joscha / play-authenticate

An authentication plugin for Play Framework 2.x (Java)
http://joscha.github.com/play-authenticate/

How to sign up users on their behalf by another user #356

Open Hawk707 opened 6 years ago

Hawk707 commented 6 years ago

I am trying to implement something like this:

- User A signs up using the normal flow (email and password, then verify email).
- User A can key in other users' emails (and a default password), which should follow the same (email and password) flow, and send emails to those users. Then those users can verify their emails and change the default password.

So far, I am able to do that, but could not include the default password. So those users are not able to log in.

I want to copy the same flow as when I created user A. So I traced the code, and I noticed that the password persists in LinkedAccount, which uses AuthUser to create the user in the method User.create(final AuthUser authUser). When I traced upward, the method is invoked by MyUsernamePasswordAuthProvider.signupUser(final MyUsernamePasswordAuthUser user).

However, I am not sure how MyUsernamePasswordAuthProvider.signupUser(final MyUsernamePasswordAuthUser user) is being invoked, and how the MyUsernamePasswordAuthUser user parameter was obtained.

Any idea?

Hawk707 commented 6 years ago

I tried more, and this is how far I got. The following is run by user 'A' to create another user programmatically (I made use of another issue here):

        // Bind the form submitted by user A; its fields describe the new user
        DynamicForm requestData = formFactory.form().bindFromRequest();
        MyUsernamePasswordAuthProvider.MySignup signup = new MyUsernamePasswordAuthProvider.MySignup();
        signup.setName(requestData.get("name"));
        signup.setEmail(requestData.get("email"));
        signup.setPassword(requestData.get("password"));
        signup.setRepeatPassword(requestData.get("password"));
        // Create the new user and its linked account from the signup data
        MyUserService userService = new MyUserService(auth);
        MyUsernamePasswordAuthUser newUser = new MyUsernamePasswordAuthUser(signup);
        userService.save(newUser);
        // Load the persisted User and send it the verification email
        final MyUsernamePasswordAuthProvider provider = this.userPaswAuthProvider;
        User myUser = User.findByEmail(requestData.get("email"));
        provider.sendVerifyEmailMailingAfterAddEmployee(myUser);
        return ok("ok");

This seems to work. But I am not sure how reliable it is and whether it is the right way. My concerns stem from the following:

  1. I have to create both User and MyUsernamePasswordAuthUser. The User is to send the verification email, and the MyUsernamePasswordAuthUser is to create the user and linked account. Somehow I feel this can be done in a better way, but I am not sure how.
  2. It would be ideal to reuse as much as possible of the existing signup process. That is, call Application.doSignup. But this method relies a lot on Context (which in my case refers to User A's data); it seems very difficult to decouple it.

I would appreciate any thoughts/ideas.