Using username instead of user_id in signer #48
Comments
Why do you want to use username instead of user_id in the signer? Currently Django REST Registration does not allow to customize the signing process in that way.
Because I don't want to disclose the user's id. Using the username in the verification mail is a better security choice than the user id. Also the username should not be used in the reset password link; instead use the email address to send the reset password link.
OK, but could you provide your use case? I'm still not getting how revealing the user id could cause a problem.
Could you explain what you mean by that? I understand that in some cases the username may be more exposed to the user (in the UI), but I don't see how identifying the user by username and identifying the user by user id is different in regards to security concerns. Actually, there may be cases where you allow the user to change the username - in this case I imagine identifying by username can pose potential security threat.
There is a similar problem like the one I described above: you can change the e-mail for a given user, but you can't change the user ID. So theoretically using an e-mail in the reset password link could cause a possibility to reset a password for a different user (but it will probably not happen with
The main reason to not use user_id is that it shows the primary key of the user database. And I don't like to show my users how many users I have.
I can't understand this. But what I can tell you is that in daily life people are used to remembering email addresses, but remembering a username is a bit hard.
How can I assume? Whenever a user signs up for the first time they will have the user id in their email. So basically the user knows what their user id is.
OK, that's a fair point. One way to solve this would be to use a UUID as your primary key, but I know some people may prefer to use integer IDs as internal primary keys and UUIDs (or whatever random key) as an external ID (with a unique constraint in the DB). I would still not use e-mail as the user id (and this applies to username as well if it can be changed), reasons below. I guess you convinced me. The problem I see is that the best solution I have in mind (which will not make DRR code messy and hard to read) includes changing I guess the initial solution could be leaving the name
Example (in case of username used for user identification):
This is a somewhat improbable scenario, but as you can see it's not impossible. In case of using e-mail as user identification this scenario So again, I would argue that if you don't want to expose your user primary keys you should NOT use any field which may change for a given user (e-mail, username if changeable). You should rather have another field which would be some random sequence (UUID or string of chars) which would never change.
Well, you are absolutely right. I have a simple solution for this in my mind. Why don't we ask for the password when confirming the email? DRR simply integrates the username in the verification hash, and when someone confirms their email it will decode the verification hash for the username, then verify with the decoded username and password.
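The maintainer's reasoning above, as an added illustration that is not part of this thread or of django-rest-registration's code: a minimal HMAC signer over a chosen user field, with constructed users and a constructed secret, showing that a link signed over a mutable e-mail resolves to a different account once the address is reassigned, while a stable random id (the kind of field suggested above; `verification_id` is an assumed name) keeps resolving to the original user.

```python
import hashlib
import hmac
import uuid

# Constructed secret and in-memory "user table" for the demonstration only.
SECRET_KEY = b"constructed-demo-secret"


class User:
    def __init__(self, pk, username, email):
        self.pk = pk
        self.username = username
        self.email = email
        # Stable random external id (assumed field name); in a real schema this
        # column would carry a unique constraint and never be updated.
        self.verification_id = uuid.uuid4().hex


users = {}  # pk -> User


def make_signature(field, value):
    """Sign the (field, value) pair a verification link would carry."""
    msg = f"{field}={value}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def verify_and_lookup(field, value, signature):
    """Check the signature, then resolve the identifier to a *current* user."""
    if not hmac.compare_digest(make_signature(field, value), signature):
        return None  # tampered or foreign link
    return next((u for u in users.values() if getattr(u, field) == value), None)


def demo(field):
    """Issue a link for alice keyed on `field`, let her e-mail be reassigned to
    bob, and report which account the old link now resolves to."""
    users.clear()
    alice = User(1, "alice", "alice@example.com")
    bob = User(2, "bob", "bob@example.com")
    users[1], users[2] = alice, bob
    value = getattr(alice, field)
    sig = make_signature(field, value)  # as embedded in a reset link sent to alice
    # Alice changes her address; bob later takes the freed one.
    alice.email = "alice.new@example.com"
    bob.email = "alice@example.com"
    resolved = verify_and_lookup(field, value, sig)
    return resolved.username if resolved else None
```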
* Added 'USER_VERIFICATION_ID_FIELD' setting key * Added tests
Added
Changes:
* Resolved issue #48: Allowing to use custom user field for verification
* Resolved issue #46: added SEND_RESET_PASSWORD_LINK_SERIALIZER_USE_EMAIL setting
* Resolved issue #50: customizable send reset password link serializer
* Fixed reset password in case user is unverified and one-time use is enabled
I am trying to use username instead of user_id. But I am getting this error:

    File "/home/krishna/Projects/django/cms/account/views.py", line 79, in _calculate_salt
        if registration_settings.REGISTER_VERIFICATION_ONE_TIME_USE:
    File "/home/krishna/anaconda3/envs/django/lib/python3.7/site-packages/rest_registration/utils/nested_settings.py", line 38, in __getattr__
        self=self, attr=attr))
    AttributeError: Invalid REST_REGISTRATION setting: 'REGISTER_VERIFICATION_ONE_TIME_USE'

However, this is not related to username or user id data, but yet I am getting this error. I tried to track down this error in nested_settings.py and settings_field.py but there is no problem.
Also I am using the whole view.py from rest-registration/api/views/register.py