Skip to content

[20.09] Allow username or email for authenticate API identity#10521

Merged
mvdbeek merged 6 commits into
galaxyproject:release_20.09from
dannon:username-baseauth
Oct 25, 2020
Merged

[20.09] Allow username or email for authenticate API identity#10521
mvdbeek merged 6 commits into
galaxyproject:release_20.09from
dannon:username-baseauth

Conversation

@dannon

@dannon dannon commented Oct 22, 2020

Copy link
Copy Markdown
Member

The primary authentication mechanism behaves this way.

Fixes #10519

@dannon dannon added kind/bug area/API area/auth Authentication and authorization paper-cut labels Oct 22, 2020
@innovate-invent

Copy link
Copy Markdown
Contributor

Closes #10519

@nsoranzo

Copy link
Copy Markdown
Member

Should we consolidate the code here with https://github.com/galaxyproject/galaxy/blob/release_20.09/lib/galaxy/webapps/galaxy/controllers/user.py#L135-L145 , maybe in an additional function in galaxy.security.validate_user_input ?

@dannon

dannon commented Oct 22, 2020

Copy link
Copy Markdown
Member Author

@nsoranzo Yeah, it'd be a good idea to followup with refactoring to have a single method for this -- it would have prevented this problem in the first place.

@mvdbeek

mvdbeek commented Oct 23, 2020

Copy link
Copy Markdown
Member

@dannon @nsoranzo what do you think about 5c7fdad ? This adds a method to UserManager for retrieving users via email or username, using the rules we had in https://github.com/galaxyproject/galaxy/blob/release_20.09/lib/galaxy/webapps/galaxy/controllers/user.py#L135-L145.

@mvdbeek mvdbeek added this to the 20.09 milestone Oct 23, 2020
@nsoranzo

Copy link
Copy Markdown
Member

@mvdbeek Looks good to me, I just added a comment on your commit page.

Note that handling the case of more than 1 record returned is different
between the 2 original methods.

-  The regular login retrieves just the
first matching record with `.first()` while `get_api_key` raises an
Exception. I've chosen to not raise an Exception since we don't do this
with regular logins and this targets 20.09. We could experiment with
raising an exception in dev, since that situation should hopefully not
be possible.

- The baseauth method did require exact email capitalization (which was
 a problem for some of Jen's account on usegalaxy.org and for users with
particular LDAP setups, xref: galaxyproject#8602)
@dannon

dannon commented Oct 23, 2020

Copy link
Copy Markdown
Member Author

@mvdbeek I can cherrypick that here, but I think using the regex to identify the identification type is probably better than just OR'ing in the query. I'll update it. The two regexes match distinct sets and cannot overlap, so you know what kind of identity you're looking for. (the extra test is a great idea either way, thanks)

@mvdbeek

mvdbeek commented Oct 23, 2020

Copy link
Copy Markdown
Member

Thanks @dannon!

Comment thread lib/galaxy/managers/users.py Outdated
We actually do have some capitalized publicnames historically.
@dannon

dannon commented Oct 24, 2020

Copy link
Copy Markdown
Member Author

I did a quick check and there are actually public usernames with capitalization on main.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/API area/auth Authentication and authorization kind/bug paper-cut

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants