Jeff Gabhart - 20 - Jan 8, 2015

I’m using the FacebookAuthProvider, is there anything I can override or customize so that a user’s user_auth record does not get email and username filled out? In v3, it would only fill out primary_email - not email and username.

ok cool, latest version is also on MyGet should you need it.

Jeff Gabhart:

I also use CredentialsAuthProvider. The key here is that I was using IUserAuthRepository.GetUserAuthByUserName() to tell if the user authed with Credentials as opposed to Facebook.

You could inherit the FacebookAuthProvider and override https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/FacebookAuthProvider.cs#L86

Otherwise you could provide a FacebookAuthProvider.CustomValidationFilter and remove the populated fields from the auth tokens:
https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/AuthProvider.cs#L166

Jeff Gabhart:

That looks like it controls what ends up in UserAuthDetails not UserAuth. Blanking Email and UserName in LoadUserOAuthProvider() doesn’t seem to affect the UserAuth record.

What AuthRepo are you using? OrmLiteAuthRepository copies over the info from tokens and then copies it to UserAuth table:
https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack.Server/Auth/OrmLiteAuthRepository.cs#L415-L416

Jeff Gabhart:

Yeah, OrmLiteAuthRepository - do I need to implement the interface myself then?

Jeff Gabhart:

Wouldn’t it be possible to have duplicate usernames then? If usernames are coming from any number of oauth providers?

I would think that you could use the callbacks above to clear the info from the tokens, so they don’t get populated.

We assert Unique Emails by default: https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/AuthProvider.cs#L351

And we assert Unique UserNames upon registration (i.e. for User/Password registration), but not for OAuthProviders. I should probably make it configurable like it is for AuthProvider.ValidateUniqueEmails. You can also use the AuthProvider.CustomValidationFilter to add your own custom validation.

BTW added validation for Unique UserNames in this commit:
https://github.com/ServiceStack/ServiceStack/commit/d66e4b581f55bc78ddf1586ec910604a8e5555be
It’s overridable with AuthProvider.ValidateUniqueUserNames

Jeff Gabhart:

Cool. I ended up changing our auth flow to fit in with how SS works in v4.

This regex in OrmLiteAuthRepository is limiting usernames to a length less than or equal to 15. Since OAuth providers copy their username out to the UserAuth record, we are seeing usernames from Facebook that do not meet this validation requirement. As a result, updates to the user_auth such as changing the password fail because the username does not pass the validation.

It’s overridable right? What change are you suggesting?

Yeah, we will replace the property with our own regex.
I brought it to your attention in case there is something you wanted to do about it since it was tricky to track down, affects anyone using Facebook auth mixed with credential auth, and is a result of the v4 change that started copying the oauth username to the UserAuth table.

Can’t make the default unlimited since the max username limit can’t be relied on for display purposes. But I’ve increased it to 20 chars to minimize issues and consolidated it into a single AuthFeature.ValidUserNameRegEx config option in this commit. It also allows specifying a custom AuthFeature.IsValidUserNameFn function instead.

1 Like
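
An added example, not from the thread or from ServiceStack: a stand-alone C# audit that finds stored usernames which would fail a credentials-style validation regex on a later update, and usernames that collide across providers. The `UserRow` type, the sample rows and both regex patterns (modelling the 15- and 20-character limits mentioned above) are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Constructed stand-in for a user_auth row; not ServiceStack's UserAuth type.
record UserRow(int Id, string Provider, string UserName);

static class UserNameAudit
{
    // Assumed patterns modelling the 15-char and 20-char limits from the thread.
    public static readonly Regex Limit15 = new(@"^(?=.{3,15}$)([A-Za-z0-9][._-]?)*$");
    public static readonly Regex Limit20 = new(@"^(?=.{3,20}$)([A-Za-z0-9][._-]?)*$");

    // Rows whose stored username would be rejected when the record is next updated.
    public static List<UserRow> FailingValidation(IEnumerable<UserRow> rows, Regex rule) =>
        rows.Where(r => !string.IsNullOrEmpty(r.UserName) && !rule.IsMatch(r.UserName))
            .ToList();

    // Usernames held by more than one row, compared case-insensitively.
    public static List<IGrouping<string, UserRow>> Duplicates(IEnumerable<UserRow> rows) =>
        rows.Where(r => !string.IsNullOrEmpty(r.UserName))
            .GroupBy(r => r.UserName, StringComparer.OrdinalIgnoreCase)
            .Where(g => g.Count() > 1)
            .ToList();
}

static class Program
{
    static void Main()
    {
        // Constructed sample rows: one credentials user, several OAuth-provisioned ones.
        var rows = new List<UserRow> {
            new(1, "credentials", "jsmith"),
            new(2, "facebook", "firstname.lastname.1234"), // 23 characters
            new(3, "facebook", "jane.doe.engineer"),       // 17 characters
            new(4, "twitter", "JSmith"),                   // same name, different case
            new(5, "facebook", ""),                        // username cleared before save
        };
        var rules = new[] { ("15-char rule", UserNameAudit.Limit15),
                            ("20-char rule", UserNameAudit.Limit20) };
        foreach (var (label, rule) in rules)
            foreach (var r in UserNameAudit.FailingValidation(rows, rule))
                Console.WriteLine($"{label}: id={r.Id} provider={r.Provider} '{r.UserName}' fails");
        foreach (var g in UserNameAudit.Duplicates(rows))
            Console.WriteLine($"duplicate '{g.Key}': ids {string.Join(", ", g.Select(r => r.Id))}");
    }
}
```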