I do believe Auth0 can be the miracle cure for my pains of user credentials in future apps. However, I have a few teething problems getting to use it how I want.
In short, I want all my users to have a public username property, (it’s a social project).
That’s very easy with the database connection setting. That updates the ‘username’ on the user profile which is checked for uniqueness on any signup using that method.
If, then, I have another user log in with a social account, e.g. Facebook, I want to request a username from them. Once I have that, I want to update the user profile, but the only place I can do that is in the user_metadata. This then leads to the first problem, which is: the check for a unique username via the Auth0 username-password method at sign up only uses the root username, thus ignoring any set in user_metadata, so I could get a conflict.
Therefore, I believe one way to fix this is to use a pre-registration hook, that sets a user_metadata.username property on sign up. But…it should check to see if any other user has that username in the user_metadata already set. An example of the illegal state is below:
e.g. User A signs up with password and username ‘IAmUser’…
*{username: 'IAmUser', user_metadata: {username: 'IAmUser'}}*
User B signs up with Facebook, middle tier sets the user_metadata to chosen username ‘IBeUser’
*{username: , user_metadata: {username: 'IBeUser'}}*
User C signs up with password and username ‘IBeUser’
*{username: 'IBeUser', user_metadata: {username: 'IBeUser'}}*
User C succeeds by default because the Auth0.com process only checks the root username.
I am unsure how, during the pre-registration hook, to search other users’ metadata for the existence of the proposed username (kinda overriding auth0’s default unique check).
However, what I find strange is that the root username will then be irrelevant, as the Social vs Database identities would have to use the common user_metadata. Why is it that a social account can’t write to the root username property, as this would avoid all this headache!
The other option I am thinking of is to create a database connection account for anyone who logs in with a social media account, assigning them a random password (they can click forget password to reset) and a best guess username (e.g. their full name concatenated). This would be done in my own middle tier, which can therefore ensure a unique username etc. using the ManagementClient SDK.
Can you please advise on
- How to search all users metadata from within a hook, and on a match, raise a conflict exception to send back to the calling auth
- which option out of the two above you think is advisable
- explain why the username at root level on the user profile is tied only to database connections (and how does it differ from nickname)?
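The collision described in the post (user C taking user B's handle because only the root `username` is compared), as an added example that is not part of the original post or of Auth0's code. The users array is a constructed stand-in for whatever the hook would fetch from the Management API; `preRegistration` is a hypothetical hook-shaped function that checks both fields before allowing signup.

```javascript
// Constructed directory mirroring the post's three-user scenario (assumption:
// a real hook would obtain these rows from a Management API user search).
const USERS = [
  { user_id: 'auth0|A', username: 'IAmUser', user_metadata: { username: 'IAmUser' } },
  { user_id: 'facebook|B', username: undefined, user_metadata: { username: 'IBeUser' } },
];

// Canonical form so 'IBeUser', 'ibeuser' and ' IBeUser ' count as the same handle.
function normalize(name) {
  return String(name == null ? '' : name).trim().toLowerCase();
}

// Every handle a user already owns: the root username (database connection)
// plus the user_metadata.username the middle tier writes for social logins.
function handlesOf(user) {
  const meta = user.user_metadata || {};
  return [user.username, meta.username].map(normalize).filter(Boolean);
}

// Default behaviour the post describes: only the root username is compared,
// so a handle held in user_metadata by a social user is invisible here.
function rootOnlyConflict(proposed, users) {
  const want = normalize(proposed);
  return users.find((u) => normalize(u.username) === want) || null;
}

// Hardened check: a proposed username conflicts if any user holds it in
// either the root field or user_metadata.
function anyFieldConflict(proposed, users) {
  const want = normalize(proposed);
  return users.find((u) => handlesOf(u).includes(want)) || null;
}

// Hypothetical hook body: returns the metadata to store on the new profile,
// or throws to deny the signup with a conflict error.
function preRegistration(proposed, users) {
  const username = String(proposed == null ? '' : proposed).trim();
  if (!username) throw new Error('username_required');
  const holder = anyFieldConflict(username, users);
  if (holder) throw new Error('username_taken: ' + username + ' belongs to ' + holder.user_id);
  // Store the handle in user_metadata so social and database users share one field.
  return { user_metadata: { username } };
}

// User C from the post: passes the root-only check, rejected by the full check.
console.log(rootOnlyConflict('IBeUser', USERS) === null);      // true
console.log(anyFieldConflict('IBeUser', USERS).user_id);         // facebook|B
```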