LinusU / secure-remote-password

A modern SRP implementation for Node.js and Web Browsers

Use of username in algorithm #17

Open dobesv opened 5 years ago

dobesv commented 5 years ago

Maybe this is more of a usage question - but it seems like if a user changes their username their password will be invalidated as a side-effect. The documentation may want to adjust its suggested workflow to one which will allow users to modify their username / email without getting locked out of their account.

I'm not 100% sure of the right approach. I guess when the client sends the first request to the server, it can provide some token back to the client which identifies the user. If this has to be anonymous, the token would seemingly have to be something randomly generated (e.g. not a database user ID). This is kind of redundant with the salt, though, which in principle you could just require each account to have a unique salt and use the salt to find the user in a subsequent request.

antoine-pous commented 2 years ago

Simply asking for the password when updating the login will solve this issue painlessly and improve the security around personal information editing 😁

dobesv commented 2 years ago

FWIW our workaround is just to provide an empty username for purposes of the algorithm. I think there are enough other random tokens in the process that the username part of the system is optional.