Find user by username/email

Open williamokano opened this issue 1 year ago • 9 comments

Context

I'm trying to build a terraform provider with some basic functionalities such as creating projects and inviting users to the project.

I would like to make this a tad easier, as usually the user knows his username (email) but they don't actively know their ID. Although it is not that hard to find, having it through email would be easier.

Problem

Currently Litmus doesn't expose user data by username in the user router.

There is an endpoint called /get_user_with_project/:username in which you're allowed to search some data and the user id is returned; unfortunately this endpoint only allows the logged-in user to call it, not admins, as can be seen here.

Suggestion

I have two alternatives: creating a new endpoint for searching users by username, or changing the logic on the get_user_with_project endpoint to allow admin users to also request this data.

Option 1 - Create a new endpoint that admin can call

Pros:

  • Doesn't require extra hit on the database as I'm not interested in the project, only the uid

Cons:

  • It will create an endpoint that has no actual use for Litmus Chaos Center, but rather will be used for automations, such as terraform

Option 2 - Allow admin to inquire get_user_with_project

Pros:

  • No new endpoint will be created

Cons:

  • Admin will have access to this data. I don't know why it's not currently allowed so I'm listing it as a con, although I don't truly believe it's an issue, but I have no context on why it's implemented this way

The change could be something like this in this validation:

		// Validating logged in user
-		if c.MustGet("username").(string) != username {
+		role := c.MustGet("role").(string)
+		if c.MustGet("username").(string) != username && role != string(entities.RoleAdmin) {
			log.Error("auth error: unauthorized")
			c.JSON(utils.ErrorStatusCodes[utils.ErrUnauthorized],
				presenter.CreateErrorResponse(utils.ErrUnauthorized))
			return
		}
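
Review bot: the added `role := c.MustGet("role").(string)` line makes the authorization decision depend on an unchecked lookup and an unchecked type assertion. If `c` is a gin context, `MustGet` panics when the key is absent and the `.(string)` assertion panics when the value has another type, so any route where the middleware has not set "role" fails with a panic instead of a clean denial. Reading it with `c.Get("role")` and a comma-ok assertion, and treating a missing or non-string role as non-admin, keeps the check fail-closed. The comment `// Validating logged in user` also no longer matches the condition, which now passes for any caller whose role equals `entities.RoleAdmin`; update it to say "self or admin". Since the only log line here is on the denial path, consider logging the caller and the requested username when an admin reads another user's record so those lookups are auditable.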

williamokano avatar Dec 22 '23 20:12 williamokano

Thanks @williamokano for the suggestions! We shall get back on this soon!

ksatchit avatar Dec 23 '23 03:12 ksatchit

Hi @williamokano thanks for the proposal. Your request can be fulfilled in multiple ways:

  1. The API get_user_with_project can be modified to give admin the permission to access the API, which IMO doesn't seem to be wrong since this API does not expose any user sensitive information.
  2. A new API to list users by username or email.
    • Email currently is an optional field, and not all the accounts have email.
    • Search based on username can be added
  3. With existing APIs, it is still possible to retrieve the user info. /users API can be used to list all the users which will include the username and userID of all the users created by the admin.

SarthakJain26 avatar Dec 23 '23 12:12 SarthakJain26

Hi @williamokano , are you working on making the suggested changes?

SarthakJain26 avatar Jan 19 '24 06:01 SarthakJain26

Hi @SarthakJain26 , I didn't work on this yet, I can try and implement one of the proposed solutions this weekend.

williamokano avatar Jan 19 '24 10:01 williamokano

Sure 🙌 , sounds good.

SarthakJain26 avatar Jan 19 '24 11:01 SarthakJain26

@SarthakJain26 if it's not done, can I go forward with the first or second proposed solution?

shivam-Purohit avatar Jan 25 '24 04:01 shivam-Purohit

Hey @shivam-Purohit , I'll push the PR today if it's ok, had some issues over the weekend and couldn't work on it. I really would like to have a contribution in this.

I'm going for the 1st solution which seems just a tad easier and less disruptive.

williamokano avatar Jan 25 '24 05:01 williamokano

@SarthakJain26 @shivam-Purohit submitted the PR. Please review when you have some time. Thanks in advance.

williamokano avatar Jan 25 '24 06:01 williamokano

@williamokano go ahead with the PR. I am also a contributor like you :) so @SarthakJain26 will review it soon.

shivam-Purohit avatar Jan 25 '24 06:01 shivam-Purohit

@williamokano if you think the issue is solved, it would be better to close it. Thanks!

aryan-bhokare avatar Feb 27 '24 06:02 aryan-bhokare