
Separate username/email from userDoc _id

Open peteruithoven opened this issue 8 years ago • 5 comments

As far as I understand it, superlogin uses usernames as _ids in the userDB.

  • It looks like the username is validated using a regexp (`/^[a-z0-9_-]{3,16}$/`); this means we limit the user ids based on what CouchDB can handle as _ids?
  • Doesn't this make it harder / impossible to change usernames later on? (While there are methods to change the e-mail and password, there is no change-username method.)

When enabling emailUsername, the e-mail is used as _id, which solves the uncommon-characters issue but doesn't make changing it any easier.

It looks like Hoodie, for example, separated the username from the id: https://github.com/hoodiehq/hoodie-account-client#accountid

Wouldn't it be safer / more extensible to separate the _id from the username/email?

peteruithoven avatar Nov 23 '16 12:11 peteruithoven

In the case of socialAuth, the username isn't validated, meaning we assume social auth providers only have usernames that CouchDB can handle as _ids? See: https://github.com/colinskow/superlogin/blob/master/lib/user.js#L370

peteruithoven avatar Nov 23 '16 22:11 peteruithoven

To clarify, I'm proposing to use UUIDs as the userDoc _id. This would also be very helpful for Google Analytics usage, since it doesn't allow you to send them personally identifiable information (PII) such as usernames: https://davidsimpson.me/2013/10/17/identifying-your-users-in-google-analytics-while-complying-with-section-7-of-the-terms-of-service/

peteruithoven avatar Jan 02 '17 13:01 peteruithoven

I realise this issue was opened a while ago, but I was wondering if there were any other thoughts on this.

I agree with the reasons stated above: a user should be able to change their username, especially if you are using emailUsername. Coupling those fields to the _id field makes that difficult.

For part of the app I'm creating, I will need to compile lists of users, and a UUID seems like a better bet to me than using the username or email address as a reference key.

I've not dug into the code to see how complex this change might be or whether it will impact any other parts of the system.

darksnow avatar Aug 16 '17 21:08 darksnow

+1

markdturner avatar Oct 26 '17 19:10 markdturner

Interesting article on the subject: https://www.b-list.org/weblog/2018/feb/11/usernames/

peteruithoven avatar Feb 14 '18 18:02 peteruithoven