Closed mullernato closed 1 year ago
Hi @mullernato , Thank you very much for your report.
The process of checking the existence of a user in the database is done by looking up the email in the table. If the user with the desired email is in the table (provided that config(ShieldOAuthConfig::class)->syncingUserInfo is active), the information will be updated in the table every time user login, and if there is no user with the email, a new user will be registered.
It was expected that the username would be registered with some suffix to differentiate it from an existing user.
Your solution is good, but as long as the shield settings are for user login with email and password, if login is with username and password, the user cannot login because he/she does not know that an suffix has been automatically added to username. to be Unless it is assumed that we will not have login with username and password, which is definitely not a good assumption.
Do you have any other opinion with the above explanation? thoughts?
Here in my system the user has 2 login/registration options: 1) using email and password using Shield with only email and password. obs. Login with username is not allowed. 2) using google auth with your ShieldOAuth script.
The Shield requires a username in the register, and in the database table it cannot be duplicated, even if it is irrelevant for use, so I thought of putting a suffix in case of duplicity, as the user will not use this username to login. And also the user will be able to change it in a user settings panel in my use case.
even though it's not my case but if two people register using google oauth or any other oauth and they have the same first name it will result in this username already exists error.
to my case I change the Library GoogleOAuth.php setColumnsName function to:
protected function setColumnsName(string $nameOfProcess, $userInfo): array
{
if ($nameOfProcess === 'syncingUserInfo') {
$usersColumnsName = [
$this->config->usersColumnsName['first_name'] => $userInfo->given_name,
$this->config->usersColumnsName['last_name'] => $userInfo->family_name,
$this->config->usersColumnsName['avatar'] => $userInfo->picture,
];
}
if ($nameOfProcess === 'newUser') {
$usersColumnsName = [
// users tbl // OAuth
'username' => $this->genUsername($userInfo->name),
'email' => $userInfo->email,
'password' => random_string('crypto', 32),
'active' => $userInfo->email_verified,
$this->config->usersColumnsName['first_name'] => $userInfo->given_name,
$this->config->usersColumnsName['last_name'] => $userInfo->family_name,
$this->config->usersColumnsName['avatar'] => $userInfo->picture,
];
}
return $usersColumnsName;
}
protected function genUsername($name) : string
{
// change all spaces, underscores, dots, dashes, etc. to a single underscore
// and make it lowercase
$name = preg_replace('/\s+/', '_', $name);
$name = preg_replace('/[^A-Za-z0-9\_]/', '', $name);
$name = strtolower($name);
//add 2 random numbers to the end of the username to prevent duplicates separate by underscore
$name = $name . '_' . rand(10, 99);
return 'g_'.$name;
}
I thought about this a bit, we can add a prefix to username.
In addition, we can add a session or event so that if the user's login is OAuth, the user will be reminded to change his username(or any data) if needed.
I have pinned this topic, I will wait for a while, maybe we will get another feedback, otherwise we will proceed as I explained above.
@mullernato PR #58 solved this issue by replacing email for username. Check if you can.
PHP Version
8.2
CodeIgniter4 Version
4.3.3
Shield Version
latest dev
Shield OAuth Version?
dev-develop
Which operating systems have you tested for this bug?
Linux
Which server did you use?
fpm-fcgi
Database
Mariadb 10.6
Did you add customize OAuth?
No
What happened?
if there is another user with the same username, an error occurs when registering a new account with google login. duplicate username error
Steps to Reproduce
Manually register a user using Shield with the first name of a test gmail user, eg John. Then log in with a test Gmail account whose user is named John. This will generate a duplicate username error.
Expected Output
It was expected that the username would be registered with some suffix to differentiate it from an existing user.
Anything else?
No response