Feature #3956
openLogin by Email
0%
Description
I was looking at a phpBB MOD and thought this is something good any site with user authentication could use.
It lets you login with your email address, and disallows people registering new usernames that match the emails of previously registered users.
Files
Related issues
Updated by Felix Schäfer over 14 years ago
- Category set to Accounts / authentication
- Assignee deleted (
Chaoqun Zou)
Updated by Robert Claypool over 12 years ago
I vote for this. It would be very useful.
Updated by Latchezar Tzvetkoff over 11 years ago
Hi! We have a heavy-used Redmine install at our company and we've found out that most users get confused with those IRC'ish logins, so we needed to patch email login in.
NB: We maintain a patch set we apply after every update, but we think that most of the people will be happy to have email login provided in the official version.
Here is the diff against trunk:
$ svn diff Index: app/models/user.rb =================================================================== --- app/models/user.rb (revision 11691) +++ app/models/user.rb (working copy) @@ -160,7 +160,13 @@ # Make sure no one can sign in with an empty login or password return nil if login.empty? || password.empty? - user = find_by_login(login) + + if login.match(/\A([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})\z/) + user = find_by_mail(login) + else + user = find_by_login(login) + end + if user # user is already in local database return nil unless user.active?
Updated by Slawomir CALUCH about 10 years ago
+1 I maintain a redmine for freelance and personal projects and friends/customers tend to try using their emails.
A few stopped connecting to redmine due to the unmet expectation.
I think this could be an option in `/settings?tab=authentication`
Updated by Dimitris Vi about 10 years ago
+1
for some people having to remember yet another username is not as trivial as it might sound, and when you use their e-mail as username it is ugly and can even mess with the issues list table's layout
Updated by Pierre Maigne about 10 years ago
+1
As far as I can see, it has very little impact,and I would not need to modify user.rb file at each update :)
Updated by Bernhard Rohloff almost 6 years ago
+1 This is so common these days and people don't have to remember another login.
Updated by Marius BĂLTEANU almost 6 years ago
You can already achieve this by using the same email address as login username (attached a screenshot). IMO, current implementation is flexible enough to cover multiple use cases.
We also need to consider that an user can have multiple email addresses (which makes a possible implementation more complex).
Updated by Bernhard Rohloff almost 6 years ago
Marius BALTEANU wrote:
You can already achieve this by using the same email address as login username (attached a screenshot). IMO, current implementation is flexible enough to cover multiple use cases.
If your email address changes you can't change your username which makes it somehow impractical. I also see it more like a second chance to get into your account if you have forgotten your username. It's not particularly a problem of mine but I have users who aren't using Redmine very often and tending to forget their username from time to time.
We also need to consider that an user can have multiple email addresses (which makes a possible implementation more complex).
I think it would be sufficient enough to only check the primary email address.
Updated by Marius BĂLTEANU almost 6 years ago
Thanks Bernhard for clarification.
It should be enough to allow users to login by username or email address, right? without any other impact in application. I'm asking because first time when I read this, I understood that we should have a setting to choose between username and email.
Updated by Bernhard Rohloff almost 6 years ago
Sorry for my late reply Marius, there seems to be an issue with notification mails on redmine.org.
Marius BALTEANU wrote:
It should be enough to allow users to login by username or email address, right? without any other impact in application.
Yes, that's exactly what I ment. You can find it very often these days for example on GitLab, GitHub, or also on Facebook or Amazon.
It's very convenient to get into your account even if you don't remember your username. I think plan.io has done it the same way, as I can remember.
Updated by Go MAEDA 11 months ago
I think the problem may occur when a user sets another user's email address as their login ID. For example, if there are two users as shown in the table below, which user can sign in with foo@example.com
?
id | login | |
---|---|---|
11 | testuser1 |
foo@example.com |
12 | foo@example.com |
testuser2@example.com |
Updated by Holger Just 11 months ago
A simple (and consistent) solution could be to find a user fiorst by login and then as a fallback by email address. This could be implemented with just the following patch:
diff --git a/app/models/user.rb b/app/models/user.rb
index 0f78a8937a..67704cd162 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -216,7 +216,7 @@ def self.try_to_login!(login, password, active_only=true)
# Make sure no one can sign in with an empty login or password
return nil if login.empty? || password.empty?
- user = find_by_login(login)
+ user = find_by_login(login) || find_by_mail(login)
if user
# user is already in local database
return nil unless user.check_password?(password)
From the example in #note-16, a user trying to login as foo@example.com
would thus be logged in as user 12.
Updated by Marius BĂLTEANU 11 months ago
Is it safer to enable this feature under a new setting in Administration -> Authentication which should turn on / off this behaviour? We can keep the setting disabled for existing installations and enabled for new installations.
Updated by Go MAEDA 11 months ago
Marius BĂLTEANU wrote in #note-18:
Is it safer to enable this feature under a new setting in Administration -> Authentication which should turn on / off this behaviour? We can keep the setting disabled for existing installations and enabled for new installations.
I think Redmine should now allow the creation of a new user that contains '@' in their login ID if the new setting is enabled.
Suppose that there is a user below. User 11 can sign in with testuser1
or foo@example.com
.
id | login | |
---|---|---|
11 | testuser1 |
foo@example.com |
If the following user 12 is created, then user 11 will suddenly not be able to sign in with foo@example.com
.
id | login | |
---|---|---|
11 | testuser1 |
foo@example.com |
12 | foo@example.com |
foo@example.net |
Updated by Heiko Robert 9 months ago
I think Redmine should now allow the creation of a new user that contains '@' in their login ID if the new setting is enabled.
Unfortunately it is possible to create new users having a at-sign in the username. This is always a source of trouble, if this is not the user's email which should be also validated against the email property. I would disallow at-sign in usernames to avoid such inconsistencies.
Anyway - in the current implementation it would be safest to add such a config as suggested to turn on / off using `find_by_mail(login)` on login.
I already patch user.rb since 10 years. Would be nice to avoid that and to close this ticket ;-)
P.S.: You should switch your db character set to not fail on specific utf-characters ...