
UI/UX: SMTP Auth fields

Open andrewboring opened this issue 3 years ago • 4 comments

UI/UX: Incorrect SMTP Auth fields

Description

SMTP auth requires a username and a password. FusionAuth displays the username field, but does not display the password field.

In order to configure an SMTP Auth password, the "Change password" switch must be toggled, which does not indicate the correct behavior (the password isn't being changed, it's being set for authentication).

Affects versions

1.19.6-1

Steps to reproduce

  1. Deploy new fusionauth instance.
  2. Go to Tenants -> Edit Tenant -> Email
  3. Try to enter in SMTP information.
  4. Enter standard SMTP info that requires authentication (username/password). Note there is no password field UNLESS you select Change Password.

Expected behavior

I expected both SMTP Username and SMTP Password fields, or an "SMTP Authentication" or "Use Authentication" switch to toggle the display of the SMTP Username and SMTP Password fields. This aligns with universal mail client behavior, where both username and password fields are displayed when authentication is required, and hidden/unused when authentication is not required (e.g., local/trusted subnets).

Screenshots

Screen Shot 2020-09-22 at 12 35 22 PM Screen Shot 2020-09-22 at 12 35 26 PM

Platform

CentOS 7.x, FusionAuth 1.19, with any SMTP server (I was using Zoho, but the service is irrelevant).

andrewboring avatar Sep 22 '20 17:09 andrewboring

A possible solution:

  1. When a password HAS NOT been set, the Change password control is not shown. Instead, the Password field is always shown.
  2. When a password HAS been set, the Change password control is shown like it is today. Only when this is toggled do we show the Password field.

We also add some text to indicate that no password has been configured when we are only showing the Password field. If we do have a password, we also indicate that with some text so the user knows why the Change password control is shown and that if you wish to change the existing password, you must toggle the control to show the Password field.

Would this help?

robotdan avatar Sep 22 '20 17:09 robotdan

Following up with additional comments per a conversation in #601 where @robotdan requested feedback on UI/UX improvements.

Use cases:

  1. No credentials, Security is None.
  2. No credentials, Security is SSL
  3. No credentials, Security is TLS
  4. Username & Password, Security is None.
  5. Username & Password, Security is SSL
  6. Username & Password, Security is TLS

First, the distinction between SSL and TLS in the UI is not quite right, since SSL and TLS are largely interchangeable in common vernacular. The actual settings being distinguished here are SMTPS (port 465) and STARTTLS (ports 25/587).

The difference is that SMTPS initiates a TLS session first for the SMTP session to follow, just like HTTPS does for HTTP. That is, a TLS handshake followed by an exchange of certificates, and THEN the HELO/EHLO.

STARTTLS begins with a standard/unencrypted HELO/EHLO, followed by a STARTTLS command to initiate a TLS session, so it uses the standard ports 25/587 (with 587 being preferred for SMTP Auth, and port 25 for unauthenticated relaying on a trusted network).

So with this in mind, I would suggest the fields display as such:

  1. No credentials, Security is None.
     SMTP Host:
     SMTP Port: (default 25? or blank)
     Security: None
     Use Authentication toggle: Off

  2. No credentials, Security is SMTPS/465 ("SSL")
     SMTP Host:
     SMTP Port: (changes to 465 if security is switched to SMTPS)
     Security: SMTPS
     Use Authentication: Off

  3. No credentials, Security is STARTTLS/587 ("TLS")
     SMTP Host:
     SMTP Port: (changes to 587 if security is switched to STARTTLS)
     Security: STARTTLS
     Use Authentication: Off

  4. Username & Password, Security is None.
     SMTP Host:
     SMTP Port: (defaults to 25)
     Security: None
     Use Authentication: On (enables two fields below)
     SMTP Username:
     SMTP Password:

  5. Username & Password, Security is SSL
     SMTP Host:
     SMTP Port: (changes to 465 if security is switched to SMTPS)
     Security: SMTPS
     Use Authentication: On (enables two fields below)
     SMTP Username:
     SMTP Password:

  6. Username & Password, Security is TLS
     SMTP Host:
     SMTP Port: (changes to 587 if security is switched to STARTTLS)
     Security: STARTTLS
     Use Authentication: On (enables two fields below)
     SMTP Username:
     SMTP Password:

I don't know why there is a dedicated "change password" switch...if you're re-saving the SMTP Host when changing the form field, then changing the password should only require re-entering new data.

Since a current/existing password isn't displayed in plain-text like SMTP host or username is, it might simply be a "blank" field that is populated by asterisks for display. If no data is entered in the field when saved, the password isn't updated. If the data changes (i.e., someone types something in the field), then the password updates along with all other fields that are saved. (I'm not much of a developer, so I'm not entirely sure how other mail clients actually handle this).

andrewboring avatar Sep 22 '20 17:09 andrewboring
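The SMTPS versus STARTTLS distinction and the six use cases from the comment above, as an added example using Python's `smtplib` (not part of the thread and not FusionAuth's code). The names `default_port` and `open_smtp` and the `allow_plaintext_auth` opt-in are assumptions of this example.

```python
import smtplib
import ssl

# Default ports for the three Security settings discussed in the thread.
DEFAULT_PORTS = {"NONE": 25, "SMTPS": 465, "STARTTLS": 587}


def default_port(security):
    """Port a form would pre-fill when the Security selector changes."""
    try:
        return DEFAULT_PORTS[security]
    except KeyError:
        raise ValueError(f"unknown security mode: {security!r}") from None


def open_smtp(host, security, port=None, username=None, password=None,
              allow_plaintext_auth=False, timeout=10):
    """Return a connected (and, if credentials are given, authenticated) client.

    SMTPS: TLS handshake first, then EHLO (as HTTPS does for HTTP).
    STARTTLS: plaintext EHLO, STARTTLS command, TLS handshake, EHLO again.
    """
    fallback = default_port(security)  # rejects unknown modes up front
    port = port or fallback
    use_auth = username is not None
    if use_auth and password is None:
        raise ValueError("username given without a password")
    # Added policy (assumption of this example): use case 4 sends the
    # credentials in the clear, so it needs an explicit opt-in.
    if use_auth and security == "NONE" and not allow_plaintext_auth:
        raise ValueError("refusing SMTP AUTH without TLS")

    context = ssl.create_default_context()  # verifies certificate and hostname
    if security == "SMTPS":
        client = smtplib.SMTP_SSL(host, port, timeout=timeout, context=context)
    else:
        client = smtplib.SMTP(host, port, timeout=timeout)
    try:
        client.ehlo()
        if security == "STARTTLS":
            # Raises SMTPNotSupportedError when the server does not offer
            # STARTTLS, so the session never silently stays in plaintext.
            client.starttls(context=context)
            client.ehlo()
        if use_auth:
            client.login(username, password)
    except Exception:
        client.close()
        raise
    return client
```

All validation happens before any socket is opened, so a rejected configuration never reaches the mail server.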

@robotdan I think your suggestions would work, certainly for new configurations like mine.

A secondary administrator (who didn't do the initial configuration) might believe a password is not set since there is no password field displayed in the UI you describe. The existence of a Change Password button would indicate it is, though. It feels a little clunky, but I can't really think of a scenario where this might lead to any real problems.

For comparison, I've attached a screenshot from Keycloak's documentation, which I was also recently testing. It's closer to the SMTP configuration experience I was expecting.

email-tab

andrewboring avatar Sep 22 '20 18:09 andrewboring

Thanks for the thoughtful suggestions @andrewboring. We'll take a look at the existing configuration and see if we can improve upon it.

robotdan avatar Sep 22 '20 18:09 robotdan