Configurable Username Policies#13
Conversation
- length: min + max - characters: whitelist + firstCharNumber? - improved consistency (member naming) - added options in web admin
Error: function vibe.core.core.CoreTask.state cannot override final function core.thread.Fiber.state
Many of them are caused by an alias in 'userman.d' and seem to happen in 'vibe.d'. Don't get confused! The problem actually here.
This reverts commit a9109dc.
TL;DR
|
StillTL;DRI like my nick (@0xEAB) and I want to be able to use it. |
|
I didn't yet look at the implementation, but I fully agree to the change. There is usually no need to enforce programming language identifier rules here! The default for |
source/userman/userman.d
Outdated
| /** | ||
| Settings also used by the API | ||
| */ | ||
| struct UserManCommonSettings { |
There was a problem hiding this comment.
There is an inconsistency with other vibe.d related libraries that use settings types here. Usually all of them use class for this, but for some reason APISettings, which should also really be UserManAPISettings, uses struct. So this should really use class and inheritance instead.
source/userman/userman.d
Outdated
| mailSettings = new SMTPClientSettings; | ||
| } | ||
|
|
||
| deprecated("Consistency: Use .serviceURL instead.") @property { |
There was a problem hiding this comment.
Any reason not to put this into UserManCommonSettings as an alias instead?
There was a problem hiding this comment.
Basically, I simply forgot to do so.
source/userman/web.d
Outdated
|
|
||
| @noAuth @errorDisplay!getRegister | ||
| void postRegister(ValidEmail email, Nullable!ValidUsername name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation) | ||
| void postRegister(ValidEmail email, string name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation) |
There was a problem hiding this comment.
I need to put in some more thought into this. It would really be nice to have a facility that allows configuring the validation types instead of having to resort to manual validation here.
There was a problem hiding this comment.
One advantage of my changes is that the user will see a reasonable error message now. At the moment, when I try to sign up at the dub-registry, all I get is Missing user name field., though vibe.d actually receives 0xEAB.
There was a problem hiding this comment.
The wrong error message is actually a bug in the handling of Nullable!T. I'll push a fix for that.
There was a problem hiding this comment.
There is one more issue that I missed last time. It needs to be Nullable!string, or omitting the name field will fail before checking m_settings.useUserNames below. Other than that, I think we can keep the manual validation for now.
- consistency - fixed deprecation warnings caused by previous changes
A parameter that failed validation was erroneously treated as unset. See also rejectedsoftware/userman#13.
source/userman/web.d
Outdated
|
|
||
| @noAuth @errorDisplay!getRegister | ||
| void postRegister(ValidEmail email, Nullable!ValidUsername name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation) | ||
| void postRegister(ValidEmail email, string name, string fullName, ValidPassword password, Confirm!"password" passwordConfirmation) |
There was a problem hiding this comment.
There is one more issue that I missed last time. It needs to be Nullable!string, or omitting the name field will fail before checking m_settings.useUserNames below. Other than that, I think we can keep the manual validation for now.
source/userman/userman.d
Outdated
| string additionalChars = "-_"; | ||
| bool noNumberStart = false; // it's always a good idea to keep this option *disabled* | ||
|
|
||
| public bool validateUserName(R)(ref R error_sink, string userName) |
There was a problem hiding this comment.
I'd leave this declared as package. If a use case for this occurs outside of userman itself, we can still add it to the public API. But if, for example, this gets switched back to ValidUserName, this will have to be deprecated again, or will stay as an unused function.
»It needs to be Nullable!string, or omitting the name field will fail before checking m_settings.useUserNames below.« - Sönke Ludwig
|
Is there anything else to do? |
|
Looks good now, thanks! |
Configurable Username Policies Conflicts: example/source/app.d source/userman/api.d source/userman/web.d source/userman/webadmin.d views/userman.admin.settings.dt
|
A new version of the registry with the changes in is now deployed! |
|
I have no idea, what exactly went wrong, but, unfortunately, signing up at the dub-registry now leads to an error.
|
|
Hm, seems like I uploaded an older binary. The error was already fixed by 560e4b7 |
My changes add the possibility to configure what username policies are applied.
The main reason
The year is 2017. Homosexual people in the Netherlands have been allowed to marry for over 16 years by now; more and more countries have been or are following. Almost all European countries have abandoned the death penalty.
Nevertheless, people wanting to register with usernames that start with a number (like mine does 😊) cannot signup on several pages. This includes practically all services relying on userman (and thus also the dub-registry).
It's a shame that people still have to use umpteen fancy usernames on different sites because of weird and incomprehensible policies all over the WWW.
I wonder if this is really necessary ...
Why can't I simply have one single username that I can use everywhere? Because it's a hex number? Because it starts with a number? Because it has only 5 characters? Because it's easy to remember as it's based on my name's initials?
Whatever it is, it's always just ridiculous. Well, I'm a bit disappointed.
Findings
As you might guess, userman's new default setting for
noNumberStartis, of course,false. Because it would be simply wrong to enable it. If someone really needs to enforce this (and I doubt there will ever be one), she/he can enable it explicitly on purpose.By the way
Facebook, Twitter, VK, GitHub, GitLab, Discord, and so on, all those allow usernames starting with a number.
Note
I don't want to accuse anyone of anything. In this case, the problem simply comes from a design flaw in the defaults of vibe.d's username validation and userman was only affected because it lazily relied on those.
Conclusion
I would be very happy if these changes would find their way into the dub-registry one day.