Username checking in native auth requests #2385
Conversation
Yuki-YuXin
changed the title
| @@ -53,6 +53,7 @@ data class ResetPasswordStartRequest private constructor( | |||
| headers: Map<String, String?> | |||
| ): ResetPasswordStartRequest { | |||
| // Check for empty Strings and empty Maps | |||
| ArgUtils.validateNonNullArg(username, "username") | |||
There was a problem hiding this comment.
why was this removed in the first place?
There was a problem hiding this comment.
Not sure about the reason but I would prefer to keep the checking here.
| @Test | ||
| fun testSignUpStartWithEmptyUsernameShouldNotThrowException() { | ||
| @Test(expected = ClientException::class) | ||
| fun testSignUpStartWithEmptyUsernameShouldThrowException() { |
There was a problem hiding this comment.
Wasn't this changed (i.e. the exception removed) as part of last year's work to align some of our errors and return an InvalidUsernameError in the case of an empty string? Giannis worked on that I believe.
There was a problem hiding this comment.
Yes. I think so. But either CommandResultUtil.kt
if (this.status != ICommandResult.ResultStatus.COMPLETED) {
var exception: Exception? = null
var exceptionMessage: String? = ""
if (this.result is Exception) {
exception = this.result as Exception
exceptionMessage = exception.message
}
return com.microsoft.identity.common.java.nativeauth.controllers.results.INativeAuthCommandResult.UnknownError(
error = UNSUCCESSFUL_COMMAND_ERROR,
errorDescription = exceptionMessage,
exception = exception,
correlationId = this.correlationId
) as ExpectedTypeor NativeAuthPublicClientApplication.kt
return withContext(Dispatchers.IO) {
try {
verifyNoUserIsSignedIn()
if (username.isBlank()) {
return@withContext SignUpError(
errorType = ErrorTypes.INVALID_USERNAME,
errorMessage = "Empty or blank username",
correlationId = "UNSET"
)
}can handle empty username.
I think the latter one act the main role of returning InvalidUsernameError before sending out the request/validating request parameters. Thus, I would prefer to keep the ThrowException here.
There was a problem hiding this comment.
Some thoughts:
- if we're already doing a username is empty check in the interface, we don't need to do it again in the API layer.
- we shouldn't just be throwing exceptions. An exception is a pretty heavy mechanism to give feedback to a developer. We should aim for something more graceful than that.
- the fact that this "throwing an exception" was removed from this API layer a few months ago, means we had a reason why. If that reason has changed, let's talk about it. We can just revert the work we did a few months ago without good reason.
There was a problem hiding this comment.
Will abandon this PR.
Put back ArgUtils.validateNonNullArg(username, "username") in all initial native auth requests.
Company PRs:
msal: AzureAD/microsoft-authentication-library-for-android#2080
native sample app: Azure-Samples/ms-identity-ciam-native-auth-android-sample#24