FriendsOfSymfony / FOSUserBundle

Provides user management for your Symfony project. Compatible with Doctrine ORM & ODM, and custom storages.
https://symfony.com/doc/master/bundles/FOSUserBundle/index.html
MIT License

Username should not be equal to existing email address when using fos_user.user_provider.username_email #1112

Open ienzam opened 11 years ago

ienzam commented 11 years ago

When we use both username and email as the user name (https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/logging_by_username_or_email.md), a user should not be able to register a username which is the same as one of the existing users' emails.

For example,

        Given there are users:
          | username    | email         | password |
          | alreadyUser | al@ready.user | somePass |

        When I try to register with the following:
          | username      | email             | password |
          | al@ready.user | email@email.email | password |
        Then the registration should not pass

But in the current system we can do that, and the user cannot log in with his username.

wiistriker commented 11 years ago

https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Model/UserManager.php#L91

Maybe it would be better to use a query here like `WHERE username = :input OR email = :input`? But we may get another problem.

ienzam commented 11 years ago

If both use the same password, then which user will get priority :( If the username is given preference (like `WHERE username = :input OR email = :input`), then id hijacking will be possible. If the email is given preference (which is the current implementation), a previous user whose username is the same as the email will lose his account.

A simple solution would be to disallow `@` in usernames. Another, costlier solution is to add some validation on username and email while registering a user.

wiistriker commented 11 years ago

what kind of validation?

- username can't be an email?
- username can't be equal to someone's email?

ienzam commented 11 years ago

Yes, a username can't be some existing email.

wiistriker commented 11 years ago

In that case I can add a username with an email before the user with that email registers on the site.

ienzam commented 11 years ago

Oh yes, when the next user comes to register with that email, he will get the notification that the email already exists :/

ienzam commented 11 years ago

So what about: username should not contain the '@' character?

wiistriker commented 11 years ago

But there is actually no user with such an email. There is a user with such an email in his username =)

ienzam commented 11 years ago

Sorry, I don't get you. I got the point that adding the validation 'username should not be equal to email' is not going to work.

I am suggesting that users should not be allowed to register with the character '@' in their username, so that a username will never be an email.

mvrhov commented 11 years ago

In such case I recommend, that you override the validation...

sdecandelario commented 11 years ago

I think it's better to check that the username doesn't contain any @ character, for more security, and you can use regular expressions or the built-in form validation of Symfony, no?
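The lookup ambiguity discussed above (email-first resolution silently shadowing a user whose username is another user's email) and the "no `@` in usernames" check proposed as the fix, as an added, self-contained example. This is not code from FOSUserBundle or from anyone in the thread: the in-memory repository, the `User` class and the `assertUsernameIsNotEmailLike` helper are constructed for illustration, and the email-first resolution models the behaviour the thread describes (input that looks like an email is resolved by email only), not the bundle's exact implementation. It needs PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical minimal user model (constructed for this example).
final class User
{
    public function __construct(
        public readonly string $username,
        public readonly string $email,
    ) {}
}

// Hypothetical in-memory store standing in for the ORM/ODM-backed manager.
final class InMemoryUserRepository
{
    /** @var User[] */
    private array $users = [];

    public function add(User $user): void
    {
        $this->users[] = $user;
    }

    public function findByUsername(string $username): ?User
    {
        foreach ($this->users as $u) {
            if (strcasecmp($u->username, $username) === 0) {
                return $u;
            }
        }
        return null;
    }

    public function findByEmail(string $email): ?User
    {
        foreach ($this->users as $u) {
            if (strcasecmp($u->email, $email) === 0) {
                return $u;
            }
        }
        return null;
    }

    // Email-first resolution as described in the thread (assumption, not the
    // bundle's code): anything that validates as an email is looked up by
    // email only, so a username that is also an email is unreachable.
    public function findByUsernameOrEmail(string $input): ?User
    {
        if (filter_var($input, FILTER_VALIDATE_EMAIL) !== false) {
            return $this->findByEmail($input);
        }
        return $this->findByUsername($input);
    }
}

// Registration-time check proposed in the thread: reject any username
// containing '@', so the username namespace can never overlap the email
// namespace, regardless of which emails exist now or are registered later.
function assertUsernameIsNotEmailLike(string $username): void
{
    if (str_contains($username, '@')) {
        throw new InvalidArgumentException(
            sprintf('Username "%s" must not contain "@"', $username)
        );
    }
}

// Constructed data mirroring the two users from the issue.
$repo = new InMemoryUserRepository();
$repo->add(new User('alreadyUser', 'al@ready.user'));

// Without the check, the conflicting registration from the issue goes through.
$repo->add(new User('al@ready.user', 'email@email.email'));

// The second user tries to log in with his username; email-first resolution
// returns the first user instead, so the second user can never be found.
$found = $repo->findByUsernameOrEmail('al@ready.user');
printf(
    "login with 'al@ready.user' resolved to username=%s email=%s\n",
    $found->username,
    $found->email
);

// With the check in place, the same registration is refused before it is stored.
try {
    assertUsernameIsNotEmailLike('al@ready.user');
} catch (InvalidArgumentException $e) {
    echo 'registration rejected: ', $e->getMessage(), PHP_EOL;
}

// A plain username passes the check unchanged.
assertUsernameIsNotEmailLike('alreadyUser');
```

In a Symfony form the same rule can be expressed declaratively with the `Regex` constraint on the username property, e.g. a pattern of `/^[^@]+$/`, which is what the last two comments allude to. Note that the alternative check ("username must not equal an existing email") is still racy, as the thread points out: it only compares against emails present at registration time, so a username chosen before the matching email is registered still collides later. Excluding `@` from usernames closes that window entirely.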