Force username & email to lowerCase PLUS Remove sensitive data before… #837
Conversation
|
@rhutchison @codydaig @ilanbiala @mleanos any thoughts? |
| @@ -6,7 +6,7 @@ <h3 class="col-md-12 text-center">Or with your account</h3> | |||
| <div class="form-group"> | |||
| <label for="username">Username</label> | |||
| <input type="text" id="username" name="username" class="form-control" | |||
| data-ng-model="credentials.username" placeholder="Username"> | |||
| data-ng-model="credentials.username" data-ng-change="credentials.username=credentials.username.toLowerCase();" placeholder="Username"> | |||
There was a problem hiding this comment.
We seem to have decided not to use the data- prefix for angular attributes so please change this through-out the PR to just ng-change and so on..
|
can we use css |
|
I agree with @rhutchison that this should be done with the save method, either on the client or server side. I'm not a fan of using I don't see a need to transform with css. The real need here is to change the username to lowercase, sometime, before authentication; in order to decrease the chance of user error. However, if the view must be updated to reflect the lowercase change, then I'd say that's an argument to do the conversion, in the client controller |
|
After looking at these changes a bit further, I think the lowercase conversion should be done at the very front-end with the user input; most likely in the client controller method that initiates any API calls. If these changes are made in the middleware, they can get lost & the SOC gets weaker. To ensure the username & email always get converted to lowercase, the pre- |
@mleanos Why wouldn't you just have text-transform? the user doesn't need to know when it's transformed, just that it is being transformed. |
|
@rhutchison I don't like using css as a means to transform data based on business logic/needs. The client/server controller would be sufficient in most cases. If someone wants to update the view to show the transformation, then adding the css |
|
.toLowerCase is good, but I'd do it in the JS and not in the HTML. |
|
Those ng-change bits could be removed; after that this LGTM and pretty much how I'm doing it already at my copy. +1 @mleanos - CSS/angular frontend tweaking seems hacky. I understand the sentiment tho; without it changing case sensitive input to lowercase at the backend comes as a surprise after hitting save. Changing text on the go while typing might be confusing as well. Personally I'm saving displayUsername separately, much like displayName works, so users can keep their CamelCaseUsernames and no confusing UX. |
|
reopened #866 |
… return authenticated user in password reset