[ZAuth/OAuth/Users] Registration process improvements
I'm currently working on #4070 and at the same time I'm learning about the registration process and how to implement facebook/google registration nicely and improve the whole flow.
It seems our registration flow is carried over from quite old times, while nowadays it's quite different and much easier (js popups) etc... I like medium.com or 9gag.com registrations, but I guess these are too advanced atm.
I will list here the issues which I have with the process and then will try to address them.
- When an authentication method is selected it is saved in the session and there is no easy way to change it (you have to clear cookies). Idk why this is needed; it should be in the url.
- I think both native uname and native email methods are obsolete and native either could replace them.
- We may want to "prefer" or preload the native method form... what I mean by that is that all other methods are re-entrant, so we only need to show links like "sign up with google/facebook" with the native method form.
- I'm not sure if throwing an error here is the right way to handle the situation when the user already exists. I mean he went thru the whole authentication process, he already is our user and at the end he is getting shot in the face because he used register with facebook instead of login with facebook... ;) https://github.com/zikula/core/blob/master/src/system/UsersModule/Controller/RegistrationController.php#L116
- Hmm, I wonder if anyone has that facebook register working, as I do have lots of errors...
- I'm not sure if 3rd party authentication/authorisation should use the same form or at least the same events/hooks (all antispam protections are present on that form as well as policies and I guess profile fields as well (I have them turned off)).
- 3rd party login -> uname "generation" and email check is weak, fields are hidden and in case something is wrong (uname/email are not unique) an error occurs while there is no relevant field displayed.
- Facebook registration for some reason does not provide the email address. (Email is present and enabled in permissions.) Too old FB api version? It seems the facebook oauth provider is no longer maintained or at least not updated frequently (provider graph version is 2.10, current graph version is 8); support for 2.10 ended last year.
- Not active authentication methods are still accessible via url: `/en/register?authenticationMethod=method_name`
- When hooks are reporting errors here https://github.com/zikula/core/blob/3.0/src/system/UsersModule/Controller/RegistrationController.php#L157 the user is redirected to the homepage here https://github.com/zikula/core/blob/3.0/src/system/UsersModule/Controller/RegistrationController.php#L227
[VIP] I will work on it now. I have core 3 installed as well so anything I'm working on will be proposed to v3 too.
#3720 #4351 #4197
So I have played with registration for the last few days.
Ad 8. It seems facebook works. The reason why it did not work for me was that my email on fb was some sort of "not primary", but I was able to log in with it; hard to say what was wrong actually, but it was not "our side". Anyway, I'm able to get all information from fb now. I'm not sure how common it is to have the same issue as I had, and "our side" should somehow be prepared (detect that there is no email etc...) and maybe allow the user to fill in the email or something. FB register/login is still prone to errors, for example what will happen if the "native" authentication method is uname or email or either and our uname or email are already in the system and are expected to be unique... in all those edge cases I don't think it will work (the user will probably end up in some sort of a loop, like a form with hidden fields and no option to fill them). That is ad 7.
Ad 1. I was able to use /en/register?authenticationMethod=facebook with fb.
Actually, ad 1,2,3,5: I have removed the choose authenticationMethod step, all methods can be displayed on one page. Re-entrants are just urls and native, well, logically there should be only one of them "in use": uname or email or either. I'm not sure how it will work when native ones are disabled and only re-entrant ones are displayed... will check that...
Ad 4,7. I'm working on it... it is a bit complicated, not only what should be unique and what can be not, and the consequences (like multiple accounts for the same user, maybe the ability to switch account?...). Ajax information about uname availability for users. Unique uname generator for re-entrant methods like facebook when the uname from 3rd party oauth is already in the system, so... complicated.
Ad 6. I have created separate events and hooks for registration; there are two registration areas, native and re-entrant. I will check how it works for a week or something and will propose changes on core3.
I think that the register url could be nicer, for example instead of /register?authenticationMethod=facebook it could be /register/facebook, /register/uname.
Ad 10. Atm I'm using a goto statement here https://github.com/zikula/core/blob/3.0/src/system/UsersModule/Controller/RegistrationController.php#L221 with a label here https://github.com/zikula/core/blob/3.0/src/system/UsersModule/Controller/RegistrationController.php#L229. This way the form is shown with fields populated (apart from passwords) and the error message is present. Don't know if there is a better way to do this.
I'm a bit confused why there are so many validation levels, for example this one https://github.com/zikula/core/blob/3.0/src/system/UsersModule/Controller/RegistrationController.php#L164. The only thing that comes to my mind is that the entity is validated separately/independently from the register form. This place as well redirects to a new form in case of an error.
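Three of the points raised above (a disabled method still reachable through the `authenticationMethod` url parameter, a re-entrant provider handing back a uname that already exists, and a provider profile with no email so the hidden-field form can never be completed) reduce to small server-side checks. The PHP below is an added example written for this thread; it is not Zikula's code and does not use Zikula's services. All function and class names (`resolveAuthenticationMethod`, `uniqueUname`, `fieldsNeedingUserInput`, `AuthenticationMethodNotAvailable`) and the sample data are assumptions made for the illustration.

```php
<?php
// Added example (hypothetical helpers, not Zikula's API). Demonstrates:
//  1. treating the configured set of enabled methods, not the URL, as the
//     source of truth for which authentication method may be used;
//  2. deriving a username that is guaranteed free for re-entrant (OAuth)
//     registrations instead of failing on a hidden field;
//  3. working out which required fields the provider did not supply, so the
//     form can expose them as editable instead of looping.
declare(strict_types=1);

final class AuthenticationMethodNotAvailable extends RuntimeException {}

/**
 * Return the method to use. A missing parameter falls back to the default;
 * a parameter naming a method that is not enabled is rejected outright.
 */
function resolveAuthenticationMethod(array $enabledMethods, ?string $requested, string $default): string
{
    if ($requested === null || $requested === '') {
        return $default;
    }
    if (!in_array($requested, $enabledMethods, true)) {
        throw new AuthenticationMethodNotAvailable(
            sprintf('Authentication method "%s" is not enabled.', $requested)
        );
    }
    return $requested;
}

/**
 * Normalise the name proposed by the provider and append a numeric suffix
 * until $isTaken (e.g. a repository lookup) reports it free.
 */
function uniqueUname(string $proposed, callable $isTaken, int $maxAttempts = 50): string
{
    $base = strtolower((string) preg_replace('/[^a-z0-9_.-]/i', '', $proposed));
    if ($base === '') {
        $base = 'user';
    }
    $candidate = $base;
    for ($i = 1; $i <= $maxAttempts; $i++) {
        if (!$isTaken($candidate)) {
            return $candidate;
        }
        $candidate = $base . $i;
    }
    throw new RuntimeException('Could not find a free username for ' . $proposed);
}

/**
 * List the required registration fields the provider profile did not fill
 * (empty string or missing key), so the form can show them as editable.
 */
function fieldsNeedingUserInput(array $providerProfile, array $requiredFields): array
{
    $missing = [];
    foreach ($requiredFields as $field) {
        if (!isset($providerProfile[$field]) || trim((string) $providerProfile[$field]) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Constructed sample data for a stand-alone run.
$enabled  = ['native_either', 'facebook'];
$existing = ['john', 'john1'];
$isTaken  = static fn(string $u): bool => in_array($u, $existing, true);

// A provider profile as an OAuth callback might deliver it, with no email.
$profile = ['uname' => 'John!', 'email' => ''];

echo resolveAuthenticationMethod($enabled, 'facebook', 'native_either'), PHP_EOL;
echo uniqueUname($profile['uname'], $isTaken), PHP_EOL;
echo implode(',', fieldsNeedingUserInput($profile, ['uname', 'email'])), PHP_EOL;

try {
    // 'google' is not in $enabled, so the url parameter alone cannot select it.
    resolveAuthenticationMethod($enabled, 'google', 'native_either');
} catch (AuthenticationMethodNotAvailable $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The controller would call `resolveAuthenticationMethod` before rendering anything, so a url pointing at a disabled method gets a normal error response rather than a working form, and `fieldsNeedingUserInput` decides which hidden fields to turn into visible ones before the form is built, which removes the loop described under ad 7.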
closing since this has entirely changed in zk4