george-hawkins-work
commented
7 years ago OK - as remarked in my comment on #1354 I can confirm that the change in this pull request to DefaultDataStore resolves the issue of losing custom data on doing a password reset.
I would point out that the original cause of the problem was the change in how custom data is handled now vs pre-Okta.
Previously custom data got stored in an instance of a concrete implementation of the CustomData interface. As part of the switchover it ended up being stored in a plain old LinkedHashMap.
As a result the special case handling based around checking for CustomData no longer works (see my earlier comment on #1354).
So the change by @bdemers means that missing fields, i.e. custom data, won't get deleted now the user profile is POSTed rather than PUT. However the fields wouldn't be missing in the first place if the special case handling around CustomData still kicked in.
Anyway - I think custom data should either be stored as a CustomData instance or if you've decided that LinkedHashMap is the right way to go then CustomData and the related checks etc. should be gotten rid. At the moment they just confuse things if they're just hanging around as remnants of an earlier age.
Whatever is decided can you push out a fix for this soon on Maven Central? Losing all custom data related to a user on password resets seems quite a big issue (I wonder how it wasn't picked up earlier by us or another customer that migrated from Stormpath). Sorry it took me 5 days to give feedback - we have password resetting disabled currently for our users and I've been racing around on other issues.
It's always good having the developers on a project, that you depend on, be on your side. So at the risk of @bdemers marking me as a jerk ("he's the guy who suggested there should be more unit tests!") I'd just like to comment a bit (more).
I do note that this pull request comes without a unit test.
Back in the pre-Okta days I'd often look at the changes commited by @dogeared and others in response to issues I'd logged and they generally came with a reassuring amount of tests etc.
And they often came with comments from people like @lhazlewood that implied that everything really was getting a proper code review. Often I might think some of the comments from @lhazlewood were a bit nitpicky but nitpicky is good when it comes to a security related framework.
I understand that you've probably been under extreme time pressure to handle the switch over to Okta, so keeping this discipline while meeting the August shutdown deadline may have been impossible.
But I hope things will calm down for you guys and that for future development you'll be able to devote the same level of time to code review, unit tests and such like as seen earlier.
bdemers
richard-hulm
re: #1354 @george-hawkins-aa give try this out