[Bug]: UX issues when requesting share by mail password #31952

Closed
4 of 8 tasks
PVince81 opened this issue Apr 12, 2022 · 10 comments · Fixed by #32371
Labels
1. to develop Accepted and waiting to be taken care of 24-feedback Feedback from 24.x releases bug

Comments

@PVince81
Member

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on GitHub (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

At step 5 the user is more likely to quickly click the "Request password" button instead of the little arrow to submit the current one.

After step 7, an extra click is needed to go back.

Steps to reproduce

  1. Share a folder by mail
  2. Set a password for that share
  3. Log out
  4. Open the link from the email
  5. Quickly enter the known password and click the submit button: here I often click the big button instead of the arrow out of reflex
  6. Click on "Request password"
  7. Enter email address and submit
  8. Be frustrated to have to click "Back"

Expected behavior

At step 5, find a way to make the "Request password" button less visible. Or maybe allow the user to first enter a wrong password and only then show the button? @jancborchardt thoughts?

At step 7, as soon as the email is set, redirect back to the password field and show a message there "The password was sent by email". This way the user can copy paste and directly enter instead of having to go back.

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other


List of activated Apps

Enabled:
  - accessibility: 1.10.0
  - activity: 2.16.0
  - cloud_federation_api: 1.7.0
  - comments: 1.14.0
  - contactsinteraction: 1.5.0
  - dashboard: 7.4.0
  - dav: 1.22.0
  - federatedfilesharing: 1.14.0
  - federation: 1.14.0
  - files: 1.19.0
  - files_external: 1.16.1
  - files_sharing: 1.16.2
  - files_trashbin: 1.14.0
  - files_versions: 1.17.0
  - lookup_server_connector: 1.12.0
  - nextcloud_announcements: 1.13.0
  - oauth2: 1.12.0
  - photos: 1.6.0
  - provisioning_api: 1.14.0
  - recommendations: 1.3.0
  - serverinfo: 1.14.0
  - settings: 1.6.0
  - sharebymail: 1.14.0
  - survey_client: 1.12.0
  - systemtags: 1.14.0
  - theming: 1.15.0
  - twofactor_backupcodes: 1.13.0
  - updatenotification: 1.14.0
  - user_status: 1.4.0
  - viewer: 1.8.0
  - weather_status: 1.4.0
  - workflowengine: 2.6.0
Disabled:
  - admin_audit
  - bruteforcesettings
  - calendar
  - contacts
  - deck
  - email_template_example-0.0.1
  - encryption
  - files_3d
  - files_accesscontrol
  - files_antivirus
  - files_automatedtagging
  - files_downloadlimit
  - files_retention
  - files_texteditor
  - files_versions_s3
  - groupfolders
  - guests
  - mail
  - music
  - officeonline
  - password_policy: 1.14.0
  - previewgenerator
  - ransomware_protection
  - registration
  - richdocuments
  - shareimporter
  - sharepermissions
  - spreed
  - support: 1.7.0
  - suspicious_login
  - terms_of_service
  - testing
  - twofactor_totp
  - user_ldap
  - user_migration
  - user_saml
  - workflow_script

Additional info

master is df14579

@PVince81 PVince81 added bug 1. to develop Accepted and waiting to be taken care of 24-feedback Feedback from 24.x releases labels Apr 12, 2022
@PVince81 PVince81 added this to the Nextcloud 24 milestone Apr 12, 2022
@PVince81 PVince81 self-assigned this Apr 14, 2022
@StCyr
Contributor

StCyr commented Apr 14, 2022

> At step 5 the user is more likely to quickly click the "Request password" button instead of the little arrow to submit the current one.

You're right, but I have no idea how to improve that. I hope for a good suggestion from @jancborchardt

> After step 7, an extra click is needed to go back.

You're right, I'll see how I can improve that.

@PVince81
Member Author

PVince81 commented Apr 14, 2022

I just got a few suggestions from him an hour ago, posting here:

  • "Request password" button should be just a text link saying "Forgot password?" (just like on log in page) cause otherwise the button seems like the thing to click
  • Same for "Back" – needs to be a text link because otherwise it’s clicked by mistake
  • Would be nice to have a link in the "forgot password" email to directly be able to click => I believe having the password and the share link in the same email is not wanted, please confirm.
  • Communicate expiration date:
    • Add line below "Password protect" input field in the share dropdown in files sidebar, saying "Password will expire after 1 hour"
    • Also in the email, adding to the sentence "It is protected with the following password:" – change to: "It is protected with the following password, which will expire after 1 hour:" => Changed to: "It is protected with the following password: xxxxxxxxxxxxxx. This password will expire at Thu, 14 Apr 2022 20:28:27 +0000"

@PVince81
Member Author

I already had a quick look and if you change the "button" to a "a href='#'" with no attribute it gets the same style like on the login page, so already looking good.

@StCyr great if you can look into those

@StCyr
Contributor

StCyr commented Apr 15, 2022

> I just got a few suggestions from him an hour ago, posting here:
>
> * [ ]  "Request password" button should be just a text link saying "Forgot password?" (just like on log in page) cause otherwise the button seems like the thing to click

Done

> * [ ]  Same for "Back" – needs to be a text link because otherwise it’s clicked by mistake

Done

> * [ ]  Would be nice to have a link in the "forgot password" email to directly be able to click

I believe that we don't want to communicate the share's link in the same email as the share's password. Could you please confirm?

> * [ ]  Communicate expiration date:
>   * [ ]  Add line below "Password protect" input field in the share dropdown in files sidebar, saying "Password will expire after 1 hour"

Done

>   * [ ]  Also in the email, adding to the sentence "It is protected with the following password:" – change to: "It is protected with the following password, which will expire after 1 hour:"

Changed to:

It is protected with the following password:

ztI0KjBmKNrLwBN3yI+D

This password will expire at Thu, 14 Apr 2022 20:28:27 +0000

@blizzz blizzz modified the milestones: Nextcloud 24, Nextcloud 25 Apr 21, 2022
@PVince81
Member Author

@StCyr thanks a lot for the PR!

> I believe that we don't want to communicate the share's link in the same email as the share's password. Could you please confirm?

yeah, you're right, we should keep them separate

@StCyr
Contributor

StCyr commented Apr 27, 2022

Hi @blizzz,

Isn't it still possible to push these changes in NC24?

@PVince81
Member Author

@StCyr we're already past feature freeze and in RC2, so we only merge critical changes to avoid destabilizing the build

these changes are only cosmetic, so we can ship them with 24.0.1 later in May

@Jerome-Herbinet
Member

Jerome-Herbinet commented May 9, 2022

> I just got a few suggestions from him an hour ago, posting here:
>
> * [x]  "Request password" button should be just a text link saying "Forgot password?" (just like on log in page) cause otherwise the button seems like the thing to click
> * [x]  Same for "Back" – needs to be a text link because otherwise it’s clicked by mistake
> * [x]  Would be nice to have a link in the "forgot password" email to directly be able to click => **I believe having the password and the share link in the same email is not wanted, please confirm.**
> * [ ]  Communicate expiration date:
>   * [ ]  Add line below "Password protect" input field in the share dropdown in files sidebar, saying "Password will expire after 1 hour"
>   * [x]  Also in the email, adding to the sentence "It is protected with the following password:" – change to: "It is protected with the following password, which will expire after 1 hour:" => Changed to: "**It is protected with the following password: xxxxxxxxxxxxxx. This password will expire at Thu, 14 Apr 2022 20:28:27 +0000**"

@PVince81, I think all these suggestions are very relevant and really necessary so that the person receiving the share understands that the password received is temporary, otherwise there will definitely be confusion. I will add one last suggestion:
When the person types in the password and it has expired, the warning message should not say that it is simply wrong, but rather that it has expired and that a new one should be requested.

In any case, this feature is very interesting, relevant and reassuring. Great work!

NB: I'm taking part in this discussion because I'm testing this feature and I'm writing a blog post about the new features of Nextcloud 24.

@PVince81
Member Author

> When the person types in the password and it has expired, the warning message should not say that it is simply wrong, but rather that it has expired and that a new one should be requested.

Usually for security it is sometimes best to not tell the user whether the password is invalid or has expired.

Maybe the message could be changed to something like "the password is wrong or has expired, please request a new one"

@StCyr @jancborchardt thoughts?

@Jerome-Herbinet
Member

> > When the person types in the password and it has expired, the warning message should not say that it is simply wrong, but rather that it has expired and that a new one should be requested.
>
> Usually for security it is sometimes best to not tell the user whether the password is invalid or has expired.
>
> Maybe the message could be changed to something like "the password is wrong or has expired, please request a new one"
>
> @StCyr @jancborchardt thoughts?

This would be a good compromise.
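
The compromise reached in the two comments above, sketched as an added example (this is not Nextcloud's code; the function, field names and sample data are hypothetical): both failure cases produce the same visitor-facing message, while the real reason is kept for the server log only.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical names, not Nextcloud's share API.
const GENERIC_FAILURE = 'The password is wrong or has expired, please request a new one';

/**
 * Check a submitted password against a mail share's temporary password.
 *
 * @param array{hash: string, expires: DateTimeImmutable} $share constructed record
 * @return array{ok: bool, message: string, reason: string}
 *         'message' is shown to the visitor; 'reason' is for the server log only.
 */
function checkSharePassword(array $share, string $submitted, DateTimeImmutable $now): array
{
    // Always run the hash comparison, even for an expired password, so the
    // expired path does not skip the expensive step and answer noticeably faster.
    $matches = password_verify($submitted, $share['hash']);
    $expired = $now >= $share['expires'];

    if ($matches && !$expired) {
        return ['ok' => true, 'message' => '', 'reason' => 'ok'];
    }
    // Same visitor-facing text for both failures; only the log distinguishes them.
    $reason = $expired ? 'expired' : 'mismatch';
    return ['ok' => false, 'message' => GENERIC_FAILURE, 'reason' => $reason];
}

// Constructed sample data: a temporary password valid for one hour.
$issued = new DateTimeImmutable('2022-04-14 19:28:27+00:00');
$share = [
    'hash' => password_hash('constructed-temp-password', PASSWORD_DEFAULT),
    'expires' => $issued->modify('+1 hour'),
];

$cases = [
    'correct, in time' => ['constructed-temp-password', $issued->modify('+10 minutes')],
    'wrong, in time' => ['guess', $issued->modify('+10 minutes')],
    'correct, expired' => ['constructed-temp-password', $issued->modify('+2 hours')],
];
foreach ($cases as $label => [$password, $now]) {
    $r = checkSharePassword($share, $password, $now);
    // In a real handler the reason would go to the server log, never into the response.
    printf("%-17s ok=%-3s log=%-8s shown=\"%s\"\n", $label, $r['ok'] ? 'yes' : 'no', $r['reason'], $r['message']);
}
```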

StCyr added a commit that referenced this issue May 31, 2022
…y passwords

for mail shares:

1- Changes style of "forgot password?" and "Back" button
2- Adds information about share password's expiration time in the emails sent.
3- Shows password expiration time in the Share menu
4- Fixes an issue when the message "Password expires..." would be shown for non email share types (which don't have temporary passwords)
5- At share's creation, password should only be sent when it's a permanent one

See also #31952

Signed-off-by: Cyrille Bollu <cyrpub@bollu.be>
StCyr added a commit that referenced this issue Jun 8, 2022
nextcloud-command pushed a commit that referenced this issue Jun 8, 2022
backportbot-nextcloud bot pushed a commit that referenced this issue Jun 8, 2022
nextcloud-command pushed a commit that referenced this issue Jun 8, 2022
4 participants