Custom Login Pages
You can create your own login pages for the following situations to replace the Fieldpine default versions. As login pages are generally available to all without being logged in, this allows you to customise branding. You cannot override the security controls required by Fieldpine, only how you collect details.
- The login page for a Fieldpine One account, such as Example Store
- Login pages used by self-hosted Store Servers, i.e. the pages seen by staff, customers and suppliers when they connect to any public-facing pages you may have opened to the internet
- Internal login pages for your LAN/Intranet
As always, Fieldpine is not concerned with your selection of frameworks, CSS or HTML; you may use whatever you wish. We are only interested in the flow of data over the APIs.
This page is not yet complete and is still being written and expanded
Simple Version
In the simplest form, you need to collect a username and password. These are then submitted to the authorisation URL.
Collect Username and Password → Submit to login URL → Redirect to homepage
    var send = {
        Name: myForm.UserName.value,       // username as typed into the form
        PassPlain: myForm.Password.value,  // password in the clear, so the connection must be HTTPS (see notes)
        Realm: 'site'                      // which area is being authenticated against (see notes)
    };
    document.getElementById("status").innerHTML = " Checking";
    fetch("/login", {
        body: JSON.stringify(send),
        method: 'POST',
        headers: { 'Content-Type': 'application/json' }
    })
    .then(function (resp) { return resp.json(); })
    .then(function (dx) {
        var d = dx.data;
        if (d.valid !== 1) {
            // Login rejected: report it and return focus to the username field
            document.getElementById("status").innerHTML = " Login Failed";
            var o = document.getElementById("ln");
            if (o) o.focus();
            return;
        }
        // Login accepted: the page, not the server, performs the redirect (see notes)
        document.location = d.HomePage;
    });
Notes
- Obviously, this exchange should all happen over HTTPS secured connections.
- The "realm" given in the JSON helps the server understand which area you are broadly trying to authenticate against. In this case "site" means general access to Fieldpine application.
- The URL "/login" is an endpoint defined in the firewall. The firewall remaps that URL to the actual internal endpoint. We recommend that you call it something less common to protect against bulk scanning robots, for example "/bobslogin" rather than simply "/login".
- Login Processes do not automatically redirect to a homepage. You must explicitly redirect using Javascript. This is by design to allow login pages to save return details to SessionStorage or other places. It also verifies Javascript is enabled.
- This version is deliberately minimal for documentation purposes. You should expand it to include protection against various attack methods.
Handling 2FA
When 2FA is required for an account, the flow changes: the second factor must be supplied before the login succeeds. Either of the following flows can be used.
Two-step: Collect Username and Password → Submit to login URL → Collect/submit 2FA → Submit to login URL → Redirect to homepage
Single-step: Collect Username, Password and 2FA → Submit to login URL → Redirect to homepage
Notes
- Depending on server-side options, you might receive a "please collect 2FA" response even though the initial username/password are invalid.
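The following is an added example client covering both the simple exchange and the two-step 2FA flow above; it is not Fieldpine's own code. The request fields Name, PassPlain and Realm and the response fields data.valid and data.HomePage are the ones the page documents. Everything else is an assumption for illustration: the renamed "/bobslogin" URL, the Code request field and data.need2fa response field used for the second factor, and the element ids ln, pw, status and loginForm. It also treats a non-2xx HTTP status as a failed login and only follows HomePage when it is a same-origin relative path, two checks the minimal version above omits.

```javascript
// Added example, not Fieldpine's code. Field names Name, PassPlain, Realm,
// data.valid and data.HomePage come from the documentation; LOGIN_URL, the
// Code / data.need2fa 2FA fields and the element ids are ASSUMED placeholders.

const LOGIN_URL = "/bobslogin"; // less guessable than /login, as the notes recommend (assumed)

// Build the JSON body for one login attempt. The second-factor code is only
// included when the user has actually supplied one.
function buildLoginRequest(username, password, realm, twoFactorCode) {
  const body = { Name: username, PassPlain: password, Realm: realm || "site" };
  if (twoFactorCode) body.Code = twoFactorCode; // field name is an assumption
  return body;
}

// Classify the server's JSON reply. Anything unexpected (no data, valid not
// exactly 1) is a failure: a missing field must never log someone in. The 2FA
// request is checked first because it can arrive even for bad credentials.
function interpretLoginResponse(dx) {
  const d = dx && dx.data;
  if (!d) return { outcome: "failed" };
  if (d.need2fa === 1) return { outcome: "need_2fa" }; // assumed field name
  if (d.valid !== 1) return { outcome: "failed" };
  return { outcome: "ok", homePage: d.HomePage };
}

// Accept only a same-origin relative path as the post-login destination, so an
// unexpected or tampered HomePage value cannot send the browser off-site.
// Must start with a single "/" (not "//host" or "/\host"), no scheme, no
// whitespace or control characters.
function safeRedirectTarget(homePage, fallback) {
  fallback = fallback || "/";
  if (typeof homePage !== "string") return fallback;
  if (!/^\/(?![\/\\])[^\s\u0000-\u001f]*$/.test(homePage)) return fallback;
  return homePage;
}

// Drive the whole exchange: one POST and, if the server asks for a second
// factor, a prompt followed by a second POST. The transport is injected so the
// flow can be exercised without a browser.
async function login(post, username, password, promptFor2fa) {
  let reply = await post(LOGIN_URL, buildLoginRequest(username, password, "site"));
  let result = interpretLoginResponse(reply);
  if (result.outcome === "need_2fa") {
    const code = await promptFor2fa();
    reply = await post(LOGIN_URL, buildLoginRequest(username, password, "site", code));
    result = interpretLoginResponse(reply);
  }
  return result;
}

// Browser transport: JSON over fetch with same-origin cookies. A non-2xx status
// is reported as a failed login instead of being parsed as a success.
async function fetchPost(url, body) {
  const resp = await fetch(url, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });
  if (!resp.ok) return { data: { valid: 0 } };
  return resp.json();
}

// DOM glue, only when running inside a page. Element ids are assumed.
if (typeof document !== "undefined") {
  document.getElementById("loginForm").addEventListener("submit", async (ev) => {
    ev.preventDefault();
    const status = document.getElementById("status");
    status.textContent = "Checking";
    const result = await login(
      fetchPost,
      document.getElementById("ln").value,
      document.getElementById("pw").value,
      () => Promise.resolve(window.prompt("Enter your 2FA code")));
    if (result.outcome !== "ok") {
      status.textContent = "Login Failed";
      document.getElementById("ln").focus();
      return;
    }
    // The page performs the redirect itself, as the notes require
    document.location = safeRedirectTarget(result.homePage);
  });
}
```

Keeping the request builder, the response classifier and the redirect check as plain functions, separate from the fetch and DOM code, means the decision logic can be unit tested offline and reused unchanged if the single-step flow (collecting the 2FA code on the first form) is preferred: pass the code to buildLoginRequest on the first call and the second round trip never happens.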
Sending Encrypted Passwords
TBS
Login NONCE and Replay Attacks
TBS