www: Remove all email lookups #860
Comments
@degeri brought up a good point about switching the login to username. Since usernames are public, it's possible for someone to lock another user's account via failed login attempts. This could be problematic if a specific user was targeted and kept getting their account locked. For this reason, we'll be switching the login back to email until 2fa (#544) has been added. 2fa will be required for users that do not have an email address. This will solve the account locking issue detailed above since the login request will only be sent once 2fa has been successfully authenticated.
We have decided to fix this a different way. We're going to add a lookup table to the userdb that maps the hashed user email address to the user ID. This will allow the user to log in with either email or username+totp.
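A sketch of the hashed-email lookup table described in the comment above, added here as an illustration and not taken from politeiawww or written by the thread's participants. `EmailIndex`, its methods and the sample data are hypothetical; using a keyed HMAC-SHA256 rather than a bare hash, and normalizing the address by trimming and lowercasing, are assumptions made so that a leaked table cannot be matched against a list of known addresses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// EmailIndex (hypothetical) maps a keyed hash of an email to a user ID.
type EmailIndex struct {
	key   []byte            // server-side secret (assumption: HMAC, not a bare hash)
	byTag map[string]string // hex(HMAC-SHA256(normalized email)) -> user ID
}

var ErrEmailTaken = errors.New("email already registered")

func NewEmailIndex(key []byte) *EmailIndex {
	return &EmailIndex{key: key, byTag: make(map[string]string)}
}

// tag normalizes the address, then hashes it; the table never stores the email.
func (x *EmailIndex) tag(email string) string {
	m := hmac.New(sha256.New, x.key)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(m.Sum(nil))
}

// Put records email -> userID and rejects an address that is already mapped.
func (x *EmailIndex) Put(email, userID string) error {
	t := x.tag(email)
	if _, ok := x.byTag[t]; ok {
		return ErrEmailTaken
	}
	x.byTag[t] = userID
	return nil
}

// Lookup resolves an email login attempt to a user ID, if one exists.
func (x *EmailIndex) Lookup(email string) (string, bool) {
	id, ok := x.byTag[x.tag(email)]
	return id, ok
}

func main() {
	idx := NewEmailIndex([]byte("constructed-demo-key"))
	_ = idx.Put("alice@example.org", "user-0001") // constructed sample data
	fmt.Println(idx.Lookup(" Alice@Example.ORG"))
}
```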
Closing this issue due to inactivity or because it was included in v1.0.0. If you feel this issue is still relevant, please re-open it to bring it to our attention.
* Fix Manage Identity indentation * Update GeneralTab.js * Update GeneralTab.js
We need to go through politeiawww and switch all user lookups by email to be either lookups by username or lookups by userID. This will require that login credentials be switched to username/password instead of email/password. Once all of the user by email lookups have been removed, we can also get rid of the politeiawww `userEmails` memory cache.

This is part of an effort to make email optional (#554) and to remove all politeiawww memory caches so that multiple politeiawww instances can be run concurrently (#665).