-
Notifications
You must be signed in to change notification settings - Fork 999
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Some external auth systems generate invalid usernames, that should be prevented. #16194
Comments
Same thing happens when keycloak tries to use the email as the username IIRC -- |
Of 25K users on Galaxy Australia, 800 or so have spaces in their usernames. It's unconventional, but is this a problem for any other reason than the fact that history link urls are not being urlencoded/decoded by galaxy? That would not be hard to fix. |
We could 'fix' the urls to encode, but I think that just perpetuates a problem where we don't want usernames with spaces. What we discussed in a recent backend WG meeting was to address the creation issue (i.e. -- new users from external auth will be created with usernames following the spec that is enforced for 'normal' user creation) and to provide a gxadmin command or script to 'fix' existing usernames with spaces. |
I'm seeing a lot of illegal punctuation in usernames as well, (),'&~ et cetera |
I think spaces will be an issue for anyone running as real user as well, and LDAP + real user is a common combination (xref #11270 which @nsoranzo debugged to be a username mangling from external auth)
mildly terrifying |
Can confirm that EU's all look safe
|
Yikes, yes that would be a big problem |
Reported to @cat-bro as it was noticed on UseGalaxy.org.au, but I think it's a more general issue. One user's username includes a space. It's blocking access to their histories.
all 404.
Diagnosis
You cannot manually enter a space, it's coming from their external authentication system most likely.
Remediation
We should fix it on the external auth side. Additionally it would make sense to ensure that when usernames come from external authentication systems, that they are properly mangled or just error, forcing the galaxy admin to choose a safer field that doesn't include prohibited values, or some automatic transformation for that field.
The text was updated successfully, but these errors were encountered: