lipp / login-with

Stateless login-with microservice for OAuth
https://login-with.com
MIT License

Incorrect Google "username" value? #40

Closed jkriss closed 7 years ago

jkriss commented 7 years ago

It looks like the Google strategy sets both username and name to displayName. Shouldn't username be the primary email address, or at least something unique?

https://github.com/lipp/login-with/blob/master/src/strategies/google.js#L23-L24

lipp commented 7 years ago

Yeah, the Google strategy is a bit special:

Normally, e.g. on GitHub, username=lipp and name=Gerhard Preuss. Likewise with other strategies. However, the username for Google is probably the email (e.g. gelipp@gmail.com).

login-with considers email precious private information which should only be exposed via an http-only cookie. username and user in turn are intended for displaying information like:

"hello lipp! welcome back, btw your name is Gerhard Preuss"

without further API calls, so this information should not be http-only, to make it available to JS (SPA).

I hope you agree with that decision (you can also downvote this :)).

However, as other people have asked for the email to be included in the cookie, I'll create issue #41.

jkriss commented 7 years ago

At least for my purposes, it's fine to keep email out of the profile cookie, as long as it's in the jwt. I do think that username also carries a connotation of uniqueness, but maybe that's a different question.

lipp commented 7 years ago

Yeah, maybe putting the email in the jwt http-only cookie makes sense. So can I close this issue? I'll create an issue for including the email in the jwt.

jkriss commented 7 years ago

That sounds great to me. Thanks!