authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0

Ensure at least one contactable identity is setup during signup #181

Open louischan-oursky opened 4 years ago

louischan-oursky commented 4 years ago

We have many features relying on email or phone to work, for example, forgot password and in the future, security alerts. If the user only signs up with username, we cannot contact them. We need to support creating multiple login IDs in the signup flow. Ben has proposed this before, like setting up both email and phone in the signup flow. We would like to enforce a constraint that during signup, we at least create one contactable identity.

The constraint should be upheld all the time. So the user cannot remove the last contactable identity.
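The constraint described in this comment, as an added example that is not part of the thread or of the authgear-server code base: a hypothetical policy check in Go (the `LoginID` type, key constants and function names are assumptions) that rejects a signup with no contactable identity and refuses removal of the last one.

```go
package main

import (
	"errors"
	"fmt"
)

// LoginIDKey names the kind of a login ID (assumed type, not Authgear's own).
type LoginIDKey string

const (
	KeyEmail    LoginIDKey = "email"
	KeyPhone    LoginIDKey = "phone"
	KeyUsername LoginIDKey = "username"
)

// LoginID is a constructed stand-in for one of a user's login identities.
type LoginID struct {
	Key   LoginIDKey
	Value string
}

var ErrNoContactableIdentity = errors.New("at least one contactable identity (email or phone) is required")

// contactable reports whether a login ID of this kind can be used to reach the user.
func contactable(k LoginIDKey) bool { return k == KeyEmail || k == KeyPhone }

func countContactable(ids []LoginID) int {
	n := 0
	for _, id := range ids {
		if contactable(id.Key) {
			n++
		}
	}
	return n
}

// ValidateSignup enforces the constraint at signup time: username-only signups are rejected.
func ValidateSignup(ids []LoginID) error {
	if countContactable(ids) == 0 {
		return ErrNoContactableIdentity
	}
	return nil
}

// RemoveLoginID returns the identities left after removing index i, refusing the
// removal when it would leave the user with no contactable identity.
func RemoveLoginID(ids []LoginID, i int) ([]LoginID, error) {
	if i < 0 || i >= len(ids) {
		return nil, fmt.Errorf("no login ID at index %d", i)
	}
	remaining := append(append([]LoginID{}, ids[:i]...), ids[i+1:]...)
	if countContactable(remaining) == 0 {
		return nil, ErrNoContactableIdentity
	}
	return remaining, nil
}

func main() {
	ids := []LoginID{{KeyUsername, "alice"}, {KeyEmail, "alice@example.com"}} // constructed sample
	fmt.Println("signup:", ValidateSignup(ids))
	_, err := RemoveLoginID(ids, 1) // would drop the only email
	fmt.Println("remove last email:", err)
}
```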

chpapa commented 4 years ago

But there are also use cases where people really login with username and password only without any trace of email/sms?

louischan-oursky commented 4 years ago

In that case how can the user finish the forgot password flow? 🤔

chpapa commented 4 years ago

> In that case how can the user finish the forgot password flow? 🤔

Disable it in those cases?

louischan-oursky commented 4 years ago

I mean if the whole user experience is considered as complete by the stakeholder (the developer and the end user). People have no way to recover their account in case they have forgotten the password.

At least this should not be a situation that people can encounter using default settings. The current situation is that if the user really signs up with username, they will encounter this situation.

chpapa commented 4 years ago

> I mean if the whole user experience is considered as complete by the stakeholder (the developer and the end user). People have no way to recover their account in case they have forgotten the password.
>
> At least this should not be a situation that people can encounter using default settings. The current situation is that if the user really signs up with username, they will encounter this situation.

I totally agree, the default setting should be something like email + password (or username + password but need email), but I think only username + password could be an option if they deliberately choose to...

louischan-oursky commented 4 years ago

I propose we change the default login ID keys to be email only. In the documentation, we teach the developer how to add phone and username and the implication of having only username as login ID key.

chpapa commented 4 years ago

> I propose we change the default login ID keys to be email only. In the documentation, we teach the developer how to add phone and username and the implication of having only username as login ID key.

Sure. BTW, is it currently possible to set up a configuration like "username + password but need email"? If not can you help create a feature issue for it?

louischan-oursky commented 4 years ago

Not possible yet. https://github.com/authgear/authgear-server/issues/187