[PATCH v2] auth: let users log in using their email address
# HG changeset patch # User Andrew Shadura # Date 1431709586 -7200 # Fri May 15 19:06:26 2015 +0200 # Node ID 93de511e84fe940786acf468789a77daed83a461 # Parent 95bffe63997d40bfab5ae6b8d1a54859d6275471 auth: let users log in using their email address diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py --- a/kallithea/controllers/login.py +++ b/kallithea/controllers/login.py @@ -121,9 +121,15 @@ class LoginController(BaseController): session.invalidate() c.form_result = login_form.to_python(dict(request.POST)) # form checks for username/password, now we're authenticated + +username = c.form_result['username'] +if '@' in username: +username = User.get_by_email(username).username +remember = c.form_result['remember'] + headers = self._store_user_in_session( -username=c.form_result['username'], -remember=c.form_result['remember']) +username=username, +remember=remember) raise HTTPFound(location=c.came_from, headers=headers) except formencode.Invalid, errors: defaults = errors.value diff --git a/kallithea/model/validators.py b/kallithea/model/validators.py --- a/kallithea/model/validators.py +++ b/kallithea/model/validators.py @@ -316,6 +316,11 @@ def ValidAuth(): password = value['password'] username = value['username'] +if '@' in username: +user = User.get_by_email(username) +if user: +username = user.username + if not auth_modules.authenticate(username, password): user = User.get_by_username(username) if user and not user.active: ___ kallithea-general mailing list kallithea-general@sfconservancy.org http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
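Review bot: in the login.py hunk, `username = User.get_by_email(username).username` dereferences the lookup result without checking it, while the validators.py hunk guards the same lookup with `if user:`. The validator keeps the submitted name when no account has that email, so if a login name that contains '@' but is nobody's registered email exists and authenticates, this line raises AttributeError on None after the password has already been accepted. Keep the submitted name when the lookup returns nothing, or have the validator pass the resolved username on so the lookup is done once and the two copies cannot drift; at minimum add a comment stating that this line relies on ValidAuth having run first.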
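Review bot: in the validators.py hunk, the email lookup under `if '@' in username:` silently takes precedence over an exact username match, and nothing in the hunk documents that. As written, if one account's username equals another account's email address, the password is checked against the email owner's account and the first account can no longer log in by username. State the intended precedence in a comment here, and make sure account creation and email changes reject a username that matches an existing email (and the reverse) so the two namespaces cannot collide.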
Re: [PATCH v2] auth: let users log in using their email address
On 05/16/2015 03:49 PM, Andrew Shadura wrote:

# HG changeset patch # User Andrew Shadura # Date 1431709586 -7200 # Fri May 15 19:06:26 2015 +0200 # Node ID 93de511e84fe940786acf468789a77daed83a461 # Parent 95bffe63997d40bfab5ae6b8d1a54859d6275471 auth: let users log in using their email address diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py --- a/kallithea/controllers/login.py +++ b/kallithea/controllers/login.py @@ -121,9 +121,15 @@ class LoginController(BaseController): session.invalidate() c.form_result = login_form.to_python(dict(request.POST)) # form checks for username/password, now we're authenticated + +username = c.form_result['username'] +if '@' in username: +username = User.get_by_email(username).username

This will still fail if the username is not a valid email address?

/Mads
Re: [PATCH v2] auth: let users log in using their email address
Hello,

On Sun, 17 May 2015 01:50:56 +0200 Mads Kiilerich wrote:

> > diff --git a/kallithea/controllers/login.py > > b/kallithea/controllers/login.py --- > > a/kallithea/controllers/login.py +++ > > b/kallithea/controllers/login.py @@ -121,9 +121,15 @@ class > > LoginController(BaseController): session.invalidate() > > c.form_result = > > login_form.to_python(dict(request.POST)) # form checks for > > username/password, now we're authenticated + > > +username = c.form_result['username'] > > +if '@' in username: > > +username = User.get_by_email(username).username
>
> This will still fail if the username is not a valid email address?

No, as this code will never be executed (input rejected by a validator first). Correct me if I'm wrong, but if I read the code correctly, the check here will have no effect (which is why I haven't added it).

--
Cheers, Andrew
Re: [PATCH v2] auth: let users log in using their email address
On 05/17/2015 02:11 AM, Andrew Shadura wrote:

Hello,

On Sun, 17 May 2015 01:50:56 +0200 Mads Kiilerich wrote:

diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py --- a/kallithea/controllers/login.py +++ b/kallithea/controllers/login.py @@ -121,9 +121,15 @@ class LoginController(BaseController): session.invalidate() c.form_result = login_form.to_python(dict(request.POST)) # form checks for username/password, now we're authenticated + +username = c.form_result['username'] +if '@' in username: +username = User.get_by_email(username).username

This will still fail if the username is not a valid email address?

No, as this code will never be executed (input rejected by a validator first). Correct me if I'm wrong, but if I read the code correctly, the check here will have no effect (which is why I haven't added it).

Ok. The explanation explains it. The code does however seem fragile and non-obvious when reading it. An extra check or a clear comment would help.

Next, my first thought is whether the form validation check somehow should rewrite the login ... but that also seems wrong.

My next (and correct?) thought is that it is wrong to use form validation for login check. As your patches show, it is ok that the login process is _not_ user friendly. How about dropping the login form validation of usernames/password first (perhaps except for "non-empty")? What's your thought?

/Mads
Re: [PATCH v2] auth: let users log in using their email address
Hello,

On Sun, 17 May 2015 03:12:20 +0200 Mads Kiilerich wrote:

> > Correct me if I'm wrong, but if I read the code correctly, the check
> > here will have no effect (which is why I haven't added it).
>
> Ok. The explanation explains it. The code does however seem fragile and
> non-obvious when reading it. An extra check or a clear comment would
> help.

So adding a comment — and you're fine with the change? :)

> Next, my first thought is whether the form validation check somehow
> should rewrite the login ... but that also seems wrong.
>
> My next (and correct?) thought is that it is wrong to use form
> validation for login check. As your patches show, it is ok that the
> login process is _not_ user friendly. How about dropping the login
> form validation of usernames/password first (perhaps except for
> "non-empty")? What's your thought?

Yes, that didn't seem very right to me. I think the first thing to remove is the tooShort check; the authentication part is probably something to be improved separately.

--
Cheers, Andrew
Re: [PATCH v2] auth: let users log in using their email address
On 05/17/2015 01:04 PM, Andrew Shadura wrote:

Hello,

On Sun, 17 May 2015 03:12:20 +0200 Mads Kiilerich wrote:

Correct me if I'm wrong, but if I read the code correctly, the check here will have no effect (which is why I haven't added it).

Ok. The explanation explains it. The code does however seem fragile and non-obvious when reading it. An extra check or a clear comment would help.

So adding a comment — and you're fine with the change? :)

Not really. I think we pin-pointed that it takes some existing technical debt and makes it worse ... and the feature still only works for some kinds of logins and is thus not very usable.

/Mads
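The fragility discussed in this thread, as an added example (not Kallithea code and not written by either poster): a toy in-memory user store with the patch's unchecked controller lookup beside a single resolver that the validator and the controller could share. It assumes a login name may contain '@' without being anyone's registered email; `USERS`, `resolve_login`, `authenticate` and the sample accounts are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

def _kdf(password: str) -> bytes:
    # Fixed salt and low cost only to keep this toy store deterministic.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed", 1000)

_DUMMY = _kdf("")  # compared against when the login resolves to no account

@dataclass
class User:
    username: str
    email: str
    pw_hash: bytes
    active: bool = True

# Constructed accounts. "build@ci" is a login name containing '@' that is
# nobody's email address (assumption: the username rules allow this).
USERS = [
    User("alice", "alice@example.com", _kdf("pw-a")),
    User("build@ci", "ci@example.com", _kdf("pw-b")),
]

def get_by_email(email: str) -> Optional[User]:
    return next((u for u in USERS if u.email == email), None)

def get_by_username(name: str) -> Optional[User]:
    return next((u for u in USERS if u.username == name), None)

def patched_controller_lookup(login: str) -> str:
    # Same shape as the controller lines in the patch: no None check.
    if "@" in login:
        login = get_by_email(login).username
    return login

def resolve_login(login: str) -> Optional[User]:
    # Email match wins (the patch's precedence), else exact username.
    user = get_by_email(login) if "@" in login else None
    return user or get_by_username(login)

def authenticate(login: str, password: str) -> Optional[str]:
    # Resolve once and return the canonical username for the session, so no
    # second lookup is needed later. The KDF always runs, known login or not.
    user = resolve_login(login)
    ok = hmac.compare_digest(user.pw_hash if user else _DUMMY, _kdf(password))
    return user.username if (user and user.active and ok) else None
```
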