allow "anonymous hosts" to
+In order to maintain compatibility with LDAP style authentication, we allow "anonymous hosts" to
 retrieve ssh public keys, and then perform sudo authentication.

 This has the obvious caveat that anyone can stand up a machine that trusts a Kanidm instance. This
--- a/book/src/developers/designs/kanidm-trust.rst
+++ b/book/src/developers/designs/kanidm-trust.rst
@ -38,7 +38,7 @@ There are different ways we can scope a trust out, each with pros-cons. Here are
 may implement some controls around which subject DN's to allow/deny, but this is pretty fraught
 with landminds. You don't know who exists until they login!
 * Azure AD individual account trusting. Instead of trusting a whole domain you allow a user from
- a remote tennant to access your resources. You don't trust everyone in their tennant, just that
+ a remote tenant to access your resources. You don't trust everyone in their tenant, just that
 one account that you can invite. You can then revoke them as needed.
 * Group-trust - FreeIPA does this with AD. It's still like kerberos, but you only trust a subset
 of the users determined by "groups" from the trusted site.
--- a/book/src/developers/designs/profile_display.md
+++ b/book/src/developers/designs/profile_display.md
@ -65,12 +65,12 @@ same. // TODO: Should a user be allowed to relabel their kanidm ssh keys ?

 Due to their long length they should be line-wrapped into a text field so the entirety is visible
 when shown. To reduce visible clutter and inconsistent spacing we will put the values into
-collapsable elements.
+collapsible elements.

 These collapsed elements must include:

 - label
- value's key type (ECDSA, rsa, ect..) and may include:
+- value's key type (ECDSA, rsa, etc..) and may include:
 - value's comment, truncated to some max length

 #### Editing keys
--- a/book/src/developers/designs/unixd_multi_resolver_2024.md
+++ b/book/src/developers/designs/unixd_multi_resolver_2024.md
@ -54,7 +54,7 @@ to improve it as a result. This will necesitate a major rework of the project.

 The current design treated the client as a trivial communication layer. The daemon/event loop
 contained all state including if the resolver was online or offline. Additionally the TPM and
-password caching operations primarily occured in the daemon layer, which limited the access of these
+password caching operations primarily occurred in the daemon layer, which limited the access of these
 features to the client backend itself.

 ### Future Features
@ -130,7 +130,7 @@ future.
 #### CTAP2 / TPM-PIN

 We want to allow local authentication with CTAP2 or a TPM with PIN. Both provide stronger assurances
-of both who the user is, and that they are in posession of a specific cryptographic device. The nice
+of both who the user is, and that they are in possession of a specific cryptographic device. The nice
 part of this is that they both implement hardware bruteforce protections. For soft-tpm we can
 emulate this with a strict bruteforce lockout prevention mechanism.

@ -384,7 +384,7 @@ and rely on sqlite heavily.
 We should migrate to a primarily in-memory cache, where sqlite is used only for persistence. The
 sqlite content should be optionally able to be encrypted by a TPM bound key.

-To obsfucate details, the sqlite db should be a single table of key:value where keys are uuids
+To obfuscate details, the sqlite db should be a single table of key:value where keys are uuids
 associated to the item. The uuid is a local detail, not related to the provider.

 The cache should move to a concread based concurrent tree which will also allow us to multi-thread
--- a/book/src/frequently_asked_questions.md
+++ b/book/src/frequently_asked_questions.md
@ -75,7 +75,7 @@ administrator. While they may not have direct access to the client/application s
 still use this `client_id+secret` to then carry out the authorisation code interception attack
 listed.

-For confidential clients (refered to as a `basic` client in Kanidm due to the use of HTTP Basic for
+For confidential clients (referred to as a `basic` client in Kanidm due to the use of HTTP Basic for
 `client_id+secret` presentation) PKCE may optionally be disabled. This can allow authorisation code
 attacks to be carried out - however _if_ TLS is used and the `client_secret` never leaks, then these
 attacks will not be possible. Since there are many public references to system administrators
--- a/book/src/integrations/oauth2/examples.md
+++ b/book/src/integrations/oauth2/examples.md
@ -261,7 +261,7 @@ using OAuth2:
    <dd>

    Upload a Kanidm or other organisational logo.
-    
+
    This will appear on the login form (with no text) to prompt users to sign
    in.

@ -480,7 +480,7 @@ with some limitations:

    It will set the user's preferred name on *first* log in *only*.

-To set up a *new* self-hosted Outline instance to authenicate with Kanidm:
+To set up a *new* self-hosted Outline instance to authenticate with Kanidm:

 1.  Add an email address to your regular Kanidm account, if it doesn't have one
    already:
--- a/examples/server.toml
+++ b/examples/server.toml
@ -23,7 +23,7 @@ bindaddress = "[::]:443"
 #   The path to the kanidm database.
 db_path = "/var/lib/private/kanidm/kanidm.db"
 #
-#   If you have a known filesystem, kanidm can tune the 
+#   If you have a known filesystem, kanidm can tune the
 #   database page size to match. Valid choices are:
 #   [zfs, other]
 #   If you are unsure about this leave it as the default
@ -45,7 +45,7 @@ db_path = "/var/lib/private/kanidm/kanidm.db"
 # db_arc_size = 2048
 #
 #   TLS chain and key in pem format. Both must be present.
-#   If the server recieves a SIGHUP, these files will be
+#   If the server receives a SIGHUP, these files will be
 #   re-read and reloaded if their content is valid.
 tls_chain = "/var/lib/private/kanidm/chain.pem"
 tls_key = "/var/lib/private/kanidm/key.pem"
--- a/proto/src/scim_v1/mod.rs
+++ b/proto/src/scim_v1/mod.rs
@ -11,10 +11,10 @@
 //! The [scim_proto] library, which is generic over all scim implementations.
 //!
 //! The client module, which describes how a client should transmit entries, and
-//! how it should parse them when it recieves them.
+//! how it should parse them when it receives them.
 //!
 //! The server module, which describes how a server should transmit entries and
-//! how it should recieve them.
+//! how it should receive them.

 use crate::attribute::Attribute;
 use serde::{Deserialize, Serialize};
--- a/server/core/templates/login.html
+++ b/server/core/templates/login.html
@ -36,7 +36,8 @@
 		class="d-none"
 		id="totp"
 		name="totp"
-		type="number"
+		type="text"
+		inputmode="numeric"
 		autocomplete="one-time-code"
 		value=""
 	/>
--- a/server/core/templates/login_totp.html
+++ b/server/core/templates/login_totp.html
@ -15,7 +15,8 @@
 			class="autofocus form-control"
 			id="totp"
 			name="totp"
-			type="number"
+			type="text"
+			inputmode="numeric"
 			autocomplete="one-time-code"
 			value="(( totp ))"
 			required=true
--- a/tools/cli/src/cli/person.rs
+++ b/tools/cli/src/cli/person.rs
@ -1219,7 +1219,7 @@ async fn sshkey_add_prompt(session_token: &CUSessionToken, client: &KanidmClient
                ClientErrorHttp(_, Some(DuplicateKey), _) => {
                    eprintln!("SSH Public Key already exists in this account");
                }
-                _ => eprintln!("An error occured -> {:?}", err),
+                _ => eprintln!("An error occurred -> {:?}", err),
            }
            break;
        } else {
@ -1249,7 +1249,7 @@ async fn sshkey_remove_prompt(session_token: &CUSessionToken, client: &KanidmCli
            ClientErrorHttp(_, Some(NoMatchingEntries), _) => {
                eprintln!("SSH Public Key does not exist. Keys were NOT removed.");
            }
-            _ => eprintln!("An error occured -> {:?}", err),
+            _ => eprintln!("An error occurred -> {:?}", err),
        }
    } else {
        println!("Successfully removed SSH Public Key");
--- a/tools/cli/src/opt/kanidm.rs
+++ b/tools/cli/src/opt/kanidm.rs
@ -1147,7 +1147,7 @@ pub enum Oauth2Opt {
    DisablePkce(Named),
    #[clap(name = "warning-enable-legacy-crypto")]
    /// Enable legacy signing crypto on this oauth2 client. This defaults to being disabled.
-    /// You only need to enable this for openid clients that do not support modern crytopgraphic
+    /// You only need to enable this for openid clients that do not support modern cryptographic
    /// operations.
    EnableLegacyCrypto(Named),
    /// Disable legacy signing crypto on this oauth2 client. This is the default.
--- a/unix_integration/pam_kanidm/src/core.rs
+++ b/unix_integration/pam_kanidm/src/core.rs
@ -140,7 +140,7 @@ pub fn sm_authenticate_connected<P: PamHandler>(
        let client_response = match daemon_client.call_and_wait(&req, timeout) {
            Ok(r) => r,
            Err(err) => {
-                // Something unrecoverable occured, bail and stop everything
+                // Something unrecoverable occurred, bail and stop everything
                error!(?err, "PAM_AUTH_ERR");
                return PamResultCode::PAM_AUTH_ERR;
            }
--- a/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service
+++ b/unix_integration/resolver/debian/kanidm_unix_int.kanidm-unixd.service
@ -7,7 +7,7 @@ After=chronyd.service nscd.service ntpd.service network-online.target
 Before=systemd-user-sessions.service sshd.service nss-user-lookup.target
 Wants=nss-user-lookup.target
 # While it seems confusing, we need to be after nscd.service so that the
-# Conflicts will triger and then automatically stop it.
+# Conflicts will trigger and then automatically stop it.
 Conflicts=nscd.service

 [Service]
--- a/unix_integration/resolver/src/idprovider/interface.rs
+++ b/unix_integration/resolver/src/idprovider/interface.rs
@ -159,7 +159,7 @@ pub enum AuthRequest {
    MFAPoll {
        /// Message to display to the user.
        msg: String,
-        /// Interval in seconds between poll attemts.
+        /// Interval in seconds between poll attempts.
        polling_interval: u32,
    },
    MFAPollWait,
@ -209,7 +209,7 @@ pub trait IdProvider {
    async fn attempt_online(&self, _tpm: &mut tpm::BoxedDynTpm, _now: SystemTime) -> bool;

    /// Mark that this provider should attempt to go online next time it
-    /// recieves a request
+    /// receives a request
    async fn mark_next_check(&self, _now: SystemTime);

    /// Force this provider offline immediately.
--- a/unix_integration/resolver/src/resolver.rs
+++ b/unix_integration/resolver/src/resolver.rs
@ -51,7 +51,7 @@ pub enum AuthSession {
        token: Option<Box<UserToken>>,
        cred_handler: AuthCredHandler,
        /// Some authentication operations may need to spawn background tasks. These tasks need
-        /// to know when to stop as the caller has disconnected. This reciever allows that, so
+        /// to know when to stop as the caller has disconnected. This receiver allows that, so
        /// that tasks which .resubscribe() to this channel can then select! on it and be notified
        /// when they need to stop.
        shutdown_rx: broadcast::Receiver<()>,