Hi devs, With all the auth changes going around, ...
# dev
a
Hi devs, With all the auth changes going around, I kind of lost track of the difference between Username and Email on the User model, with respect to "userID" parameters.
• What do I pass to auth.Service.Authorize: user.Username?
• What do I pass to auth.Service.CreateCredentials: user.Username (of the user for whom I'm creating credentials)?
THANKS!
y
Hey! I'll admit that it is confusing. Today we have two types of users - email-based and credential-based. The concept of username is different for each of them. For an email-based user, the username will be the email. For a credentials-based user it will be the "username" you supplied when creating the user. So in both cases you mentioned, you should supply either the email or the username the user was created with, depending on the user type.
a
So every time I want to know a user ID, I need to examine the type of the user?? Can you please link to where this happens in controller.go, so that I can see a known-good implementation?
Oh, I think I already asked this in April. Could the team prioritize handling this please? It seems like a security bug waiting to happen...
y
If you are the end user of the API, yes - you need to examine the type of user. In the code, both are always passed to the username field, AFAIR. Looking for an example
So if you consider this code in controller.go:
```go
resp, err := c.Auth.Authorize(ctx, &auth.AuthorizationRequest{
	Username:            user.Username,
	RequiredPermissions: perms,
})
```
user.Username is already assumed to be the email for email-based users, and the username for credential-based.
a
Thanks! I can see Username is used for authorization. Is it also safe to use it as an identifier for fetching the user? E.g. this call in CreateCredentials uses whatever it gets from the user; if I wanted to create "credentials for the calling user" then I could use user.Username to identify the user too, right?
y
Not sure I understand, where do you want to use it for fetching the user?
a
I want to write a call that generates credentials for the calling user, as part of a speedier "generate Spark config" flow. I (now) know that I can use user.Username to check whether the user is allowed to create credentials for themselves; I am asking is it also the right string to pass to auth.Service.CreateCredentials (the "user to create")? It should be, I am making sure. (Sorry)
y
Yes, it is the right string to pass there
We do need to go over this code because it's very confusing
a
Thanks!
We do need to go over this code because it's very confusing
I know 😕. It was always confusing, then I lost track while we added email. Fix #3244 FTW.