directus / directus

The Modern Data Stack 🍰 - Directus is an instant REST+GraphQL API and intuitive no-code data collaboration app for any SQL database.
https://directus.io

E-Mail Hashing - Privacy Improvement #22470

Closed NilsBaumgartner1994 closed 2 weeks ago

NilsBaumgartner1994 commented 3 weeks ago

Describe the Improvement

As users can register via different auth providers such as Google, their external identifier is their email address. This works totally fine, but considering privacy policies it would be nice to have an option or a hook to hash the email address into a string.

br41nslug commented 2 weeks ago

Can you elaborate on how this would work? After the email has been hashed it can no longer be used to send mails to that user, like notifications or password resets 🤔

NilsBaumgartner1994 commented 2 weeks ago

These are 2 features currently. There is a need for the separation of: email address and external identifier.

If you want pseudonymous users you would leave out the email address; users can't reset their password, but for SSO logins that is not necessarily needed, and it would be more privacy policy friendly.

By default the email would be saved

NilsBaumgartner1994 commented 2 weeks ago

@br41nslug as some auth providers like Apple create relay emails for the external identifiers, they secure this.

But I don't see why we could not just save the email address in the email field of the Directus user (or a field like "registered with email"), and a hashed external identifier.

This would only improve the security. Sure, by migrating up, existing instances would hash the external identifiers once.

br41nslug commented 2 weeks ago

> But I don't see why we could not just save the email address in the email field of the Directus user (or a field like "registered with email"), and a hashed external identifier.

You can configure this for the SSO provider you're using with `_IDENTIFIER_KEY` and `_EMAIL_KEY`. Since this seems to already be covered by configuration I'll be closing this issue.

NilsBaumgartner1994 commented 2 weeks ago

> But I don't see why we could not just save the email address in the email field of the Directus user (or a field like "registered with email"), and a hashed external identifier.
>
> You can configure this for the SSO provider you're using with `_IDENTIFIER_KEY` and `_EMAIL_KEY`. Since this seems to already be covered by configuration I'll be closing this issue.

But the identifier key will not be hashed? For example for the Google login?

br41nslug commented 2 weeks ago

Identifiers will not be hashed, no, and it shouldn't be necessary if you're not using the email or another privacy-sensitive key. This can however be achieved using flows/hooks by hooking into the `auth.create`/`auth.update` events. To implement this hashing in core is more than a "tiny tweak" and I want to ask you to make a proper feature request for that, as all the various SSO providers need to be considered for this.
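As an added example (not code from the Directus project or from anyone in this thread), the following is a Directus hook extension that hashes the provider identifier on the `auth.create`/`auth.update` filter events mentioned above. It uses a keyed HMAC-SHA256 instead of a bare hash because email addresses are low-entropy and an unkeyed hash could be reversed by guessing; the secret's environment variable name `IDENTIFIER_HASH_SECRET` and the column name `external_identifier` are assumptions. The block shows only the hashing step: whether a filter alone is enough depends on the provider driver looking the user up by the same hashed value on later logins.

```javascript
// Added example, not Directus project code: hash the SSO identifier before
// the user row is created/updated, keeping the plain email for mail delivery.
import { createHmac } from 'node:crypto';

const FIELD = 'external_identifier'; // assumed directus_users column for the provider id
// Assumed env var name; a per-instance secret keeps the hash from being guessable.
const SECRET = process.env.IDENTIFIER_HASH_SECRET ?? 'dev-only-secret-change-me';

// Deterministic keyed hash; identifiers are normalised so 'A@x.io' and 'a@x.io ' match.
export function hashIdentifier(identifier, secret = SECRET) {
  const normalised = String(identifier).trim().toLowerCase();
  return createHmac('sha256', secret).update(normalised).digest('hex');
}

// Filter body: returns a copy of the payload with the identifier replaced.
// Values that already look like a digest (64 hex chars) are left untouched,
// so running the hook on an update of an already-hashed user is safe.
export function hashPayloadIdentifier(payload) {
  const value = payload?.[FIELD];
  if (typeof value !== 'string' || value === '' || /^[0-9a-f]{64}$/.test(value)) {
    return payload;
  }
  return { ...payload, [FIELD]: hashIdentifier(value) };
}

// Directus hook entry point: the same filter is registered for both events.
export default function registerHook({ filter }) {
  for (const event of ['auth.create', 'auth.update']) {
    filter(event, (payload) => hashPayloadIdentifier(payload));
  }
}
```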