Database Signup requires username even when optional #228

Closed
dbinetti opened this issue Jul 4, 2020 · 11 comments · Fixed by #230

@dbinetti

dbinetti commented Jul 4, 2020

Description

When using Authentication>Database>Signup

If my database does not require a username, then allow username=None.

Reproduction


In [4]: from auth0.v3.authentication import Database

In [5]: from django.conf import settings

In [6]: database = Database(settings.AUTH0_DOMAIN)

In [11]: try:
    ...:     bar = database.signup(
    ...:         client_id=settings.AUTH0_CLIENT_ID,
    ...:         email='foo@startnormal.com',
    ...:         password='foobar',
    ...:         connection='Username-Password-Authentication',
    ...:     )
    ...: except Exception as e:
    ...:     bat = e
    ...:

In [17]: bat.error_code
Out[17]: 'error in username - invalid type: null (expected string)'

***SIDE NOTE: this error doesn't populate via str() or any other field in the error.  only the error code.***

In [20]: try:
    ...:     bar = database.signup(
    ...:         client_id=settings.AUTH0_CLIENT_ID,
    ...:         email='foo@startnormal.com',
    ...:         password='foobar',
    ...:         connection='Username-Password-Authentication',
    ...:         username='dfdafd',
    ...:     )
    ...: except Exception as e:
    ...:     bat = e
    ...:

In [22]: bar                                                                                       
Out[22]: 
{'_id': '5f00095f2eb3030019c82a57',
 'email_verified': False,
 'email': 'foo@startnormal.com'}

Environment

auth0-python 3.11.0
django 3.0.8
Mac, etc.

@ferozsalam

I am also seeing this issue, but the problem seems to be in the underlying REST API rather than the Python library itself - the library makes the request to Auth0 servers just fine but then gets a 400 response code back from the API server.

@dbinetti
Author

dbinetti commented Jul 4, 2020

Yes, that's correct -- it is a server-side API issue. The API does ignore the username param if it is not set on the API config itself, so it's more of a nuisance than anything else. But it will trip up people that don't investigate thoroughly, so the docs need to be adjusted at least.

@lbalmaceda
Contributor

The way the Python Requests API works is this. When you set one param to None, it's not going to be added to the request body. If you check the tests we have for this endpoint, we're ensuring the default value of None is passed to the networking library if you don't specify a value for username. The request is being created correctly.

https://github.com/auth0/auth0-python/blob/master/auth0/v3/test/authentication/test_database.py#L41-L57

As mentioned above, connections that have the "Require username" option turned ON will fail when this endpoint is invoked without passing a valid username value.

@dbinetti What would be a change in this SDK's docs to improve this?

@ferozsalam

This isn't the behaviour I'm seeing - I definitely have the 'Require username' option turned off (I just checked) and I'm still seeing the request failing if I don't provide a username.

@dbinetti
Author

dbinetti commented Jul 6, 2020

@lbalmaceda Thanks for responding. If you're not able to replicate then perhaps I'll look a bit closer, but I think if you try it yourself you'll see the behavior I described in my original post. Check out Line 11 and then the response on Line 17.

@ferozsalam

ferozsalam commented Jul 6, 2020

For some more context, this is my function:

        auth0_db = Database(APPLICATION_HOSTNAME)
        response = auth0_db.signup(
            client_id = os.environ.get('AUTH0_CLIENT_ID'),
            email = email,
            password = password,
            connection = 'Username-Password-Authentication',
        )   

This is the response that I get if I don't provide a username (as above):

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.8/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.8/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/app/index.py", line 29, in index
    response = auth0_db.signup(
  File "/usr/local/lib/python3.8/site-packages/auth0/v3/authentication/database.py", line 67, in signup
    return self.post(
  File "/usr/local/lib/python3.8/site-packages/auth0/v3/authentication/base.py", line 49, in post
    return self._process_response(response)
  File "/usr/local/lib/python3.8/site-packages/auth0/v3/authentication/base.py", line 58, in _process_response
    return self._parse(response).content()
  File "/usr/local/lib/python3.8/site-packages/auth0/v3/authentication/base.py", line 83, in content
    raise Auth0Error(status_code=self._status_code,
auth0.v3.exceptions.Auth0Error: 400:

To fix this, I only need to add username = email to the parameters I pass to the signup() function, and the function completes successfully.

I have attached an image to confirm that the 'Requires Username' option is turned off in my database settings:
[Image: username]

One curious thing that I don't fully understand is why the API seems to be returning a 400 status code for me, but returns a 200 if I add the username details alone...I would have expected a 400 status code to be related to authorisation issues.

@lbalmaceda
Contributor

I just verified the docs and the code and it seems the behavior I explained above only applies to query parameters, not params that conform the body.
The fix would be checking for the parameter presence before adding the optional values to the data/body dictionary. This would apply to most of the POST requests on the SDK, although there are some that should still accept null.

Do you want to send a PR to fix these changes?
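
The presence check described in the comment above, as an added example; it is not the SDK's code or the change merged in #230. It assumes the request body is JSON-serialized, which is consistent with the `null` in the reported error; the helper names and the `username_type_error` stand-in for the server check are hypothetical, and the sample values are constructed.

```python
import json


def prune_none(body, keep_null=()):
    """Drop keys whose value is None, except keys allowed to be sent as null."""
    return {k: v for k, v in body.items() if v is not None or k in keep_null}


def naive_signup_body(client_id, email, password, connection, username=None):
    # Optional key is always present, so an unset username serializes as null.
    return {
        "client_id": client_id,
        "email": email,
        "password": password,
        "connection": connection,
        "username": username,
    }


def fixed_signup_body(client_id, email, password, connection, username=None):
    # Presence check: the optional value is only sent when the caller set it.
    body = naive_signup_body(client_id, email, password, connection, username)
    return prune_none(body)


def username_type_error(raw_json):
    """Constructed stand-in for the server-side type check in the report."""
    doc = json.loads(raw_json)
    if "username" in doc and doc["username"] is None:
        return "error in username - invalid type: null (expected string)"
    return None


# Constructed sample values, not real credentials.
SAMPLE = dict(
    client_id="constructed-client-id",
    email="user@example.com",
    password="constructed-password",
    connection="Username-Password-Authentication",
)

if __name__ == "__main__":
    for build in (naive_signup_body, fixed_signup_body):
        raw = json.dumps(build(**SAMPLE))
        print(build.__name__, raw, username_type_error(raw))
```

The `keep_null` argument covers the endpoints mentioned in the comment that should still accept an explicit null.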

@dbinetti
Author

dbinetti commented Jul 7, 2020 via email

@lbalmaceda
Contributor

@dbinetti Thanks! I actually fixed this in the last hour and will be posting a PR soon.

@ferozsalam

@lbalmaceda thanks very much!

@dbinetti
Author

dbinetti commented Jul 8, 2020 via email
