Discuss: Thoughts about identity handling

[sielay]

Hi

I do enjoy learning and doing on this MEAN stack. In my projects I heavily play with multiple identity providers (can say that your code works well with all passport strategies I found so far). I have listed few things you may consider to address:

• putting first non-email provider into user.providerData and all other to user.additionalProviders has no benefits and a lot of workarounds needed. Following snippet can be useful:

UserSchema.methods.getProviderData = function ( provider ) {
    if ( this.provider === provider ) {
        return this.providerData;
    }
    return this.additionalProvidersData[ provider ];
};

• many strategies and/or APIs aren't very consequent about user ids. Many of them (like Github or Trello) allow you to use user hash and unique user name. We often save hash as user field for authentication sake, but later API calls often prefer to get username. We may consider having multi-id per provider.
• previous point lead to one of biggest pitfalls - we assume user can have only one email connected to the app; that also limit hugely use cases

Why I think that should be in core:
Authentication is core. It's not modular. A lot of different parts of the stack depend on it. If I fork out with huge changes, my project (or anyone who would like to say contributor to the root repo) will lose chance to link close to origin.

I try to address some of the issues in my small lib (https://github.com/sielay/octopusidentity doc is not up to date, but meanuserplugin is in latest version (npm not updated yet)). It puts some of the issues abstract, but to achieve all I want I would have to interfere more in core.

[rschwabco]

Thanks @sielay! This sounds very reasonable - and I second the idea of using a hash of the username instead of the email. I feel less strongly about authentication not being optional, and I'm not entirely sure I would want to prevent people from building apps without auth of any kind.

[sielay]

Well :) @roieki there are two topics here - identity and authentication, which unfortunately share lot of data. If I would suggest something I would start from aligning all providers data (including local) to same structure. It would be far easier to make further steps. For instance that may be some sort of subdocuments. Consider example of user object

{
    _id : <HASH>,
    auths : [{
        id : "john@gmail.com",
        provider : "email",
        secret : "<HASHED_PASSWORD>",
        salt : "<SALT>"
    }, {
        id : "1234567890",
        provider : "facebook",
        accessToken : "<TOKEN>",
        refreshToken : "<TOKEN2>",
        providerData : { ... }
    }]
}

[rschwabco]

Sounds good to me. Anyone else care to comment? @amoshaviv @NeverOddOrEven @lirantal @ilanbiala

[ilanbiala]

I like the idea a lot. PR?

[sielay]

Ok I will do it together with #273 on top of already PR'ed #288. In fact I need such change now.

[ilanbiala]

Closing in favor of handling everything on the PR.