Allowed characters in username of User #1573

Open
gfoo opened this issue Jan 9, 2020 · 9 comments
gfoo commented Jan 9, 2020

Are there any rules about the value of the username property of a User?

We have many users to migrate from a DB into Knora, and many of them have used their email as username. It causes some trouble with the Knora admin API.

For example, a call to http://localhost:3333/admin/users/username/[email protected] returns this error: {"error":"org.knora.webapi.BadRequestException: Invalid username Some([email protected])"}

I identified some problematic characters like - or @.

gfoo commented Jan 9, 2020

For example: POST http://localhost:3333/admin/users

{
  "email": "[email protected]",
  "givenName": "Donald",
  "familyName": "Duck",
  "username": "[email protected]",
  "password": "test",
  "status": true,
  "lang": "en",
  "systemAdmin": false
}

Result:

{
    "user": {
        "email": "[email protected]",
        "familyName": "Duck",
        "givenName": "Donald",
        "groups": [],
        "id": "http://rdfh.ch/users/xQ3NYJzDQFaGi7oa2ylpgA",
        "lang": "en",
        "password": null,
        "permissions": {
            "administrativePermissionsPerProject": {},
            "groupsPerProject": {}
        },
        "projects": [],
        "sessionId": null,
        "status": true,
        "token": null,
        "username": "[email protected]"
    }
}

GET http://localhost:3333/admin/users/username/[email protected]

{
    "error": "org.knora.webapi.BadRequestException: Invalid username Some([email protected])"
}

mrivoal commented Jan 14, 2020

@subotic: As long as we can create users via the Knora API whose usernames include special characters, does it mean that it is a bug in the admin route answer?

If it is not a bug, then the creation of such usernames should be prevented. It would also mean that all the users (around 200) we will have to migrate won't be able to use the Knora app (unless we decide to change their usernames by removing all characters that the Knora app doesn't like).

BTW: this issue is related to Lumieres.Lausanne release which is high priority for us.

mrivoal commented Jan 17, 2020

@subotic, what do you think about it? Do you think a username could use some special characters?

subotic commented Jan 23, 2020

@gfoo Here is the regex for checking username: https://github.com/dasch-swiss/knora-api/blob/22727a274948b8e092add6295ad952f1651b59d3/webapi/src/main/scala/org/knora/webapi/util/StringFormatter.scala#L882-L890

@mrivoal There are two reasons why username was re-introduced (at some point we only had email as the "username"):

  1. In Knora-App username is used in the URL, which wouldn't be possible with email
  2. Users can change their email address while keeping their username

In your case, you could take the part before the @ as the username. When we have email notifications, then the user could get his username and password sent by email.

gfoo commented Jan 24, 2020

  1. In Knora-App username is used in the URL, which wouldn't be possible with email

In our app I don't use username at all, is that wrong? Should I? I always use the email for login or to get information about the current user; for example I call the API like this: http://api-test2.unil.ch/admin/users/email/cherch_test%40unil.ch and it works.

Anyway, we have to fix our migrated usernames on the fly. But there is still a problem: I was able to create a user with "username": "[email protected]" (see above).

subotic commented Jan 25, 2020

In our app I don't use username at all, is that wrong? Should I? I always use the email for login or to get information about the current user; for example I call the API like this: http://api-test2.unil.ch/admin/users/email/cherch_test%40unil.ch and it works.

That is perfect. You can use whatever suits you.

What I meant is that the username is used in the angular routes, e.g., app2.dasch.swiss/user/subotic. At least, this was the case in the past, but apparently not anymore? (@flavens @kilchenmann).

@kilchenmann

Yes, that's true. We want to use — as @subotic said — username for the route of (public) user profile (similar to github and other online tools). At the moment this route is not active, because of concerns about public user profile (cannot find the issue right now).

In the "create-user-form" we use the regex as described above to avoid unwanted characters.

For the app login we use the common placeholder username, but this can be an e-mail address or a username. Both work here: https://docs.dasch.swiss/user-guide/#login

subotic commented Jan 28, 2020

At the moment this route is not active, because of concerns about public user profile (cannot find the issue right now).

The GUI can show any available information. Any security concerns will need to be addressed in the knora-api. So as far as this goes, you can activate it whenever you like.

For the app login we use the common placeholder username, but this can be an e-mail address or a username. Both work here

This will only work if the username can be clearly distinguished from the email, because of the login API.

@gfoo Thanks for the bug report on "username": "[email protected]". I've opened issue #1585.
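The thread turns on two points: the create path accepted a username that the lookup path later rejected, and the login API has to tell an e-mail apart from a username. The following added example (not Knora's code) shows one shared validator applied on both paths so the two can never disagree, plus the "take the part before the @" migration fallback suggested above. The allow-list regex is an assumption for illustration; the project's real one lives in StringFormatter.scala and is not reproduced here.

```python
import re

# Assumed allow-list (placeholder, not the project's real regex): starts with
# a letter, then letters, digits, '_' or '.', 4 to 50 characters overall.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.]{3,49}$")
# Shape check that is enough to route a login identifier; not an RFC 5322 parser.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_valid_username(value: str) -> bool:
    """Single source of truth, used by BOTH the create and the lookup path."""
    return USERNAME_RE.fullmatch(value) is not None


def classify_login_identifier(value: str) -> str:
    """An '@' makes the identifier an email; otherwise it must be a username."""
    if "@" in value:
        return "email" if EMAIL_RE.fullmatch(value) else "invalid"
    return "username" if is_valid_username(value) else "invalid"


def suggest_username_from_email(email: str) -> str:
    """Migration fallback: local part of the email, with characters outside the
    allow-list replaced by '_'. Returns '' if the result still fails validation."""
    local = email.split("@", 1)[0]
    candidate = re.sub(r"[^A-Za-z0-9_.]", "_", local)
    return candidate if is_valid_username(candidate) else ""


class UserStore:
    """Toy in-memory store: validation is enforced at creation, so the lookup
    path can never meet a stored username that it would itself reject."""

    def __init__(self) -> None:
        self._email_by_username: dict[str, str] = {}

    def create_user(self, username: str, email: str) -> None:
        if not is_valid_username(username):
            raise ValueError(f"Invalid username {username!r}")
        self._email_by_username[username] = email

    def get_by_username(self, username: str):
        if not is_valid_username(username):
            raise ValueError(f"Invalid username {username!r}")
        return self._email_by_username.get(username)


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    store = UserStore()
    store.create_user("donald.duck", "donald.duck@example.org")
    print(store.get_by_username("donald.duck"))
    print(suggest_username_from_email("donald-duck@example.org"))
```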

@kilchenmann

The GUI can show any available information. Any security concerns will need to be addressed in the knora-api.

Yes, I know. The only concern is about the e-mail address. But we don't have to display it.

So as far as this goes, you can activate it whenever you like.

There is not so much information in the user profile. It's not so interesting to display name and username. Probably the project membership, yes. We will think about the activation of the public user profile in the app.

@subotic subotic added this to the Backlog milestone Feb 7, 2020
@irinaschubert irinaschubert removed this from the Backlog milestone Dec 9, 2021