apioo / fusio

Open source API management platform
https://www.fusio-project.org
Apache License 2.0

Register only using email & password, no username. #79

Open zaniar opened 7 years ago

zaniar commented 7 years ago

I see that https://github.com/apioo/fusio-impl/commit/0100cc6293ea3c71c290e999c3e5597031151352 allows us to log in using email instead of username.

I need to allow users to register on my app using only email & password. Currently I set the username to the same value as the email. But Fusio does not allow the character @ in the username. So I need to change Schema\User::NAME_PATTERN in the source code. If I remember correctly, the character @ used to be allowed in the username.

I believe that this kind of scenario is not rare. So, I suggest it to be a feature.

What do you think?

chriskapp commented 7 years ago

Regarding the name pattern I was a bit inspired by Facebook where you can also use only A-z, 0-9 and . as username. The email field is much more relaxed and can contain also other characters.

Regarding your problem, could you not simply use the part before the @ as the username? I.e. if a user foo.bar@gmail.com registers, you use foo.bar as the username?

So I think our current rule a-zA-Z0-9\-\_\. should handle most common use cases. But of course this is not set in stone and if there are other good arguments we can expand the list with other characters. But allowing more characters is also a vector for abuse.

zaniar commented 7 years ago

If I trim the part after @, there is a chance that foo.bar@gmail.com & foo.bar@yahoo.com will be treated as the same username. They could be two different people.

How about a parameter on Fusio\Impl\Service\User->create to choose which one we wish to use as identifier? The choices are: USERNAME_AND_EMAIL or EMAIL_ONLY. I do not think USERNAME_ONLY is necessary.

If I choose EMAIL_ONLY, Fusio will check user existence using email instead of username (I have another question regarding this, I will create another issue). Fusio will also skip $this->assertName($name); and set $name with $email.

We can leave it to be accessible only via Action, if it is considered an advanced feature. Or, we can expose it on Settings.

chriskapp commented 7 years ago

> If I trim the part after @, there is a chance that foo.bar@gmail.com & foo.bar@yahoo.com will be treated as the same username. They could be two different people.

OK, this is a valid point. The problem is the table structure, which requires a unique name and email for each user, so we have to insert those two unique values. Then we can use both values to identify a user. I think the main problem is which username we should choose in case a user provides only an email and not a username. I will think more about it and let you know whether I find a good solution.

riwin commented 6 years ago

Maybe:

gmail.com_foo.bar

EvoPulseGaming commented 4 years ago

User name would still be unique if you only remove the '@' symbol from the email. Then you just make sure you don't show the username stuff, and you should be fine... or do as riwin suggested. Either way, this can be closed.
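
The three username derivations proposed in this thread, checked for uniqueness and against the allowed character set. This is an added example, not code from Fusio or from any participant; the function names and sample addresses are hypothetical, and the regex is an assumption built from the character class quoted above (any length limit in Schema\User::NAME_PATTERN is not modelled).

```php
<?php
// Added example, not Fusio code. Assumption: the pattern is built from the
// character class quoted in the thread; length limits are not modelled.
const NAME_PATTERN = '/^[a-zA-Z0-9\-\_\.]+$/';

// Part before the @ (second comment in the thread).
function localPart(string $email): string
{
    return substr($email, 0, strrpos($email, '@'));
}

// Email with the @ removed (last comment in the thread).
function stripAt(string $email): string
{
    return str_replace('@', '', $email);
}

// Domain, underscore, local part (riwin's suggestion).
function domainFirst(string $email): string
{
    $at = strrpos($email, '@');
    return substr($email, $at + 1) . '_' . substr($email, 0, $at);
}

// Returns derived names that fail the pattern and names shared by several emails.
function audit(callable $derive, array $emails): array
{
    $byName = [];
    $invalid = [];
    foreach ($emails as $email) {
        $name = $derive($email);
        if (preg_match(NAME_PATTERN, $name) !== 1) {
            $invalid[$email] = $name;
        }
        $byName[$name][] = $email;
    }
    $collisions = array_filter($byName, fn(array $e) => count($e) > 1);
    return ['invalid' => $invalid, 'collisions' => $collisions];
}

// Constructed sample addresses.
$emails = ['foo.bar@gmail.com', 'foo.bar@yahoo.com', 'foo@bar.com',
           'foob@ar.com', 'foo.bar+news@gmail.com'];

foreach (['localPart', 'stripAt', 'domainFirst'] as $strategy) {
    echo $strategy, ': ', json_encode(audit($strategy, $emails)), PHP_EOL;
}
```

On this sample, localPart maps the gmail.com and yahoo.com addresses to the same name, stripAt maps foo@bar.com and foob@ar.com to the same name, and domainFirst produces no collisions. The address containing + fails the pattern under all three derivations.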