Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change username #19

Open
Eldenroot opened this issue Aug 13, 2019 · 13 comments

Comments

@Eldenroot
Copy link
Member

commented Aug 13, 2019

Maybe would be nice to add this option to add an ability to change an username after registration via 3rd party services. It could be in UCP -> Connections or during registration, not sure what would be the best place.

@Eldenroot Eldenroot added the feature label Aug 13, 2019
@Eldenroot Eldenroot added this to the v1.1.0 milestone Aug 13, 2019
@yuliu

This comment has been minimized.

Copy link
Contributor

commented Aug 20, 2019

Better be during the registration.

A username is essential to a registered user in MyBB system. We can't have duplicated usernames or bad usernames.

I suggest place a form for the 3rd party logged in user to set up their desired username just after they have been verified but before a record is inserted the users table. Also, we have to remember this connection's status, which is the user is not actually in MyBB database, if they don't set up a username. Just keep that record in the isango.

This is my preferred way handling 3rd connections, requires a moderate login logic change for current version.

@Eldenroot

This comment has been minimized.

Copy link
Member Author

commented Aug 20, 2019

  • bad or duplicate usernames - there wont be any duplications... but "bad" username - it is cannot be handled automatically, because what is bad? Inappropriate language?

  • username should be changed (selected) during registration process, if not changed -> set the default one as it does now.

@yuliu

This comment has been minimized.

Copy link
Contributor

commented Aug 20, 2019

* bad or duplicate usernames - there wont be any duplications... but "bad" username - it is cannot be handled automatically, because what is bad? Inappropriate language?

Sorry, I don't make it clear. MyBB does its job to filter duplicate and "bad" usernames (bad word filter, etc.) by the UserDataHandler when inserting a user to MyBB. So Isango should just care about what to insert and when to insert.

* username should be changed (selected) during registration process, if not changed -> set the default one as it does now.

You make the point, "username should be selected during registration process". Whether or not a user can change its username is also a MyBB user permission. I think we are far away from Isango's origin when talking about changing username.

As a user is not in MyBB database, and it logged in through 3rd party OAuth/2 services using Isango, it must go through its registration process to become a user that will be inserted into MyBB's users table. Since a user may just try to omit or bypass the step of providing a correct username with a verified email (regarding #30), it can't be inserted to the users table.

I don't know if I make my words clear. I mean, not all OAuth/2 services provide correct email, and username is so essential to MyBB, so we better not have logged in but not registered user in MyBB's users table directly, before the user can provide its username, and validate its email.

I suggest let Isango handle sessions of users logged in through 3rd party OAuth/2 services:

  • If they have MyBB accounts, continue logging them in as MyBB users, each of whom has a properly selected username and a valid email.

  • If they don't have MyBB accounts, always show them a customized registration page, when they start sessions, and treat them as pseudo users with a predefined user group, each of whom has a display name (given by Isango. No username since not set yet) and probably a valid/invalid email.

Really hope Isango can go that strong. I'm looking forward to extend it with WeChat, which would probably return a cellphone number if the user is not registered with an email (as I've said here).

@effone

This comment has been minimized.

Copy link
Member

commented Aug 20, 2019

If you look at the plugin code the plugin predicts the possible usernames based on the available received data as of now; checks availability one by one and applies the available one while creating account.
https://github.com/mybbgroup/Isango/blob/master/upload/inc/plugins/isango.php#L348

It uses MyBB native method to purify the decided username as well, on the fly.
https://github.com/mybbgroup/Isango/blob/master/upload/inc/plugins/isango.php#L429

It also passes through UserDataHandler and prompts any error encountered evaluating through that class.
https://github.com/mybbgroup/Isango/blob/master/upload/inc/plugins/isango.php#L389

Rest of the suggestions are already covered and acts exactly same way as described.

@Eldenroot

This comment has been minimized.

Copy link
Member Author

commented Aug 20, 2019

@yuliu feel free to open a PR with a new provider, also another enhancements are welcome too

@effone

This comment has been minimized.

Copy link
Member

commented Aug 20, 2019

Authenticating with SMS will be hard as I am not aware of any FREE SMS delivery API as on date. All existing ones got taken down. Few left and those are full of ads / spam.

If phone number verification is possible to implement then I will look at Telegram for sure.

@Eldenroot

This comment has been minimized.

Copy link
Member Author

commented Aug 20, 2019

I am not against SMS verification, but it seems to be very complex...and thats not the main goal for Isango. It should be simple social login system.

Maybe in future but not in 1.1.0

@yuliu

This comment has been minimized.

Copy link
Contributor

commented Aug 20, 2019

Sorry, I think my poor English prevents others from understanding my posts 😳 , and probably make others think I might be rude. But...

"A username is essential to a registered user in MyBB system. We can't have duplicated usernames or bad usernames." I was saying that to make it clear that MyBB wants to have its user's username clean in some way. And I understand Isango tries its best to select a username and use UserDataHandler just as MyBB does.

However, please enlighten me, @effone. I just read Isango "give" a username to a new user logged in through OAuth/2. The logging will halt with unavailable usernames. Rather than this, why not place a username input box for user.

Sorry, My idea was not that simple. Have a look at the "I suggest let Isango ..." part (with updated content). I hope Isango takes the most part of control before a user is really registered (has a record in users table), with a properly selected username (hopefully by the user itself) and a valid email address (some 3rd party OAuth/2 services don't provide or provide an invalid one).

When we can deal with invalid email address provided by 3rd party OAuth/2 services, we can also deal with none are provided through OAuth/2. Just force the user to set up its email, the same way we want it to set up its username.

Uhh, I don't mean the SMS verification. It's not what the OAuth/2 does, should not be what the Isango does. I was trying to remind you that some OAuth/2 services use phone number as their account identity and SMS to do their verification. Then, email is lacking when Isango fetch information from those OAuth/2 services.

@Eldenroot, I'd really love to. Just as I've said, the OAuth/2 that I want to add doesn't return email info for users 🤣 . Besides, my site is running with a PHP version under 7.1. Is PHP 7.1 really the minimum?

@Eldenroot

This comment has been minimized.

Copy link
Member Author

commented Aug 20, 2019

Yes, PHP 7.1 or newer is required. You should update ASAP, we wont support older version, srry- it could bring a lot of issues with coding in future.

@Eldenroot

This comment has been minimized.

Copy link
Member Author

commented Aug 20, 2019

About the second part - so you just want to load additional info via oAuth to get more data - sms verification etc?

@yuliu

This comment has been minimized.

Copy link
Contributor

commented Aug 20, 2019

About the second part - so you just want to load additional info via oAuth to get more data - sms verification etc?

No, I don't mean anything relates to SMS verification. Take WeChat for example to clarify:

  • WeChat provides OAuth/2.

  • Users can register WeChat account by either email, phone number, Facebook (outside mainland China), and QQ (like ICQ).

  • Most WeChat users are from QQ (QQ and WeChat are properties of Tencent Inc.) and registered by phone number.

  • If a user is trying to register a WeChat account through phone number, WeChat use SMS verification to verify this user's registration. It's not relating to OAuth/2's, and of course Isango.

  • OAuth/2 by WeChat returns neither email nor phone number for a user. This is where the problem I've indicated in this issue.

Yes, PHP 7.1 or newer is required. You should update ASAP, we wont support older version, srry- it could bring a lot of issues with coding in future.

Ah.. OK, I understand this. Was assuming it just keeps with MyBB 1.9 which requires 7.1. I'm on an old OpenVZ only supporting old Linux kernel, and I don't want to compile PHP myself so rely on the system's build. Hope they can upgrade the container service. Off-topic done.

Edit to add:
Seems discussion becomes away from only "change username" to "complete user registration by submitting username, and email if OAuth/2 returns nothing about email".

@effone effone modified the milestones: v1.1.0, 1.1.1 Aug 23, 2019
@yuliu

This comment has been minimized.

Copy link
Contributor

commented Sep 24, 2019

Tried XenForo's social login some days ago. It redirects to a page for selecting/inputting a username upon OAuth finish. I think Isango should do the same, enclose username submission as a part of completing the user registration on authenticated by 3rd party.

Edited to add:
The hook global_start could be the best spot for Isango to hijack:

  1. Validate the cookies set by Isango. No such cookies, let MyBB continue its job.
  2. Get a cookie set by Isango, verify if the session is valid and is started by a 3rd party authority, meaning there's a record in table isango corresponding to the session. If no, do some Isango authentication job or clear the cookies & let MyBB continue its job.
  3. For the previous step, if yes, check if the user exists. If yes, let MyBB continue its job, and Isango ends its hijack.
  4. For the previous step, if no, redirect the user to a member.php location such as member.php?action=member_login&completed=0 for the hook member_login to do some form displaying job for user to fill their username (or even email if email is invalid by 3rd party).
  5. Also use the hook member_login to validate user input, by UserHandler. If all inputs are correct, register the user as a forum member. If any error, redirect the user to this location with inline errors.

I think this outline would be helpful.

@Eldenroot

This comment has been minimized.

Copy link
Member Author

commented Sep 24, 2019

It is planned

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.