Fix username/email case issue in login/signup #1317
Conversation
|
@catarak have a look and suggest required changes:) |
|
This code looks good. One problem that this uncovers is that it's completely possible to create an account with the username "ABC" or email "SOMETHING@EXAMPLE.COM" but then it's impossible to log in with those credentials? I think before merging we should check if there are any existing users that will suffer from this problem? And perhaps migrate the DB to use lowercase everywhere. |
|
Thanks for working on this! The case where this would break would be for all of the users that have uppercase letters stored in the database. I think the way to fix this would be:
|
|
I managed to figure out an alternative Mongo query that handles both cases... in the process of testing now! |
|
I now see the error in this logic... trying to figure out another solution! |
|
Did some more thinking about what the right behavior is here.
I'm not sure how to implement the username. In order to do case insensitive querying in MongoDB, you have to use a Regex, which you can't use with an index, or create a text index. Or you could store the username both case sensitive and the username in all lowercase. |
|
This further supports my theory that building an authentication/authorization system is the hardest problem in software development. |
|
Got a solution going that uses a RegEx search to lay out how this should actually function. It appears the RegEx search is slow there are other options to explore, but this at least lays out all of the places where the case sensitivity of the username/email matters. |
catarak
force-pushed
the
login-signup-issue
branch
from
edfe09b to
16860d7
Compare
- Add case insensitive indexes for User.email and User.username - Update user queries by username or email so that they are case insensitive
|
I had a breakthrough and now case-insensitive searches are working! Stuff that's left to do:
|
server/config/passport.js
Outdated
| @@ -43,7 +43,7 @@ passport.use(new LocalStrategy({ usernameField: 'email' }, (email, password, don | |||
| * Authentificate using Basic Auth (Username + Api Key) | |||
| */ | |||
| passport.use(new BasicStrategy((userid, key, done) => { | |||
| User.findOne({ username: userid }, (err, user) => { // eslint-disable-line consistent-return | |||
| User.findOne({ username: userid }).collation({ locale: 'en', strength: 2 }).exec((err, user) => { // eslint-disable-line consistent-return | |||
There was a problem hiding this comment.
We could add statics on the User model called User.findByUsername() and User.findByEmail() that will perform the User.findOne().collation(...) query.
This avoids duplication and ensures we won't forget to call it. It also means those statics can have a comment about what collation is doing as it's not very obvious.
There was a problem hiding this comment.
Thanks for the suggestion! Good idea.
|
I did some thinking about how to handle case-sensitive duplicates of email addresses currently in the database, and this is my plan of action:
WHEW. |
- Add new static methods to user model - `findByEmailAndUsername` - renames `findByMailOrName` to `findByEmailOrUsername` - `findByUsername` - `findByEmail` - Reverts case insensitive behavior for username
- Update the emailConsolidation script so that it will de-duplicate the first duplicated user - Sends email to user alerting them that the consolidation has taken place.
|
Since I've now run the update script, I'm going to merge this into |
|
Just did a query, and it turns out there are 5449 usernames that have duplicates. I unfortunately don't really see a way to allow users to login with their username, case-insensitive, that wouldn't involve changing usernames for users and therefore possibly changing urls. For that reason, I may just leave usernames as case sensitive, but prevent future duplicates. |
I have verified that this pull request:
npm run lint)Fixes #123Fixes #1314