Propose the concept of a crates.io username for identity#3946
Propose the concept of a crates.io username for identity#3946carols10cents wants to merge 2 commits intorust-lang:masterfrom
Conversation
Regardless of OAuth connections.
carols10cents
added
the
T-crates-io
|
Looks very well thought out. Should there be a limit to how frequently one can change one's username? (Considering the old name will be reserved from some period of time) Also I think there should be some way to revert a change of name if it's within the reservation window (ie. the old name hasn't been freed up yet) in case the rename was a mistake or the account was compromised. |
| deletion. We plan to limit the re-use of usernames, using a similar mechanism that we have today | ||
| that prevents re-use of a deleted crate name, so that no one could claim an abandonded username | ||
| for, say, 30 days. |
There was a problem hiding this comment.
@Diggsey And I'd be fine adding here that we will allow the person who previously had a name to "revert" to it within the period of time that the username isn't allowed to be used-- I'm torn on whether we want to build in a mechanism for users to be able to do the revert themselves, or have it be something admins could do after emailing us to see how often it's needed. 🤷🏻♀️
|
Hey, I just read your RFC, and I have something on my mind. Since there is already a refactoring happening, it might be quite beneficial to switch profile URLs to use the ID instead of the username. From your example in the markdown, this would mean this old URL The downside of course is that any URLs that already exist on the internet might break. Yes, this is a bit of overhead of course, but it would prevent malicious actors creating a crates.io account with a name that got available again. You can decide yourself, if it is worth the hassle. |
|
Second thing that came to my mind: It might make sense to run the script to initialize the new login user name in at least 2 batches. There is probably no 100% clean and correct solution for the name collision dilemma. The downside being that it would de-prioritize accounts without crates, or which have not been online in a certain time. |
| # Rationale and alternatives | ||
| [rationale-and-alternatives]: #rationale-and-alternatives |
There was a problem hiding this comment.
I'm sure this has been covered but perhaps worth documenting, what's the reason to not use email as the identifier? From a user perspective it's nicer to have one thing to remember rather than possibly needing to do "forgot my username".
Maybe at least it could be possible to log in with an email address rather than the associated username even if one does exist?
There was a problem hiding this comment.
two reasons I can think of: you may not want your email address to be public, and what happens if you lose/change your email address but wanted to keep the same username?
There was a problem hiding this comment.
emails are not a good identifier to use for user identity. People change emails over time.
Which is why most sites/login systems let you change your email (or even register more than one to the same account)
There was a problem hiding this comment.
Also email addresses are not public on crates.io and if we turned them into identifiers all of a sudden that would be a massive GDPR breach 😅
I think ultimately it's also for legacy reasons, since we want to stay compatible with the current chosen names.
There was a problem hiding this comment.
Yup that's all reasonable. Just think it may be worth documenting.
Also email addresses are not public on crates.io and if we turned them into identifiers all of a sudden that would be a massive GDPR breach 😅
They need not be public; identifying by numeric ID should be feasible (as a commenter above mentioned). Crates.io can show the name and/or linked account names for a given ID if available.
There was a problem hiding this comment.
I don't know about you but I'd rather be known by a proper name than a random number. I think this would also have security implications since typos would probably become more common etc.
... and please don't suggest UUIDs now 😅
| mismatch ⚠️ warning discussed above), then a new associated GitHub account logs in with the GitHub | ||
| username "example" (and a different GitHub ID), at that point we know the GitHub account "example" | ||
| does NOT belong to the crates.io account "example" and the crates.io account "example" should get | ||
| the mismatch ⚠️ warning. |
There was a problem hiding this comment.
Am I correctly interpreting that this means we don't surface a warning until crates.io learns of the new user? That seems potentially confusing, especially in regards to being asked to add people as owners.
This also seems like it interacts poorly with the impersonation attack prevention, since the crates.io UI would then actively mislead people into thinking they have the right user.
Is this a technical limitation (e.g., we don't have enough rate limit budget to continually ask GitHub for user IDs)?
| confident that the crates.io account has the same owner as the GitHub, GitLab, etc account they | ||
| trust. | ||
|
|
||
| In the database, accessible by admins only, we will track history of username changes (starting |
There was a problem hiding this comment.
Does it seem useful to flag prominently that a username was renamed, even if we don't show the before/after names? Relatedly, perhaps we can prevent adding users that were renamed to/from for a holding period (e.g., 1 day), to give time for us to detect impersonation and slow down attacks of that nature?
| - Should we start displaying it on user pages? | ||
| - Should we start using these ID-based URLs as the canonical user URLs? That is, should | ||
| visiting `https://crates.io/users/carols10cents` redirect to `https://crates.io/users/id/396`? | ||
| - Should we accept it in the CLI, such as `cargo owner --add id:396`? |
There was a problem hiding this comment.
Maybe related point: it would be worth considering if GitHub:1233 should be accepted, to allow unambiguous addition/removal of GitHub users without a race condition against renames
(E.g., rust-lang/team could conceptually use this for its syncing, though we're moving away from having any users other than the bot rust-lang-owner account on our crates).
8 participants
This RFC introduces the concept of a crates.io username separate from GitHub (or any potential future OAuth provider) usernames to be able to support multiple OAuth providers someday and adequately handle potential username collisions.
Introducing the concept of a crates.io username in the back end of crates.io and in the user experience is a prerequisite to eventually offering multiple OAuth providers.
Important
Since RFCs involve many conversations at once that can be difficult to follow, please use review comment threads on the text changes instead of direct comments on the RFC.
If you don't have a particular section of the RFC to comment on, you can click on the "Comment on this file" button on the top-right corner of the diff, to the right of the "Viewed" checkbox. This will create a separate thread even if others have commented on the file too.
Rendered