Skip to content

Auto-create userid (login with email address) #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
peter- wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Auto-create userid (login with email address) #16

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 28 additions & 10 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,20 +7,19 @@ This fork adds support for SQL databases as the back-end.
The module needs an `sqlauth:SQL` authentication source as the place to store user accounts. You can use an existing authsource, just make sure the credentials used allow for writing.

People that want to sign up for an account need to fill in their e-mail address, and they get sent a URL with a token to confirm the address.
Upon verification the user can then needs choose a username, a password, and values for first and last name.
Upon verification the user can then needs choose a username (unless auto-generation is configured, see below), a password, and values for first and last name.
These values are stored in the SQL back-end.
To store the password securely it is hashed with a salt, which is saved in a separate database column. This approach allows the database to do the password verification.

Enable this module the standard way (i.e. touching the file `enable` in the module directory, and copy the default configuration file to `config/`).

MySQL back-end
==============

--------------

The default configuration file `module_selfregister.php` contains all the necessary statements.


###Database set-up
### Database set-up

Create the database, add a user, and assign permissions:

Expand All @@ -44,8 +43,8 @@ Create the table that will hold you users:
)


###authsource set-up
--------------------
### authsource set-up

Create the accompanying authsource in `config/authsources.php`:

'selfregister-mysql' => array(
Expand All @@ -66,9 +65,9 @@ Create the accompanying authsource in `config/authsources.php`:


PostgreSQL back-end
===================
-------------------

###Database set-up
### Database set-up

As the postgres super user, create a new role, and a new database that is owner by the new user:

Expand All @@ -82,7 +81,7 @@ In order to use the crypto that is needed to do the password verification, you n

This in turn might depend on an extra package, for Debian/Ubuntu this is the `postgresql-contrib` package.

####authsource set-up
### authsource set-up

Create the accompanying authsource in `config/authsources.php` (and remember to update the `auth` statement in `module_selfregister.php`_:

Expand All @@ -101,7 +100,7 @@ Create the accompanying authsource in `config/authsources.php` (and remember to


Attribute mapping
=================
-----------------

Add the follwoing authproc filter to the IdP metadata (metadata/saml20-idp-hosted.php), so that the attributes will have the standard names:

Expand All @@ -116,3 +115,22 @@ Add the follwoing authproc filter to the IdP metadata (metadata/saml20-idp-hoste
'firstname' => 'givenName',
),


Log in with email address
-------------------------

> N.B.: This feature is currently only implemented for the SQL storage backend, not for LDAP.

Deployments that want to use the subject's email address as login name/userid can set the option `user.id.autocreate` to `true` in `config/module_selfregister.php`. This will cause the `userid` value to be filled automatically (more or less randomly), without the subject having to chose and remember Yet Another username during registration.
(Note that the string `Username` then might also need to be changed in the relevant dictionaries to state "Email address" instead, to avoid confusion about just what to enter during login.)

To prevent the username field and description from showing up during registration also disable (uncomment or delete) the mapping of `username` within the `$attributes` array in your `config/module_selfregister.php`, such as below:

'attributes' => array(
//'username' => 'uid', // Removed, we use user.id.autocreate instead
'firstname' => 'givenName',
'lastname' => 'sn',
'email' => 'mail',
'userPassword' => 'password',
),

9 changes: 7 additions & 2 deletions config-templates/module_selfregister.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,11 @@
// This is usually the primary key
// This relates to the attributs mapping (see below)
'user.id.param' => 'userid',

// Whether to create unique userids programmatically instead of
// having the subject pick a userid during registration.
// Useful if you re-use the email addresses as login name.
'user.id.autocreate' => false,
), // end SQL config


Expand All @@ -46,7 +51,7 @@


'attributes' => array(
'username' => 'uid',
'username' => 'uid', // comment out this line if you set user.id.autocreate to true
'firstname' => 'givenName',
'lastname' => 'sn',
'email' => 'mail',
Expand Down Expand Up @@ -275,4 +280,4 @@
),
*/

);
);
37 changes: 33 additions & 4 deletions lib/Storage/SqlMod.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,8 @@ public function __construct($authSourceConfig, $writeConfig, $attributes, $hashA
$this->salt = bin2hex(SimpleSAML_Utilities::generateRandomBytes(64));
$wc = SimpleSAML_Configuration::loadFromArray($writeConfig);
$this->userIdAttr = $wc->getString('user.id.param');

$this->userIdAutoCreate = $wc->getBoolean('user.id.autocreate', false);
//$this->userIdAutoCreateLength = $wc->getInteger('user.id.autocreate.length', 9);
}

public function addUser($entry){
Expand All @@ -57,8 +58,11 @@ public function addUser($entry){

} else {

//$userid = $this->createUniqueUserId($entry['email']);
$userid = $entry['username'];
if ($this->userIdAutoCreate) {
$userid = $this->createUniqueUserId();
} else {
$userid = $entry['username'];
}
$sth = $this->dbh->prepare("
INSERT INTO users
(userid, email, password, salt, firstname, lastname, created, updated)
Expand All @@ -71,6 +75,31 @@ public function addUser($entry){
}
}

public function createUniqueUserId() {
$userid = $this->createUserId();
while ($this->isRegistered($this->userIdAttr, $userid)) {
$userid = $this->createUserId($string);
}
return $userid;
}

private function createUserId() {
// Ideas cf. http://stackoverflow.com/questions/2799495/generate-unique-random-alphanumeric-characters-that-are-7-characters-long

// Avoid chars that might be mistaken by a human (no [oO0il1]).
// Also is easily configurable wrt string length.
// Duplicates w/ deleted accounts are more likely over time, though.
// (All non-transient SAML identifiers require non-reassignment: subject-id, pairwise-id, persistent NameID, etc.)
//return substr( str_shuffle('abcdefghjkmnpqrstuvwxyz23456789'), 0, $this->userIdAutoCreateLength); // configurable length

// Makes duplicates w/ deleted accounts less likely, but can't rule those out completely.
// Not easily configureable wrt string length.
//return base_convert(mt_rand(100, 999) . intval(microtime(true) * 10), 10, 36); // 9 chars

// Time-based, so no duplicate ids even with deleted accounts.
return uniqid(); // 13 chars
}

private function hash_pass($plainPassword) {
$salt = $this->salt;

Expand Down Expand Up @@ -170,4 +199,4 @@ public function findAndGetUser($searchKeyName, $value) {

}

?>
?>