Re: Google signin

On Mon, Aug 14, 2017 at 5:17 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> > On Fri, Aug 11, 2017 at 5:15 PM, Stephen Frost <sfrost(at)snowman(dot)net>
> wrote:
> > > We should really have a DB constraint which enforces uniqueness on
> > > lower(username), imv, and perhaps try to proactively do something about
> > > accounts which have invalid characters, but that's a different
> > > discussion.
> >
> > I could've sworn we had a constraint on the lowercase part. It must be
> in a
> > different one of our systems though, because I can't see it in this one..
>
> I wouldn't have mentioned it if I had seen one there. :)
>
> Having it in a downstream system but not in the authorative one strikes
> me as a bad idea..
>

Yes. That's a recipie for trouble.

> > > Given that we're offering to do this, I almost wonder if we should just
> > > automatically do it rather than making them jump through the extra
> > > hoop.. That would have to be after we figure out a way to have
> accounts
> > > support multiple email addresses tho.
> >
> > We need them to pick a username, that's why we need an extra form to be
> > filled out. We could remove the name part of it to make it even simpler,
> > and have them change that after the fact, but I'm not sure that actually
> > simplifies things that much.
> >
> > We could get away with that if we could use the email address as the
> > username, but that breaks with mediawiki at least.
>
> I think you missed my point here- technically we need a username which
> isn't their email address, but they don't necessairly have to pick one
> and, indeed, this code actually builds one for them as a
> recommendation. Given that they don't need to know their username for
> logging in with Google or similar, it really could just be something
> that we internally keep track of.
>

We could, but that username is *visible* on systems. Anybody logging in
that way and then using the wiki, or the cf app, or redmine, etc, will have
that username exposed and will probably come asking to change it. And we
can't change usernames since it's the primary key across the distributed
system...

That does bring up a question though- does the code make sure to avoid a
> conflict with an existing username in the one that's suggested? I
> didn't see that, and we should probably do that.
>

In that case it will propose an invalid username and you will get the error
when you hit save. That's definitely a flow that could be improved if we
think this risks happening often.

--
Magnus Hagander
Me: https://www.hagander.net/ <http://www.hagander.net/>
Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>